Gateway Overview
An IoT gateway sits between IoT devices and the internet and acts as a security boundary. Its main functions:
- Protocol translation (Zigbee → MQTT)
- Firewall protection
- VPN tunneling
- Local data processing
- Device authentication
- Traffic monitoring
Hardware Setup
- Raspberry Pi 4: Gateway controller
- Dual Ethernet: LAN/WAN separation
- USB WiFi: IoT network
- LoRa Gateway: Long-range sensors
- Zigbee USB: Smart home devices
Firewall Configuration
Set up iptables for IoT network protection. Interface names as used in this guide: eth0 = WAN, eth1 = IoT network, eth2 = internal LAN. The script is run once as root; to persist the result, save it with `iptables-save > /etc/iptables/rules.v4` (rules.v4 is iptables-save format, not a shell script).

```bash
#!/bin/bash
# Apply the gateway firewall rules. Persist afterwards with:
#   iptables-save > /etc/iptables/rules.v4

# Flush existing rules in the filter and nat tables
iptables -F
iptables -X
iptables -t nat -F

# Default policies: drop everything that is not explicitly allowed
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH from management network only
iptables -A INPUT -p tcp -s 192.168.100.0/24 --dport 22 -j ACCEPT

# Allow MQTT (plain and TLS) from IoT network
iptables -A INPUT -p tcp -s 192.168.10.0/24 --dport 1883 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.10.0/24 --dport 8883 -j ACCEPT

# Allow DNS and DHCP (dnsmasq) on the internal interfaces only, never from the WAN
iptables -A INPUT ! -i eth0 -p udp --dport 53 -j ACCEPT
iptables -A INPUT ! -i eth0 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT ! -i eth0 -p udp --dport 67 -j ACCEPT

# Allow WireGuard (see VPN Setup)
iptables -A INPUT -p udp --dport 51820 -j ACCEPT

# Forward rules (IoT to Internet; only return traffic in the other direction)
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block IoT from internal network (explicit, even though the default policy drops it)
iptables -A FORWARD -i eth1 -o eth2 -j DROP

# Enable NAT for IoT traffic leaving via the WAN
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Enable IP forwarding (persist with net.ipv4.ip_forward=1 in /etc/sysctl.conf)
echo 1 > /proc/sys/net/ipv4/ip_forward
```
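The isolation goal above (default-DROP policies, nothing forwarded from the IoT interface into the internal network) is easy to break with one rule added later. The following audit helper is an added example, not part of the original guide: it reads an iptables-save dump and reports any violation of those two properties. It assumes the guide's interface names (eth1 = IoT, eth2 = internal); both dumps in it are constructed, and the first contains deliberate mistakes.

```sh
#!/bin/sh
# Added audit helper (not from the original guide): check an iptables-save
# dump for the gateway's isolation goals. Interface names follow the guide:
# eth1 = IoT network, eth2 = internal network.
IOT_IF="eth1"
LAN_IF="eth2"

# Constructed dump with two deliberate mistakes: FORWARD defaults to ACCEPT,
# and a rule lets IoT traffic into the internal network.
BAD_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth2 -j ACCEPT
COMMIT'

# Constructed dump matching the firewall script in this guide.
GOOD_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth2 -j DROP
COMMIT'

# audit_forward "<dump text>": print one finding per line (nothing if clean).
audit_forward() {
    dump="$1"
    # 1. INPUT and FORWARD must default to DROP
    for chain in INPUT FORWARD; do
        if ! printf '%s\n' "$dump" | grep -q "^:$chain DROP "; then
            echo "finding: $chain policy is not DROP"
        fi
    done
    # 2. No ACCEPT from the IoT interface toward the internal interface,
    #    with or without extra match options between -o and -j.
    n=$(printf '%s\n' "$dump" | grep -c -- "^-A FORWARD -i $IOT_IF -o $LAN_IF .*-j ACCEPT" || true)
    if [ "$n" -gt 0 ]; then
        echo "finding: $n rule(s) ACCEPT $IOT_IF -> $LAN_IF"
    fi
}

# On a live gateway: audit_forward "$(sudo iptables-save)"
audit_forward "$BAD_DUMP"
```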
VPN Setup
WireGuard for secure remote access:

```bash
# Install WireGuard
sudo apt install wireguard

# Generate keys (restrictive umask so the private key is not world-readable)
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
```

Server config, `/etc/wireguard/wg0.conf` (keep it mode 600, since it holds the private key):

```ini
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>
# Let VPN clients reach the networks behind the gateway and let replies back in
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -m state --state ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -m state --state ESTABLISHED,RELATED -j ACCEPT

# Client (remote admin)
[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.0.2/32
```

```bash
# Start WireGuard
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
```
Network Segmentation
Separate networks for different device types:
| VLAN | Network | Devices | Access |
|---|---|---|---|
| VLAN 10 | 192.168.10.0/24 | IoT Sensors | Gateway only |
| VLAN 20 | 192.168.20.0/24 | Smart Home | Gateway + LAN |
| VLAN 30 | 192.168.30.0/24 | Cameras | NVR only |
| VLAN 100 | 192.168.100.0/24 | Management | Full access |
dnsmasq serves DHCP on each segment, in `/etc/dnsmasq.d/iot.conf`:

```ini
# /etc/dnsmasq.d/iot.conf
# Listen only on the internal interfaces named below, never on the WAN
bind-interfaces

# IoT Network (VLAN 10)
interface=eth1
dhcp-range=192.168.10.50,192.168.10.200,255.255.255.0,24h
dhcp-option=option:router,192.168.10.1

# Smart Home Network (VLAN 20)
interface=eth2
dhcp-range=192.168.20.50,192.168.20.200,255.255.255.0,24h
dhcp-option=option:router,192.168.20.1
```
Security Monitoring
```bash
# Install security tools
sudo apt install fail2ban rkhunter chkrootkit
```

Configure fail2ban for SSH in `/etc/fail2ban/jail.local` (ban for an hour after 3 failed logins):

```ini
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
```

```bash
# Network monitoring
sudo apt install ntopng

# Log analysis (for a web server such as nginx running on the gateway)
sudo apt install goaccess
goaccess /var/log/nginx/access.log -o report.html
```
Security Hardening:
- Change default passwords immediately
- Disable unused services (Bluetooth, WiFi if wired)
- Enable automatic security updates
- Use SSH keys instead of passwords
- Enable fail2ban for brute-force protection
- Regular security audits
Next Steps
- Add intrusion detection (Snort/Suricata)
- Implement SIEM for log analysis
- Set up automated backups
- Create disaster recovery plan