How-To Alpine Wall
Latest revision as of 15:05, 9 August 2024
General
The purpose of this document is to illustrate Alpine Wall (awall) by example.
We will explain awall from the viewpoint of a Shorewall user.
awall is available since Alpine v2.4.
Please see the Alpine Wall User's Guide (https://git.alpinelinux.org/awall/about/) for details about the syntax.
Some of the below features and examples assume you are running awall version 0.2.12 or later.
Make sure you are running the latest version by running the following commands:
apk update
apk add iptables
apk add -u awall
apk version awall
Older versions of Alpine may require the ip6tables package too.
Structure
Your Alpine Wall configuration files go in /etc/awall/optional.
Each such file is called a Policy.
awall versions before 0.2.12 look for Policy files only in /usr/share/awall/optional; from 0.2.12 on, awall looks in both /etc/awall/optional and /usr/share/awall/optional. Keep your own policies in /etc/awall/optional, which also means lbu picks them up on a diskless install.
You may have multiple Policy files (it is useful to have separate files for e.g. HTTP, FTP, etc.).
Policies are enabled or disabled with the "awall enable <policy>" and "awall disable <policy>" commands, where <policy> is the file name without the .json extension.
Note that awall's Policy files are not equivalent to Shorewall's /etc/shorewall/policy file.
An awall Policy can contain definitions of:
- variables (like /etc/shorewall/params)
- zones (like /etc/shorewall/zones)
- interfaces (like /etc/shorewall/interfaces)
- policies (like /etc/shorewall/policy)
- filters and NAT rules (like /etc/shorewall/rules)
- services (like /usr/share/shorewall/macro.HTTP)
Prerequisites
After installing awall, load the following iptables kernel modules:
modprobe ip_tables
modprobe iptable_nat    # only if NAT is used
This is only needed once, right after installing awall.
To make the firewall start at boot and load the needed modules automatically:
rc-update add iptables
rc-update add ip6tables
A Basic Home Firewall
We will give an example of how to convert a "Basic home firewall" from Shorewall to awall.
Example firewall using Shorewall
Let's suppose you have the following Shorewall configuration:
Contents of /etc/shorewall/zones
inet ipv4
loc ipv4

Contents of /etc/shorewall/interfaces
inet eth0
loc eth1

Contents of /etc/shorewall/policy
fw all ACCEPT
loc inet ACCEPT
all all DROP

Contents of /etc/shorewall/masq
eth0 0.0.0.0/0
Example firewall using AWall
Now we will configure awall to do the same thing as the Shorewall example above.
Create a new file called /etc/awall/optional/test-policy.json and add the following content to the file.
You could call it something else, as long as you save it in /etc/awall/optional/ and the name ends in .json.
{
    "description": "Home firewall",

    "zone": {
        "inet": { "iface": "eth0" },
        "loc": { "iface": "eth1" }
    },

    "policy": [
        { "in": "_fw", "action": "accept" },
        { "in": "loc", "out": "inet", "action": "accept" }
    ],

    "snat": [
        { "out": "inet" }
    ]
}
The above configuration will:
- Create a description of your Policy
- Define zones
- Define policy
- Define snat (to masquerade the outgoing traffic)
Note that snat means "source NAT"; it does not mean "static NAT".
awall has a built-in zone named "_fw", which is the firewall host itself; it corresponds to the Shorewall "fw" zone. Traffic not matched by any policy or filter rule is dropped, which is what the Shorewall "all all DROP" line did.
Activating/Applying a Policy
After saving the Policy you can run the following commands to activate your firewall settings:
awall list                # List the available Policies and whether they are enabled (optional)
awall enable test-policy  # Enable the Policy
awall activate            # Generate the firewall configuration from the enabled Policy files and load it (starts the firewall)
Unless you pass -f (--force), awall activate asks you to confirm the new rule set and rolls back to the previous one if no confirmation arrives within 10 seconds, so a mistake in a Policy is much less likely to lock you out of a remote machine.
If you have multiple policies, after enabling or disabling them you always need to run awall activate in order to update the iptables rules.
Advanced Firewall settings
Assuming you have your /etc/awall/optional/test-policy.json with your "Basic home firewall" settings, you could choose to modify that file to test the below examples.
Logging
awall will (since v0.2.7) automatically log dropped packets; with the default iptables LOG target they show up in the kernel log (e.g. via dmesg).
You could add the following rule to the "policy" section in your Policy file in order to see the dropped packets:
{ "in": "inet", "out": "loc", "action": "drop" }
If you are adding the above content to an already existing file, make sure you add "," separators where they are needed, since the file must remain valid JSON.
Port-Forwarding
Let's suppose you have a local web server (192.168.1.10) that you want to make accessible from the "inet" zone.
With Shorewall you would have a rule like this in your /etc/shorewall/rules:
#ACTION  SOURCE  DEST              PROTO  DEST     SOURCE   ORIGINAL
#                                         PORT(S)  PORT(S)  DEST
DNAT     inet    loc:192.168.1.10  tcp    80
Let's configure our awall Policy file likewise by adding the following content.
"variable": {
    "APACHE": "192.168.1.10",
    "STATIC_IP": "1.2.3.4"
},

"filter": [
    { "in": "inet", "dest": "$STATIC_IP", "service": "http", "action": "accept", "dnat": "$APACHE" }
]
As you can see in the above example, we create:
- a "variable" section where we specify some IP addresses
- a "filter" section where we do the actual port-forwarding (using the variables we just created and a preexisting "service" definition)
The "dnat" attribute on a filter rule makes awall generate both the NAT rule and the accept rule for the translated traffic; "dest" is the address before translation, i.e. the public address of the firewall.
If you are adding the above content to an already existing file, make sure you add "," separators where they are needed.
awall already ships "service" definitions for several services like HTTP, FTP, SNMP, etc. (see /usr/share/awall/mandatory/services.json).
If you need to forward to a different port (e.g. 8080) you can use a rule in the standalone "dnat" section instead:
"dnat": [
    { "in": "inet", "dest": "$STATIC_IP", "to-addr": "$APACHE", "service": "http", "to-port": 8080 }
]
A rule in the "dnat" section only rewrites the destination; the forwarded traffic still has to be accepted by a "filter" rule (here one with "in": "inet", "dest": "$APACHE" and TCP port 8080), otherwise the default policy drops it.
Create your own service definitions
You can add your own service definitions into your Policy files:
"service": {
    "openvpn": { "proto": "udp", "port": 1194 }
}
Inherit services or variables
You can import a Policy into other Policy files to inherit its service or variable definitions; the imported Policy is loaded together with the one importing it:
"import": "myfirewall"
Here myfirewall refers to the file myfirewall.json in one of the policy directories.
Specify load order
By default policies are loaded in alphabetical order.
You can change the load order with the keywords "before" and "after", which name other policies:
"before": "myfirewall"
"after": "someotherpolicy"
The load order affects the order of the generated rules, so use these when one Policy's rules must take precedence over another's.
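The following script is an added example, not awall's own tooling and not part of the original page. It performs three offline checks on a set of Policy files before you run awall activate: it finds $VARIABLES used in rules but defined in no loaded Policy (covering the "variable" and "import" sections above), flags rules in a standalone "dnat" section that no "filter" rule accepts (the caveat from the Port-Forwarding section), and computes the load order implied by alphabetical sorting plus "before"/"after". The sample policies are constructed inline from this page's examples; the policy names test-policy, alt-port and vpn, and the deliberately undefined variable VPN_IP, are assumptions made for the demonstration. It assumes, as awall does, that all loaded policies (the enabled ones and their imports) are merged into one configuration, and it models only the ordering rules this page describes.

```python
"""Offline sanity checks for awall policy files (added example, not awall's own code).
Reports, before 'awall activate': $VARIABLES used but defined in no loaded policy,
standalone "dnat" rules that no filter rule accepts (DNAT rewrites the destination;
the FORWARD chain still filters), and the load order given by alphabetical sorting
plus "before"/"after". Assumes, as awall does, that enabled and imported policies merge."""
import json
import re

VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

# Constructed sample policies keyed by file name minus ".json", built from the
# how-to's examples. "alt-port" forwards to 8080 but has no matching filter rule.
POLICIES = {
    "test-policy": json.loads("""{
      "zone": {"inet": {"iface": "eth0"}, "loc": {"iface": "eth1"}},
      "policy": [{"in": "_fw", "action": "accept"}, {"in": "loc", "out": "inet", "action": "accept"}],
      "snat": [{"out": "inet"}],
      "variable": {"APACHE": "192.168.1.10", "STATIC_IP": "1.2.3.4"},
      "filter": [{"in": "inet", "dest": "$STATIC_IP", "service": "http",
                  "action": "accept", "dnat": "$APACHE"}]}"""),
    "alt-port": json.loads("""{
      "import": "test-policy", "after": "test-policy",
      "dnat": [{"in": "inet", "dest": "$STATIC_IP", "to-addr": "$APACHE",
                "service": "http", "to-port": 8080}]}"""),
    "vpn": json.loads("""{
      "service": {"openvpn": {"proto": "udp", "port": 1194}},
      "filter": [{"in": "inet", "dest": "$VPN_IP", "service": "openvpn", "action": "accept"}]}"""),
}
# The filter rule "alt-port" is missing: accept traffic to the translated address and port.
ALT_PORT_FILTER = {"in": "inet", "dest": "$APACHE", "action": "accept",
                   "service": {"proto": "tcp", "port": 8080}}

def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def loaded_policies(enabled, policies):
    """Enabled policies plus everything they import, transitively."""
    loaded, todo = set(), list(enabled)
    while todo:
        name = todo.pop()
        if name not in loaded:
            loaded.add(name)
            todo.extend(_as_list(policies[name].get("import")))  # KeyError if unknown
    return loaded

def load_order(enabled, policies):
    """Alphabetical order adjusted by 'before'/'after'; raises on a contradiction."""
    loaded = loaded_policies(enabled, policies)
    deps = {n: set() for n in loaded}  # deps[n]: policies that must load before n
    for n in loaded:
        deps[n].update(o for o in _as_list(policies[n].get("after")) if o in loaded)
        for o in _as_list(policies[n].get("before")):
            if o in loaded:
                deps[o].add(n)
    order = []
    while deps:  # Kahn's algorithm, always taking the alphabetically first ready policy
        ready = sorted(n for n, d in deps.items() if not d)
        if not ready:
            raise ValueError("circular before/after among %s" % sorted(deps))
        order.append(ready[0])
        del deps[ready[0]]
        for d in deps.values():
            d.discard(ready[0])
    return order

def merged_variables(enabled, policies):
    """Variable definitions of every loaded policy, merged into one table."""
    return {k: v for n in sorted(loaded_policies(enabled, policies))
            for k, v in policies[n].get("variable", {}).items()}

def _expand(value, variables):
    """Replace $NAME with its value; unknown names and non-strings are left alone."""
    return VAR_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), value) \
        if isinstance(value, str) else value

def undefined_variables(enabled, policies):
    """$NAMEs referenced in any rule but defined in no loaded policy."""
    defined = merged_variables(enabled, policies)
    used = {x for n in loaded_policies(enabled, policies)
            for section in ("policy", "filter", "dnat", "snat")
            for rule in policies[n].get(section, [])
            for v in rule.values() if isinstance(v, str)
            for x in VAR_RE.findall(v)}
    return sorted(used - set(defined))

def unfiltered_dnat(enabled, policies):
    """Standalone dnat rules whose translated address no filter rule accepts. Heuristic:
    accept action, expanded 'dest' == expanded 'to-addr', matching (or absent) 'in' zone."""
    loaded = loaded_policies(enabled, policies)
    variables = merged_variables(enabled, policies)
    accepts = [r for n in loaded for r in policies[n].get("filter", [])
               if r.get("action") == "accept"]
    flagged = []  # (policy, translated address, to-port); ports are not compared
    for n in sorted(loaded):
        for rule in policies[n].get("dnat", []):
            target = _expand(rule.get("to-addr"), variables)
            if not any(_expand(a.get("dest"), variables) == target and
                       a.get("in", rule.get("in")) == rule.get("in") for a in accepts):
                flagged.append((n, target, rule.get("to-port")))
    return flagged

if __name__ == "__main__":
    print("load order:", load_order(["test-policy", "alt-port", "vpn"], POLICIES))
    print("undefined variables:", undefined_variables(["test-policy", "alt-port", "vpn"], POLICIES))
    print("dnat rules lacking a filter rule:", unfiltered_dnat(["test-policy", "alt-port"], POLICIES))
```

To run it against a real box, build the policies dictionary with json.load over the .json files in /etc/awall/optional and /usr/share/awall/optional and pass the names reported as enabled by awall list. The DNAT check ignores ports, so treat a hit as a prompt to review the filter rules rather than as proof that traffic is blocked; the authoritative check remains awall translate followed by reading the generated rules.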
Other
Help and debugging
If you end up in some kind of trouble, you might find these commands useful when debugging:
awall                          # (with no parameters) shows some basic help about the awall application
awall dump                     # dump definitions like zones and variables
awall translate -o /tmp/awall  # generate the iptables rules into a directory for review, without loading them
iptables -L -n -v              # show what's in iptables, with packet counters per rule