How-To Alpine Wall: Difference between revisions

From Alpine Linux
(added ip6tables to runlevel defaults)
(added links to see-also section)
 
(9 intermediate revisions by 5 users not shown)

Latest revision as of 13:10, 22 May 2025

Alpine Wall User Guide is the official source for details about the syntax. The purpose of this page is to illustrate Alpine Wall (AWall) by example. This page explains AWall from the viewpoint of a Shorewall user.

Installation

Install the awall package and make sure you are running the latest version by running the following commands:

# apk add iptables awall
$ apk version awall

Prerequisites

After installing AWall, you need to load the following iptables modules:

# modprobe ip_tables
# modprobe iptable_nat    #if NAT is used

This is needed only one time after awall installation.

To make the firewall autostart at boot and autoload the needed modules:

# rc-update add iptables
# rc-update add ip6tables

Configuration files

Your Alpine Wall configuration files go in /etc/awall/optional. From version 0.2.12 and later, AWall looks for Policy files in both that directory and /usr/share/awall/optional. Each such file is called a Policy.

You may have multiple Policy files. It is useful to have separate files for e.g. HTTP, FTP, etc.

The Policy(s) can be enabled or disabled by using the command:

# awall [enable|disable]

An AWall Policy can contain definitions of:

  • variables (like /etc/shorewall/params)
  • zones (like /etc/shorewall/zones)
  • interfaces (like /etc/shorewall/interfaces)
  • policies (like /etc/shorewall/policy)
  • filters and NAT rules (like /etc/shorewall/rules)
  • services (like /usr/share/shorewall/macro.HTTP)

Basic home firewall

The example below shows the "Basic home firewall" configuration for both Shorewall and AWall. It also makes clear that AWall Policy files are not equivalent to Shorewall's /etc/shorewall/policy file.

Shorewall configuration

Let's suppose you have the following Shorewall configuration:

Contents of /etc/shorewall/zones

inet ipv4
loc  ipv4

Contents of /etc/shorewall/interfaces

inet eth0
loc  eth1

Contents of /etc/shorewall/policy

fw   all  ACCEPT
loc  inet ACCEPT
all  all  DROP

Contents of /etc/shorewall/masq

eth0 0.0.0.0/0

AWall configuration

The equivalent AWall configuration that does the same thing as the above Shorewall example is given below.

Create a new file called /etc/awall/optional/home-policy.json and add the following content:

Contents of /etc/awall/optional/home-policy.json

{
  "description": "Home firewall",
  "zone": {
    "inet": { "iface": "eth0" },
    "loc": { "iface": "eth1" }
  },
  "policy": [
    { "in": "_fw", "action": "accept" },
    { "in": "loc", "out": "inet", "action": "accept" }
  ],
  "snat": [
    { "out": "inet" }
  ]
}

The above configuration will:

  • Create a description of your Policy
  • Define zones
  • Define policy
  • Define snat (to masquerade the outgoing traffic)

snat means "source NAT". It does not mean "static NAT".

Tip: AWall has a built-in zone named "_fw" which is the "firewall itself". This corresponds to the Shorewall "fw" zone.

Activating/Applying a Policy

After saving the Policy you can run the following commands to activate your firewall settings:

awall list                # Listing available 'Policy(s)' (This step is optional)
awall enable home-policy  # Enables the 'Policy' (the name is the file name without .json)
awall activate            # Generates firewall configuration from the 'Policy' files and enables it (starts the firewall)

If you have multiple policies, after enabling or disabling them, you need to always run awall activate in order to update the iptables rules.

Advanced configuration

Assuming you have your /etc/awall/optional/home-policy.json with your "Basic home firewall" settings, you could choose to modify that file to test the below examples.

Tip: You could also create new files in /etc/awall/optional/ for testing some of the below examples

Logging

AWall will (since v0.2.7) automatically log dropped packets.

You could add the following row to the "policy" section in your Policy file in order to see the dropped packets.

{ "in": "inet", "out": "loc", "action": "drop" }

Note: If you are adding the above content to an already existing file, then make sure you add "," signs where they are needed!

Port forwarding

Let's suppose you have a local web server (192.168.1.10) that you want to make accessible from the "inet".
With Shorewall you would have a rule like this in your /etc/shorewall/rules:

#ACTION  SOURCE  DEST               PROTO  DEST    SOURCE    ORIGINAL
#                                          PORT(S) PORT(S)   DEST
DNAT     inet     loc:192.168.1.10  tcp    80

Let's configure our AWall Policy file likewise by adding the following content.

  "variable": {
    "APACHE": "192.168.1.10",
    "STATIC_IP": "1.2.3.4"
  },

  "filter": [
    { "in": "inet",
      "dest": "$STATIC_IP",
      "service": "http",
      "action": "accept",
      "dnat": "$APACHE"
    }
  ]

As you can see in the above example, we create a

  • "variable" section where we specify some IP-addresses
  • "filter" section where we do the actual port-forwarding (using the variables we just created and using some preexisting "services" definitions)
Note: If you are adding the above content to an already existing file, then make sure you add "," signs where they are needed!
Tip: AWall already has a "service" definition list for several services like HTTP, FTP, SNMP, etc. (see /usr/share/awall/mandatory/services.json)

If you need to forward to a different port (e.g. 8080) you can do:

"dnat": [
  {"in": "inet", "dest": "$STATIC_IP", "to-addr": "$APACHE", "service": "http", "to-port": 8080 }
]

Create your own service definitions

Note: You can not override a "service" definition that comes from /usr/share/awall/mandatory/services.json

You can add your own service definitions into your Policy files:

"service": {
  "openvpn": { "proto": "udp", "port": 1194 }
}
Note: If you are adding the above content to an already existing file, then make sure you add "," signs where they are needed!
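
The fragments above (the basic home policy, the explicit drop rule from the Logging section, the port-forward with its variables, and the openvpn service) assembled into one complete policy file, as an added example in Python that is not code from this page or from the awall project. Building the document as a Python dict and serializing it with json.dumps puts every "," where JSON needs it, which is the mistake the notes above keep warning about; the small lint that follows catches the other things awall activate would otherwise reveal late: a rule naming a zone, a $variable or a service the policy never defines. The BUILTIN_SERVICES set is an assumed subset of the names in /usr/share/awall/mandatory/services.json (that file is the authority), and the lint only knows the keys this page uses (in, out, service, src, dest, dnat, to-addr); it is not awall's own validator.

```python
import json

# Constructed policy: the page's fragments combined into one document.
# This is not a file shipped by awall.
HOME_POLICY = {
    "description": "Home firewall",
    "variable": {"APACHE": "192.168.1.10", "STATIC_IP": "1.2.3.4"},
    "zone": {"inet": {"iface": "eth0"}, "loc": {"iface": "eth1"}},
    "service": {"openvpn": {"proto": "udp", "port": 1194}},
    "policy": [
        {"in": "_fw", "action": "accept"},
        {"in": "loc", "out": "inet", "action": "accept"},
        # Explicit drop from the Logging section, so dropped packets show up in the log.
        {"in": "inet", "out": "loc", "action": "drop"},
    ],
    "filter": [
        {"in": "inet", "dest": "$STATIC_IP", "service": "http",
         "action": "accept", "dnat": "$APACHE"},
    ],
    "snat": [{"out": "inet"}],
}

# Assumed subset of /usr/share/awall/mandatory/services.json so the lint runs
# offline; the real file is the authority on which service names exist.
BUILTIN_SERVICES = {"http", "https", "ssh", "ftp", "dns", "snmp"}
BUILTIN_ZONES = {"_fw"}  # the firewall itself, as the Tip above describes
RULE_SECTIONS = ("policy", "filter", "dnat", "snat")
VARIABLE_KEYS = ("src", "dest", "dnat", "to-addr")  # keys this page uses with $VARIABLE values


def render(policy):
    """Serialize the policy; json.dumps emits exactly the commas JSON requires."""
    return json.dumps(policy, indent=2) + "\n"


def _as_list(value):
    """awall accepts either a single name or a list of names for zones and services."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def lint(policy):
    """Return a list of problems: rules that reference a zone, a $variable or a
    service that the policy does not define. An empty list means no problem found."""
    problems = []
    zones = set(policy.get("zone", {})) | BUILTIN_ZONES
    variables = set(policy.get("variable", {}))
    services = set(policy.get("service", {})) | BUILTIN_SERVICES
    for section in RULE_SECTIONS:
        for index, rule in enumerate(policy.get(section, [])):
            where = f"{section}[{index}]"
            for key in ("in", "out"):
                for zone in _as_list(rule.get(key)):
                    if zone not in zones:
                        problems.append(f"{where}: zone {zone!r} is not defined")
            for service in _as_list(rule.get("service")):
                if service not in services:
                    problems.append(f"{where}: service {service!r} is not defined")
            for key in VARIABLE_KEYS:
                for value in _as_list(rule.get(key)):
                    is_ref = isinstance(value, str) and value.startswith("$")
                    if is_ref and value[1:] not in variables:
                        problems.append(f"{where}: variable {value} is not defined")
    return problems


def check_policy_text(text):
    """Parse the contents of a policy file and lint it. A syntax error (typically
    the missing comma the notes on this page warn about) is the first problem."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}, column {exc.colno}"]
    return lint(policy)


if __name__ == "__main__":
    # Print the assembled file and confirm it lints clean before copying it into
    # /etc/awall/optional/home-policy.json and running awall activate.
    print(render(HOME_POLICY))
    print(check_policy_text(render(HOME_POLICY)))
```

Run the lint on the file you actually intend to activate; a clean JSON parse plus an empty problem list is a cheap gate before awall activate replaces the live iptables rules.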

Inherit services or variables

You can import a Policy into other Policy files for inheriting services or variables definitions:

"import": "myfirewall"

Customize policy loading order

By default policies are loaded in alphabetical order. The load order can be changed with the keywords "before" and "after":

"before": "myfirewall"
"after": "someotherpolicy"

Troubleshooting

If you end up in some kind of trouble, you might find some commands useful when debugging:

awall                 # (With no parameters) Shows some basic help about awall application
awall dump            # Dump definitions like zones and variables
iptables -L -n        # Show what's in iptables

See also

  • Alpine Wall User Guide: https://git.alpinelinux.org/awall/about/
  • Zero-To-Awall
  • How To Set Up a Firewall with Awall on Alpine Linux: https://www.cyberciti.biz/faq/how-to-set-up-a-firewall-with-awall-on-alpine-linux/