Since my Allsky camera is publicly available via Apache, secured with Let’s Encrypt and its own subdomain, I also wanted to harden the Raspberry Pi a little at network level – without risky experiments or unnecessary complexity. NAT provides basic protection for IPv4, but ports 80 and 443 in particular are publicly accessible. In addition, bots, scanners and automated requests generate unnecessary traffic.
My goal: a pragmatic firewall that allows real access, reduces bot noise and does not interfere with Let’s Encrypt. Here is the IPv4 part first – you can find an additional post about IPv6 here!
IPv4: Minimal firewall with rate limiting
The initial situation with IPv4 is simple: the Raspberry is behind the Fritz!Box and is made accessible for HTTP/HTTPS via port sharing. Nevertheless, it is worth setting up a small local firewall to slow down unnecessary requests. I use iptables and rate limiting for this, which effectively restricts bots but does not affect Let’s Encrypt.
Setup steps (replace XXXX with your own SSH port!):
# Allow loopback
sudo iptables -A INPUT -i lo -j ACCEPT
# Allow already established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SSH (adjust port if necessary)
sudo iptables -A INPUT -p tcp --dport XXXX -j ACCEPT
# Rate limiting for port 80 (HTTP)
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW \
-m limit --limit 25/minute --limit-burst 100 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j DROP
# Rate limiting for port 443 (HTTPS)
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW \
-m limit --limit 50/minute --limit-burst 200 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j DROP
# Optional: Set default policy to DROP (only after the SSH rule above is in place, otherwise you lock yourself out)
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
This means that only the ports that are really needed are open. Attackers, bots and aggressive scanners run straight into the limit or into the DROP rule. Let’s Encrypt is not affected by this, as issuing or renewing a certificate only requires a few individual HTTP requests, far below the limit.
Save the rules permanently so they survive a reboot (iptables-persistent):
sudo apt install iptables-persistent
sudo netfilter-persistent save
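As an added example (not from the original post), the same ruleset rendered in the iptables-restore format that iptables-persistent loads from /etc/iptables/rules.v4, with the XXXX placeholder validated and a sanity check before loading: the rate-limited ACCEPT must come before the unconditional DROP for each web port, and an SSH ACCEPT must exist because the default policy is DROP. The function names gen_rules_v4 and check_rules are my own.

```shell
#!/bin/sh
# gen_rules_v4 SSH_PORT: print the IPv4 ruleset from the post as an
# iptables-restore file (load with: sudo iptables-restore < rules.v4).
gen_rules_v4() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) echo "invalid SSH port: '$port'" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "SSH port out of range" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $port -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-A INPUT -p tcp --dport 80 -j DROP
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
-A INPUT -p tcp --dport 443 -j DROP
COMMIT
EOF
}

# check_rules FILE SSH_PORT: refuse a ruleset that would lock you out or
# whose DROP rule shadows the rate-limited ACCEPT (iptables matches in order).
check_rules() {
    file="$1"
    grep -q -- "--dport $2 -j ACCEPT" "$file" || { echo "no SSH ACCEPT rule" >&2; return 1; }
    for p in 80 443; do
        acc=$(grep -n -- "--dport $p .*-m limit.* -j ACCEPT" "$file" | cut -d: -f1)
        drop=$(grep -n -- "--dport $p -j DROP" "$file" | cut -d: -f1)
        [ -n "$acc" ] && [ -n "$drop" ] && [ "$acc" -lt "$drop" ] \
            || { echo "port $p: limit rule must precede DROP" >&2; return 1; }
    done
    return 0
}
```

Generate with `gen_rules_v4 2222 > rules.v4`, run `check_rules rules.v4 2222`, and only then copy the file to /etc/iptables/rules.v4.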
Why IPv6 is also important:
While IPv4 is structurally protected by NAT, with IPv6 every device is globally reachable unless a firewall blocks it – no port sharing required. This is precisely why an IPv6 firewall is not a “nice to have”, but a must. You can find all the information here!