How-To Alpine Wall: Difference between revisions

From Alpine Linux
(firewall autostart)
(→Structure: fixed the dangling }})
 
(44 intermediate revisions by 8 users not shown)

Latest revision as of 15:05, 9 August 2024

General

Purpose of this doc is to illustrate Alpine Wall (awall) by example.
We will explain awall from the viewpoint of a Shorewall user.

awall is available since Alpine v2.4.
Please see Alpine Wall User's Guide for details about the syntax.

Some of the below features and examples assume you are running awall version 0.2.12 or later.
Make sure you are running the latest version by running the following commands:

  apk update
  apk add iptables
  apk add -u awall
  apk version awall

Note: Older versions of Alpine may require the ip6tables package too.

Structure

Your Alpine Wall configuration files go in /etc/awall/optional
Each such file is called a Policy.

Note: awall versions prior to 0.2.12 will only look for Policy files in /usr/share/awall/optional.
From version 0.2.12 and higher, awall will look for Policy files in both /etc/awall/optional and /usr/share/awall/optional.

You may have multiple Policy files (it is useful to have separate files for e.g. HTTP, FTP, etc.).
The Policy(s) can be enabled or disabled by using the "awall [enable|disable]" command.

Note: awall's Policy files are not equivalent to Shorewall's /etc/shorewall/policy files.

An awall Policy can contain definitions of:

  • variables (like /etc/shorewall/params)
  • zones (like /etc/shorewall/zones)
  • interfaces (like /etc/shorewall/interfaces)
  • policies (like /etc/shorewall/policy)
  • filters and NAT rules (like /etc/shorewall/rules)
  • services (like /usr/share/shorewall/macro.HTTP)

Prerequisites

After installing awall, you need to load the following iptables modules:

  modprobe ip_tables
  modprobe iptable_nat    # if NAT is used

This is needed only one time after awall installation.

To make the firewall autostart at boot and autoload the needed modules:

  rc-update add iptables
  rc-update add ip6tables

A Basic Home Firewall

We will give an example of how you can convert a "Basic home firewall" from Shorewall to AWall.

Example firewall using Shorewall

Let's suppose you have the following Shorewall configuration:

Contents of /etc/shorewall/zones

  inet  ipv4
  loc   ipv4

Contents of /etc/shorewall/interfaces

  inet  eth0
  loc   eth1

Contents of /etc/shorewall/policy

  fw   all   ACCEPT
  loc  inet  ACCEPT
  all  all   DROP

Contents of /etc/shorewall/masq

eth0 0.0.0.0/0

Example firewall using AWall

Now we will configure AWall to do the same thing as we just did with the above Shorewall example.

Create a new file called /etc/awall/optional/test-policy.json and add the following content to the file.

Tip: You could call it something else as long as you save it in /etc/awall/optional/ and name it ???.json

{
  "description": "Home firewall",

  "zone": {
    "inet": { "iface": "eth0" },
    "loc": { "iface": "eth1" }
  },

  "policy": [
    { "in": "_fw", "action": "accept" },
    { "in": "loc", "out": "inet", "action": "accept" }
  ],

  "snat": [
    { "out": "inet" }
  ]
}

The above configuration will:

  • Create a description of your Policy
  • Define zones
  • Define policy
  • Define snat (to masquerade the outgoing traffic)

Note: snat means "source NAT". It does not mean "static NAT".
Tip: AWall has a built-in zone named "_fw" which is the "firewall itself". This corresponds to the Shorewall "fw" zone.

Activating/Applying a Policy

After saving the Policy you can run the following commands to activate your firewall settings:

  awall list                  # Lists the available 'Policy(s)' (this step is optional)
  awall enable test-policy    # Enables the 'Policy'
  awall activate              # Generates the firewall configuration from the 'Policy' files and enables it (starts the firewall)

If you have multiple policies, after enabling or disabling them, you need to always run awall activate in order to update the iptables rules.

Advanced Firewall settings

Assuming you have your /etc/awall/optional/test-policy.json with your "Basic home firewall" settings, you could choose to modify that file to test the below examples.

Tip: You could create new files in /etc/awall/optional/ for testing some of the below examples

Logging

AWall will (since v0.2.7) automatically log dropped packets.
You could add the following line to the "policy" section in your Policy file in order to see the dropped packets.

  { "in": "inet", "out": "loc", "action": "drop" }

Note: If you are adding the above content to an already existing file, then make sure you add "," signs where they are needed!

Port-Forwarding

Let's suppose you have a local web server (192.168.1.10) that you want to make accessible from the "inet".
With Shorewall you would have a rule like this in your /etc/shorewall/rules:

#ACTION  SOURCE  DEST               PROTO  DEST    SOURCE    ORIGINAL
#                                          PORT(S) PORT(S)   DEST
DNAT     inet     loc:192.168.1.10  tcp    80

Let's configure our AWall Policy file likewise by adding the following content.

  "variable": {
    "APACHE": "192.168.1.10",
    "STATIC_IP": "1.2.3.4"
  },

  "filter": [
    {
      "in": "inet",
      "dest": "$STATIC_IP",
      "service": "http",
      "action": "accept",
      "dnat": "$APACHE"
    }
  ]

As you can see in the above example, we create a

  • "variable" section where we specify some IP-addresses
  • "filter" section where we do the actual port-forwarding (using the variables we just created and using some preexisting "services" definitions)

Note: If you are adding the above content to an already existing file, then make sure you add "," signs where they are needed!
Tip: AWall already has a "service" definition list for several services like HTTP, FTP, SNMP, etc. (see /usr/share/awall/mandatory/services.json)

If you need to forward to a different port (e.g. 8080) you can do:

"dnat": [
  {"in": "inet", "dest": "$STATIC_IP", "to-addr": "$APACHE", "service": "http", "to-port": 8080 }
]

Create your own service definitions

You can add your own service definitions into your Policy files:

  "service": {
    "openvpn": { "proto": "udp", "port": 1194 }
  }

Note: You can not override a "service" definition that comes from /usr/share/awall/mandatory/services.json
Note: If you are adding the above content to an already existing file, then make sure you add "," signs where they are needed!
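
The home firewall, the port-forwarding fragment and the custom service definition above are all pieces of one JSON policy, and the recurring warning about missing "," signs is a symptom of editing that file by hand. The following script is an added example written for this page, not awall's own code: it merges fragments as JSON objects (so the commas take care of themselves) and then checks the cross-references that awall will otherwise reject at activation time, or worse, that silently change what is exposed: a zone name that is never defined, a $VARIABLE with no definition, and a service that is neither built in nor declared in the policy's own "service" block. BUILTIN_SERVICES is a constructed subset standing in for /usr/share/awall/mandatory/services.json, and the checked address fields ("dest", "dnat", "to-addr") are the ones the page's rules use.

```python
"""Merge awall policy fragments and check their cross-references.

Added example for this page, not awall's own code.  It models the
sections the page discusses (zone, policy, variable, filter, dnat, snat,
service) as plain JSON objects and catches the mistakes that bite when a
fragment is pasted into an existing file: a zone that is never defined,
a $VARIABLE with no definition, and a service that is neither built in
nor declared in the policy's own "service" block.  BUILTIN_SERVICES is a
constructed subset; the real list is /usr/share/awall/mandatory/services.json.
"""
import json
import re

BUILTIN_SERVICES = {"http", "https", "ftp", "ssh", "snmp"}  # constructed subset
BUILTIN_ZONES = {"_fw"}  # the firewall itself, as the page describes
VAR_RE = re.compile(r"^\$(\w+)$")


def merge_fragments(*fragments):
    """Merge JSON-object fragments into one policy dict.

    Object sections (zone, variable, service) are merged key by key and
    list sections (policy, filter, dnat, snat) are concatenated.  Building
    the file this way and writing it with json.dumps() sidesteps the
    missing-comma problem the page warns about.
    """
    merged = {}
    for frag in fragments:
        for key, value in frag.items():
            if isinstance(value, dict):
                merged.setdefault(key, {}).update(value)
            elif isinstance(value, list):
                merged.setdefault(key, []).extend(value)
            else:
                merged[key] = value
    return merged


def check_policy(policy):
    """Return a list of problems found in a merged policy (empty means ok)."""
    errors = []
    zones = set(policy.get("zone", {})) | BUILTIN_ZONES
    variables = policy.get("variable", {})
    services = BUILTIN_SERVICES | set(policy.get("service", {}))
    for section in ("policy", "filter", "dnat", "snat"):
        for i, rule in enumerate(policy.get(section, [])):
            where = f"{section}[{i}]"
            for side in ("in", "out"):
                zone = rule.get(side)
                if zone is not None and zone not in zones:
                    errors.append(f"{where}: unknown zone '{zone}' in '{side}'")
            # Address fields the page uses with $VARIABLE references.
            for field in ("dest", "dnat", "to-addr"):
                match = VAR_RE.match(str(rule.get(field, "")))
                if match and match.group(1) not in variables:
                    errors.append(f"{where}: undefined variable ${match.group(1)}")
            service = rule.get("service")
            if service is not None and service not in services:
                errors.append(f"{where}: unknown service '{service}'")
    return errors


# The page's own fragments, transcribed as Python dicts.
HOME_FIREWALL = {
    "description": "Home firewall",
    "zone": {"inet": {"iface": "eth0"}, "loc": {"iface": "eth1"}},
    "policy": [{"in": "_fw", "action": "accept"},
               {"in": "loc", "out": "inet", "action": "accept"}],
    "snat": [{"out": "inet"}],
}
PORT_FORWARD = {
    "variable": {"APACHE": "192.168.1.10", "STATIC_IP": "1.2.3.4"},
    "filter": [{"in": "inet", "dest": "$STATIC_IP", "service": "http",
                "action": "accept", "dnat": "$APACHE"}],
}
OPENVPN_SERVICE = {"service": {"openvpn": {"proto": "udp", "port": 1194}}}


def good_policy_problems():
    """The page's fragments merged together should check clean."""
    return check_policy(merge_fragments(HOME_FIREWALL, PORT_FORWARD, OPENVPN_SERVICE))


def bad_policy_problems():
    """Constructed mistakes: zone typo, undefined variable, undeclared service."""
    broken = {"filter": [{"in": "inte", "dest": "$VPN_IP",
                          "service": "openvpn", "action": "accept"}]}
    return check_policy(merge_fragments(HOME_FIREWALL, broken))


if __name__ == "__main__":
    print(json.dumps(merge_fragments(HOME_FIREWALL, PORT_FORWARD, OPENVPN_SERVICE), indent=2))
    for problem in bad_policy_problems():
        print("problem:", problem)
```

Running the script prints the merged test-policy.json content, ready to be saved under /etc/awall/optional/, followed by the three problems found in the deliberately broken fragment. The check is only a pre-flight: awall activate remains the authority on what the policy means, and the built-in service list should be read from the real services.json on the box rather than the constructed subset used here.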

Inherit services or variables

You can import a Policy into other Policy files for inheriting services or variables definitions:

"import": "myfirewall"

Specify load order

By default policies are loaded in alphabetical order.
You can change the load order with the keywords "before" and "after":

"before": "myfirewall"
"after": "someotherpolicy"
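
Because a later policy can override what an earlier one defined, the load order decides which definitions win, so it is worth being able to predict it before running awall activate. The following script is an added example for this page, not awall's own code: it applies the rule the page states (alphabetical by default, adjusted by "before" and "after") as a stable topological sort, and rejects contradictory constraints. Treating an "import" as "the imported policy must load first" is an assumption made here, not something the page says, and the policy files themselves are constructed for the example using the names the page uses.

```python
"""Resolve the load order of enabled awall policies.

Added example for this page, not awall's own code.  The page states that
policies load in alphabetical order by default and that "before" and
"after" change that.  This block implements that rule as a stable
topological sort and, as an assumption beyond the page, also treats an
"import" as "the imported policy must load first".  The policy files are
constructed for the example.
"""


def _as_list(value):
    """before/after/import may be a single name or a list of names."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def load_order(policies, enabled):
    """Return the enabled policy names in the order they would be loaded.

    policies: {name: parsed policy dict}; enabled: names to load.
    Raises ValueError when before/after constraints form a cycle.
    """
    names = sorted(n for n in enabled if n in policies)
    must_precede = {n: set() for n in names}  # n -> names that load before n
    for name in names:
        policy = policies[name]
        for other in _as_list(policy.get("after")) + _as_list(policy.get("import")):
            if other in must_precede:
                must_precede[name].add(other)
        for other in _as_list(policy.get("before")):
            if other in must_precede:
                must_precede[other].add(name)
    order = []
    remaining = set(names)
    while remaining:
        # Alphabetical order breaks ties among policies whose predecessors
        # have all been loaded; with no before/after keys at all this is
        # exactly the default order the page describes.
        ready = sorted(n for n in remaining if not (must_precede[n] & remaining))
        if not ready:
            raise ValueError("before/after cycle among: " + ", ".join(sorted(remaining)))
        order.append(ready[0])
        remaining.remove(ready[0])
    return order


# Constructed policy files using the names from the page.
POLICIES = {
    "myfirewall": {"description": "Home firewall"},
    "someotherpolicy": {"description": "constructed"},
    "web": {"description": "constructed", "import": "myfirewall"},
    "vpn": {"description": "constructed",
            "before": "myfirewall", "after": "someotherpolicy"},
}

# Constructed contradiction: each wants to load before the other.
CYCLIC = {"a": {"before": "b"}, "b": {"before": "a"}}


def demo_order():
    """Load order for the constructed set with all four policies enabled."""
    return load_order(POLICIES, POLICIES.keys())


if __name__ == "__main__":
    print(demo_order())
    try:
        load_order(CYCLIC, CYCLIC.keys())
    except ValueError as exc:
        print("rejected:", exc)
```

With all four constructed policies enabled the result is someotherpolicy, vpn, myfirewall, web: "vpn" is pulled ahead of "myfirewall" by its "before" key and behind "someotherpolicy" by its "after" key, and "web" follows the policy it imports. Without any of those keys the same set would simply load alphabetically.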

Other

Help and debugging

If you end up in some kind of trouble, you might find some commands useful when debugging:

  awall             # (with no parameters) shows some basic help about the awall application
  awall dump        # dumps definitions like zones and variables
  iptables -L -n    # shows what is currently loaded in iptables

See also

  • Zero-To-Awall