How-To Alpine Wall: Difference between revisions

From Alpine Linux
(→‎Example firewall using AWall: Fixed missing comma)
(Updating path for Policy files suggesting users to save their Policy files in /etc/awall/optional so we can skip the 'lbu inc && lbu ci' part in this doc (making it simpler to understand).)

Revision as of 16:06, 29 October 2012

This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Mhavela on 29 Oct 2012.)

General

Purpose of this doc is to illustrate Alpine Wall (AWall) by examples.
We will explain AWall from the viewpoint of a Shorewall user.

AWall is available since Alpine v2.4.
Please see Alpine_Wall_User's_Guide for details about the syntax.

Some of the features and examples below assume that you are running AWall version 0.2.12 or later.
Make sure you are running the latest version by running the following commands:

apk update
apk add -u awall
apk version awall

Structure

Your AWall firewall configuration file(s) go in /etc/awall/optional.
Each such file is called a Policy.

Note: AWall versions prior 0.2.12 will only look for Policy files in /usr/share/awall/optional.
From version 0.2.12 and higher, AWall will look for Policy files in both /etc/awall/optional and /usr/share/awall/optional

You may have multiple Policy files (it is useful to have separate files for e.g. HTTP, FTP and other roles).
Policies can be enabled or disabled with the "awall [enable|disable]" command.

Note: AWall's Policy files are not equivalent to Shorewall's /etc/shorewall/policy file.

An AWall Policy can contain definitions of:

  • variables (like /etc/shorewall/params)
  • zones (like /etc/shorewall/zones)
  • interfaces (like /etc/shorewall/interfaces)
  • policies (like /etc/shorewall/policy)
  • filters and NAT rules (like /etc/shorewall/rules)
  • services (like /usr/share/shorewall/macro.HTTP)

Prerequisites

After installing AWall, you need to load the following iptables kernel modules:

modprobe ip_tables
modprobe iptable_nat    #if NAT is used

This is needed only the first time, after AWall installation.

Make the firewall autostart at boot and autoload the needed modules:

rc-update add iptables

A Basic Home Firewall

We will give an example of how you can convert a "Basic home firewall" from Shorewall to AWall.

Example firewall using Shorewall

Let's suppose you have the following Shorewall configuration:

/etc/shorewall/zones

inet  ipv4
loc   ipv4

/etc/shorewall/interfaces

inet  eth0
loc   eth1

/etc/shorewall/policy

fw   all  ACCEPT
loc  inet ACCEPT
all  all  DROP

/etc/shorewall/masq

eth0  0.0.0.0/0

Example firewall using AWall

Now we will configure AWall to do the same thing as we just did with the above Shorewall example.

Create a new file called /etc/awall/optional/test-policy.json and add the following content to the file.

Tip: You could call it something else as long as you save it in /etc/awall/optional/ and name it ???.json
{
  "description": "Home firewall",

  "zone": {
    "inet": { "iface": "eth0" },
    "loc": { "iface": "eth1" }
  },

  "policy": [
    { "in": "_fw", "action": "accept" },
    { "in": "loc", "out": "inet", "action": "accept" }
  ],

  "snat": [
    { "out": "inet" }
  ]
}

The above configuration will:

  • Create a description of your Policy
  • Define zones
  • Define policy
  • Define snat (to masquerade the outgoing traffic)
Note: snat means "source NAT". It does not mean "static NAT".
Tip: AWall has a built-in zone named "_fw" which is the "firewall itself". This corresponds to the Shorewall "fw" zone.

Activating/Applying a Policy

After saving the Policy you can run the following commands to activate your firewall settings:

awall list               # Lists the available Policies (this step is optional)
awall enable test-policy # Enables the Policy (the file name without .json)
awall activate           # Generates the firewall configuration from the enabled Policy files and applies it (starts the firewall)

If you have multiple Policies, you always need to run awall activate after enabling or disabling them in order to update the iptables rules.

Advanced Firewall settings

Assuming you have your /etc/awall/optional/test-policy.json with your "Basic home firewall" settings, you could choose to modify that file to test the below examples.

Tip: You could create new files in /etc/awall/optional/ for testing some of the below examples

Logging

AWall automatically logs dropped packets (since v0.2.7).
You can add the following row to the "policy" section of your Policy file in order to see the dropped packets:

{ "in": "inet", "out": "loc", "action": "drop" }
Note: If you are using the Alpine 2.4 repository (AWall v0.2.5 or below), you should use "action": "logdrop" in order to log dropped packets.
Note: If you are adding the above content to an already existing file, then make sure you add "," signs where they are needed!

Port-Forwarding

Let's suppose you have a local web server (192.168.1.10) that you want to make accessible from the "inet".
With Shorewall you would have a rule like this in your /etc/shorewall/rules:

#ACTION  SOURCE  DEST               PROTO  DEST    SOURCE    ORIGINAL
#                                          PORT(S) PORT(S)   DEST
DNAT     inet     loc:192.168.1.10  tcp    80

Lets configure our AWall Policy file likewise by adding the following content.

  "variable": {
    "APACHE": "192.168.1.10",
    "STATIC_IP": "1.2.3.4"
    },

  "filter": [
    { "in": "inet", 
      "dest": "$STATIC_IP", 
      "service": "http", 
      "action": "accept", 
      "dnat": "$APACHE" 
      }
    ]

As you can see in the above example, we create a

  • "variable" section where we specify some IP-addresses
  • "filter" section where we do the actual port-forwarding (using the variables we just created and using some preexisting "services" definitions)
Note: If you are adding the above content to an already existing file, then make sure you add "," signs where they are needed!
Tip: AWall already has a "service" definition list for several services like HTTP, FTP, SNMP, etc. (see /usr/share/awall/mandatory/services.json)

Create your own service definitions

You can add your own service definitions into your Policy files:

"service": {  
  "openvpn": { "proto": "udp", "port": 1194 }
  }
Note: You can not override a "service" definition that comes from /usr/share/awall/mandatory/services.json
Note: If you are adding the above content to an already existing file, then make sure you add "," signs where they are needed!
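The Logging, Port-Forwarding and "Create your own service definitions" sections above each add a fragment to the same Policy file, and each warns about commas. The following is an added example, not code from the Alpine wiki or from the awall project: it shows the fragments folded into one complete Policy (the "Basic home firewall" plus the logging rule, the DNAT filter and the openvpn service) and checks it the way you would want to before running awall activate. The JSON parse catches the missing-comma mistake; the cross-reference checks (zones, $variables, service names, no override of a mandatory service) are this script's own rules, not awall's parser. BUILTIN_SERVICES is an assumed short stand-in for /usr/share/awall/mandatory/services.json, which is not read here.

```python
"""Added example: merge the awall Policy fragments from this page and
sanity-check them. Not part of the awall project."""
import json
import re

# Constructed: the complete Policy with all sections from this page folded in.
# Note the commas between the top-level sections.
POLICY_TEXT = """
{
  "description": "Home firewall",

  "variable": {
    "APACHE": "192.168.1.10",
    "STATIC_IP": "1.2.3.4"
  },

  "zone": {
    "inet": { "iface": "eth0" },
    "loc": { "iface": "eth1" }
  },

  "service": {
    "openvpn": { "proto": "udp", "port": 1194 }
  },

  "policy": [
    { "in": "_fw", "action": "accept" },
    { "in": "loc", "out": "inet", "action": "accept" },
    { "in": "inet", "out": "loc", "action": "drop" }
  ],

  "filter": [
    { "in": "inet", "dest": "$STATIC_IP", "service": "http",
      "action": "accept", "dnat": "$APACHE" }
  ],

  "snat": [
    { "out": "inet" }
  ]
}
"""

# Constructed: the variable block with the comma after "APACHE" left out,
# the mistake the notes on this page warn about.
BROKEN_TEXT = '{ "variable": { "APACHE": "192.168.1.10" "STATIC_IP": "1.2.3.4" } }'

# Assumption: a few names from /usr/share/awall/mandatory/services.json.
# The real file defines many more; it is not read here.
BUILTIN_SERVICES = ("http", "https", "ftp", "ssh", "snmp", "dns")
BUILTIN_ZONES = ("_fw",)   # the firewall itself, like Shorewall's "fw"


def is_valid_json(text):
    """True if the text parses; a missing or trailing comma fails here."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def load_policy(text):
    """Parse a Policy file's text into a dict (raises on bad JSON)."""
    return json.loads(text)


def check_policy(policy):
    """Return a list of problems; an empty list means the references hold."""
    problems = []
    zones = set(policy.get("zone", {})) | set(BUILTIN_ZONES)
    variables = set(policy.get("variable", {}))
    services = set(policy.get("service", {}))
    # Own "service" definitions may not override the mandatory ones.
    for name in sorted(services & set(BUILTIN_SERVICES)):
        problems.append("service %r overrides a built-in definition" % name)
    services |= set(BUILTIN_SERVICES)

    rules = [("policy", r) for r in policy.get("policy", [])]
    rules += [("filter", r) for r in policy.get("filter", [])]
    rules += [("snat", r) for r in policy.get("snat", [])]
    for section, rule in rules:
        for key in ("in", "out"):            # zone references
            zone = rule.get(key)
            if zone is not None and zone not in zones:
                problems.append("%s: zone %r not defined" % (section, zone))
        for key in ("src", "dest", "dnat"):  # $VARIABLE references
            val = rule.get(key)
            if isinstance(val, str):
                for var in re.findall(r"\$(\w+)", val):
                    if var not in variables:
                        problems.append("%s: variable $%s not defined" % (section, var))
        svc = rule.get("service")            # service references
        if svc is not None and svc not in services:
            problems.append("%s: service %r not defined" % (section, svc))
    return problems


if __name__ == "__main__":
    print("broken fragment parses:", is_valid_json(BROKEN_TEXT))
    print(check_policy(load_policy(POLICY_TEXT)) or "policy OK")
```

Run it before awall activate on a file you have just edited: a comma error shows up as a parse failure, and a typo in a zone, variable or service name shows up as a listed problem rather than as a rule that silently never matches.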

Inherit services or variables

You can import a Policy into other Policy files for inheriting services or variables definitions:

"import": "myfirewall"

Specify load order

By default, Policies are loaded in alphabetical order.
You can change the load order with the keywords "before" and "after":

"before": "myfirewall"
"after": "someotherpolicy"

Other

Help and debugging

If you end up in some kind of trouble, you might find some commands useful when debugging:

awall           # With no parameters, shows basic help for the awall application
iptables -L -n  # Shows the iptables rules currently loaded