Raspbmc: iptables

By default, Raspbmc blocks all requests that reach the pi from the internet (WAN). Only requests coming from your local LAN are allowed.

To do this, Raspbmc uses iptables, the Linux packet filter. It works like a firewall: a set of rules decides, for each incoming request, whether it is blocked or allowed.

Interested in seeing your current iptables rules? Use this command:

iptables -L -n

If you want a port to be allowed instead of blocked, you have to add a rule for it to iptables. The following command is an example that allows all TCP requests to port 5050:

iptables -A INPUT -p tcp --dport 5050 -j ACCEPT

However, every time you restart your pi, these rules are flushed (emptied). That’s why we need to add them to a script that is executed on every boot. On Raspbmc that script is /etc/network/if-up.d/secure-rmc.

Open it with:

sudo nano /etc/network/if-up.d/secure-rmc

Change or add the ports you want open in the script. I’ll add 5050, 9091 and 8888, which are used by CouchPotato, Transmission and BitTorrent Sync. You’ll find the block at the end of the script. Note that rules are evaluated in order, so the ACCEPT lines for your ports must stay above the final DROP line.

if [ "$IFACE" != "lo" ]; then
    # Subnet of the interface that just came up (e.g. 192.168.1.0/24)
    NETMASK=$(get_subnet $IFACE)
    if [ ${#NETMASK} -eq 0 ]; then
        logger -t secure-rmc "netmask not found"
        exit 1
    fi
    # Allow everything from the local LAN on this interface
    iptables -A INPUT -s $NETMASK -i $IFACE -j ACCEPT
    # Ports that should also be reachable from outside the LAN
    iptables -A INPUT -p tcp --dport 5050 -j ACCEPT
    iptables -A INPUT -p tcp --dport 9091 -j ACCEPT
    iptables -A INPUT -p tcp --dport 8888 -j ACCEPT
    # Everything else arriving on this interface is dropped
    iptables -A INPUT -i $IFACE -j DROP
fi
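As an added example (not Raspbmc's own secure-rmc script), the following POSIX sh functions build the same rule shape as the block above for any list of ports: LAN accept first, one accept per port, DROP last. The interface name, LAN subnet and port list are assumed to be supplied by the caller. It differs from the page's block in two ways: every port rule is tied to the interface with -i, and apply_rules checks with iptables -C before appending, so running it again (for example on a second if-up event) does not stack duplicate rules. build_rules only prints commands, so you can inspect the result without root; apply_rules needs root.

```shell
#!/bin/sh
# Added example, not the Raspbmc secure-rmc script.
# Assumed inputs: interface name, LAN subnet in CIDR form, then TCP ports.

# Return 0 if $1 is a TCP port number in 1..65535, 1 otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the iptables commands for interface $1 and LAN subnet $2,
# followed by one ACCEPT per port. Order matters: LAN accept,
# per-port accepts, then the final DROP for the interface.
build_rules() {
    iface=$1
    subnet=$2
    shift 2
    for p in "$@"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    printf 'iptables -A INPUT -s %s -i %s -j ACCEPT\n' "$subnet" "$iface"
    for p in "$@"; do
        printf 'iptables -A INPUT -i %s -p tcp --dport %s -j ACCEPT\n' "$iface" "$p"
    done
    printf 'iptables -A INPUT -i %s -j DROP\n' "$iface"
}

# Run each generated command, but only if an identical rule is not already
# present (iptables -C returns 0 when the rule exists). Requires root.
apply_rules() {
    rules=$(build_rules "$@") || return 1
    printf '%s\n' "$rules" | while IFS= read -r cmd; do
        check=$(printf '%s' "$cmd" | sed 's/ -A / -C /')
        $check 2>/dev/null || $cmd
    done
}

# Number of rules build_rules would emit; handy for a dry-run sanity check.
rule_count() {
    build_rules "$@" | wc -l | tr -d ' '
}
```

Dry run with `build_rules eth0 192.168.1.0/24 5050 9091 8888` and compare the printed lines with `sudo iptables -L INPUT -n --line-numbers` after applying; the LAN rule must be first and the DROP rule last, or the port rules never match.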
