How-To Alpine Wall

From Alpine Linux
Revision as of 11:52, 11 October 2012 by Larena (talk | contribs) (new logging feature)
This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Larena on 11 Oct 2012.)

The purpose of this document is to illustrate Alpine Wall (AWall) by example. Please see Alpine_Wall_User's_Guide for details of the syntax. We explain AWall from the viewpoint of a Shorewall user. AWall is available since Alpine v2.4.

Your firewall configuration goes in /usr/share/awall/optional. Each file there is called a Policy. Policy files are not equivalent to the /etc/shorewall/policy file: an AWall Policy contains definitions of variables (like /etc/shorewall/params), zones (like /etc/shorewall/zones), interfaces (like /etc/shorewall/interfaces), policies (like /etc/shorewall/policy), and filter and NAT rules (like /etc/shorewall/rules). You may have multiple Policy files. This is useful, for example, for specific firewall roles such as FTP, HTTP, etc.: you can create separate policies that can be enabled or disabled on the fly with the "awall enable" and "awall disable" commands.

Prerequisites

After installing the awall package, if this is the first time you configure iptables on this machine, you need to load the following iptables kernel modules:

 # modprobe ip_tables
 # modprobe iptable_nat    #if NAT is used

Make the firewall start at boot and load the needed modules automatically:

 # rc-update add iptables

A Basic Home Firewall

In this case you just have a "local" zone and an "internet" zone, and the Alpine router firewalls you from the internet.

Let's suppose you have the following Shorewall configuration:

/etc/shorewall/zones:

 inet  ipv4
 loc   ipv4

/etc/shorewall/interfaces:

 inet  eth0
 loc   eth1

/etc/shorewall/policy:

 fw   all  ACCEPT
 loc  inet ACCEPT
 all  all  DROP

/etc/shorewall/masq:

 eth0  0.0.0.0/0

You can convert this configuration to AWall as follows:

Open a blank file in /usr/share/awall/optional, start with a description of your Policy (useful when you have multiple policies), and then define the zones:

 {
   "description": "Home firewall",
   "zone": {
     "inet": { "iface": "eth0" },
     "loc": { "iface": "eth1" }
   },

AWall has a built-in default zone, _fw, which corresponds to the Shorewall "fw" zone, the firewall itself. Set up your default policies:

   "policy": [
     { "in": "_fw", "action": "accept" },
     { "in": "loc", "out": "inet", "action": "accept" }
   ],

Then you need to masquerade the outgoing traffic:

   "snat": [
     { "out": "inet", "action": "masquerade" }
   ]
 }

snat here is to be read as "source NAT", not "static NAT".

After saving the Policy, you can list it, enable or disable it, and activate it (that is, start the firewall):

 # awall list
 myfirewall  enabled   Home firewall
 # awall activate
 Warning: inet6 rules not tested
 New firewall configuration activated
 Press RETURN to commit changes permanently: 

If you want to log all dropped packets from "inet", you can add the following policy:

 { "in": "inet", "out": "loc", "action": "logdrop" }

Logging changed in version 0.2.7: the "logdrop" action is deprecated, and any rejected or dropped packet is now logged by default, so the same rule becomes:

 { "in": "inet", "out": "loc", "action": "drop" }

Port-Forwarding

Let's suppose you have a local web server (192.168.1.10) that you want to make accessible from the "inet" zone. With Shorewall you would have a rule like this:

 #ACTION  SOURCE  DEST               PROTO  DEST    SOURCE    ORIGINAL
 #                                          PORT(S) PORT(S)   DEST
 DNAT     inet     loc:192.168.1.10  tcp    80

AWall already ships a list of "service" definitions for several services (in /usr/share/awall/mandatory/services.json), such as HTTP, FTP, SNMP, etc. So, to port-forward the HTTP port to your "loc" zone, you can add a "variable" block with your IP addresses, and then a "filter" definition that references them:

 "variable": {
   "APACHE": "192.168.1.10",
   "STATIC_IP": "1.2.3.4"
 },
 "filter": [
   { "in": "inet",
     "dest": "$STATIC_IP",
     "service": "http",
     "action": "accept",
     "dnat": "$APACHE"
   }
 ]
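Because a Policy is split across several blocks, it is easy to end up with a rule that names a zone you never declared, a $VARIABLE missing from the "variable" block, or the deprecated "logdrop" action from before 0.2.7. The following linter is an added example (not part of awall or of this page) that checks an assembled Policy for exactly those three mistakes before you run "awall activate"; the sample policy it carries is constructed from the fragments above, with two errors planted on purpose.

```python
import json
import re

BUILTIN_ZONES = {"_fw"}                   # the firewall host itself, always defined
DEPRECATED_ACTIONS = {"logdrop": "drop"}  # since awall 0.2.7 drops are logged anyway
# Constructed sample: this page's fragments assembled into one policy, plus two
# deliberate mistakes (a "logdrop" action and an undeclared $WEBSRV variable).
SAMPLE_POLICY = """{
  "description": "Home firewall",
  "variable": { "APACHE": "192.168.1.10", "STATIC_IP": "1.2.3.4" },
  "zone": { "inet": { "iface": "eth0" }, "loc": { "iface": "eth1" } },
  "policy": [
    { "in": "_fw", "action": "accept" },
    { "in": "loc", "out": "inet", "action": "accept" },
    { "in": "inet", "out": "loc", "action": "logdrop" }
  ],
  "snat": [ { "out": "inet", "action": "masquerade" } ],
  "filter": [
    { "in": "inet", "dest": "$STATIC_IP", "service": "http", "action": "accept", "dnat": "$WEBSRV" }
  ]
}"""

def _as_list(value):  # awall accepts a single string or a list in these fields
    return value if isinstance(value, list) else [value]

def lint_policy(text):
    """Return a list of problems found in an awall policy; empty means clean."""
    try:
        pol = json.loads(text)
    except json.JSONDecodeError as err:
        return ["invalid JSON: %s" % err]  # e.g. a missing comma between keys
    zones = BUILTIN_ZONES | set(pol.get("zone", {}))
    variables = set(pol.get("variable", {}))
    problems = []
    for section in ("policy", "filter", "snat"):
        for idx, rule in enumerate(pol.get(section, [])):
            where = "%s[%d]" % (section, idx)
            # "in" and "out" must name a declared zone or the built-in _fw
            for zone in _as_list(rule.get("in", [])) + _as_list(rule.get("out", [])):
                if zone not in zones:
                    problems.append("%s: unknown zone %r" % (where, zone))
            for field in ("src", "dest", "dnat"):  # every $VAR must be declared
                for val in _as_list(rule.get(field, [])):
                    for var in re.findall(r"\$(\w+)", str(val)):
                        if var not in variables:
                            problems.append("%s: undeclared variable $%s" % (where, var))
            act = rule.get("action")
            if act in DEPRECATED_ACTIONS:
                problems.append("%s: action %r is deprecated, use %r" % (where, act, DEPRECATED_ACTIONS[act]))
    return problems
```

Run lint_policy() on the contents of your own file in /usr/share/awall/optional; on the sample it reports the "logdrop" rule and the undeclared $WEBSRV.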

More Stuff

You can add your own service definitions into your Policy files:

 "service": {
   "openvpn": { "proto": "udp", "port": 1194 }
 }

Or you can import one Policy into other Policy files, to inherit its service or variable definitions:

 "import": "myfirewall"

By default, policies are loaded in alphabetical order. You can change the load order with the keywords "before" and "after":

 "before": "myfirewall"
 "after": "someotherpolicy"