How-To Alpine Wall
Alpine Wall User Guide is the official source for details about the syntax. The purpose of this page is to illustrate Alpine Wall (AWall) by example. This page explains AWall from the viewpoint of a Shorewall user.
Installation
Install the awall package and make sure you are running the latest version by running the following commands:
# apk add iptables awall
$ apk version awall
Prerequisites
After installing AWall, you need to load the following iptables modules:
# modprobe ip_tables
# modprobe iptable_nat   # only if NAT is used
This only needs to be done once, after installing awall.
To make the firewall autostart at boot and autoload the needed modules:
# rc-update add iptables
# rc-update add ip6tables
Configuration files
Your Alpine Wall configuration files go in /etc/awall/optional. From version 0.2.12 onwards, awall also looks for Policy files in /usr/share/awall/optional.
Each such file is called a Policy.
You may have multiple Policy files. It is useful to have separate files for e.g. HTTP, FTP, etc.
A Policy can be enabled or disabled by name using the following commands:
# awall enable <policy>
# awall disable <policy>
An AWall Policy can contain definitions of:
- variables (like /etc/shorewall/params)
- zones (like /etc/shorewall/zones)
- interfaces (like /etc/shorewall/interfaces)
- policies (like /etc/shorewall/policy)
- filters and NAT rules (like /etc/shorewall/rules)
- services (like /usr/share/shorewall/macro.HTTP)
Basic home firewall
The example below shows the "Basic home firewall" configuration for both Shorewall and AWall. It makes clear that AWall Policy files are not equivalent to Shorewall's /etc/shorewall/policy file.
Shorewall configuration
Let's suppose you have the following Shorewall configuration:
Contents of /etc/shorewall/zones
Contents of /etc/shorewall/interfaces
Contents of /etc/shorewall/policy
Contents of /etc/shorewall/masq
AWall configuration
The equivalent AWall configuration that does the same thing as the above Shorewall example is given below.
Create a new file called /etc/awall/optional/home-policy.json and add the following content
Contents of /etc/awall/optional/home-policy.json
The above configuration will:
- Create a description of your Policy
- Define zones
- Define policy
- Define snat (to masquerade the outgoing traffic)
snat means "source NAT". It does not mean "static NAT".
Activating/Applying a Policy
After saving the Policy you can run the following commands to activate your firewall settings:
awall list                 # Lists the available Policies (this step is optional)
awall enable home-policy   # Enables the Policy defined in home-policy.json
awall activate             # Generates the firewall configuration from the Policy files and enables it (starts the firewall)
If you have multiple Policies, you always need to run awall activate after enabling or disabling any of them in order to update the iptables rules.
Advanced configuration
Assuming you have your /etc/awall/optional/home-policy.json with your "Basic home firewall" settings, you could choose to modify that file to test the below examples.
Logging
AWall will (since v0.2.7) automatically log dropped packets.
You could add the following row to the "policy" section in your Policy file in order to see the dropped packets.
{ "in": "inet", "out": "loc", "action": "drop" }
Port forwarding
Let's suppose you have a local web server (192.168.1.10) that you want to make accessible from the "inet".
With Shorewall you would have a rule like this in your /etc/shorewall/rules:
#ACTION  SOURCE  DEST              PROTO  DEST     SOURCE   ORIGINAL
#                                         PORT(S)  PORT(S)  DEST
DNAT     inet    loc:192.168.1.10  tcp    80
Let's configure our AWall Policy file likewise by adding the following content.
"variable": {
  "APACHE": "192.168.1.10",
  "STATIC_IP": "1.2.3.4"
},
"filter": [
  {
    "in": "inet",
    "dest": "$STATIC_IP",
    "service": "http",
    "action": "accept",
    "dnat": "$APACHE"
  }
]
As you can see in the above example, we create a
- "variable" section where we specify some IP-addresses
- "filter" section where we do the actual port-forwarding (using the variables we just created and using some preexisting "services" definitions)
If you need to forward to a different port (e.g. 8080) you can do:
"dnat": [
  {
    "in": "inet",
    "dest": "$STATIC_IP",
    "to-addr": "$APACHE",
    "service": "http",
    "to-port": 8080
  }
]
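The following is an added example, not code from the awall project or from this page. It embeds a constructed Policy that combines the zone/policy/snat layout of the "Basic home firewall" above with the port-forwarding rule from this section, and lints it before you would run awall activate: every zone a rule refers to must be defined, and there should be an explicit catch-all policy so unmatched traffic is handled deliberately. The interface names and addresses are placeholders.

```python
import json

# Constructed awall Policy (not from the page); eth0/eth1 are placeholder interfaces.
HOME_POLICY = json.loads("""
{
  "description": "Home firewall with one forwarded web server",
  "variable": { "APACHE": "192.168.1.10", "STATIC_IP": "1.2.3.4" },
  "zone": { "inet": { "iface": "eth0" }, "loc": { "iface": "eth1" } },
  "policy": [
    { "in": "loc", "action": "accept" },
    { "in": "inet", "action": "drop" },
    { "action": "reject" }
  ],
  "filter": [
    { "in": "inet", "dest": "$STATIC_IP", "service": "http",
      "action": "accept", "dnat": "$APACHE" }
  ],
  "snat": [ { "out": "inet" } ]
}
""")

def resolve(policy, value):
    """Expand a $NAME reference using the Policy's own "variable" section."""
    if isinstance(value, str) and value.startswith("$"):
        return policy.get("variable", {})[value[1:]]
    return value

def lint(policy):
    """Return a list of problems found in an awall Policy document."""
    problems = []
    zones = set(policy.get("zone", {}))
    for section in ("policy", "filter", "dnat", "snat"):
        for rule in policy.get(section, []):
            for key in ("in", "out"):
                refs = rule.get(key)
                # "in"/"out" may name a single zone or a list of zones
                for z in ([refs] if isinstance(refs, str) else refs or []):
                    if z not in zones:
                        problems.append(f"{section}: unknown zone {z!r} in {key!r}")
    # A policy rule with neither "in" nor "out" applies to every zone pair;
    # flag its absence so unmatched traffic is not left to the default.
    if not any("in" not in r and "out" not in r for r in policy.get("policy", [])):
        problems.append("policy: no catch-all rule")
    return problems

def forwarded_hosts(policy):
    """List (zone, service, target) for every rule that DNATs inbound traffic."""
    hosts = [(r["in"], r["service"], resolve(policy, r["dnat"]))
             for r in policy.get("filter", []) if "dnat" in r]
    hosts += [(r["in"], r["service"], resolve(policy, r["to-addr"]))
              for r in policy.get("dnat", [])]
    return hosts
```

Run lint() over each Policy file you intend to enable; a non-empty result is worth fixing before awall activate installs the rules.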
Create your own service definitions
You can add your own service definitions into your Policy files:
"service": { "openvpn": { "proto": "udp", "port": 1194 } }
Inherit services or variables
You can import a Policy into other Policy files for inheriting services or variables definitions:
"import": "myfirewall"
Customize policy loading order
By default, Policies are loaded in alphabetical order. The load order can be changed with the keywords "before" and "after":
"before": "myfirewall"
"after": "someotherpolicy"
Troubleshooting
If you run into trouble, the following commands may be useful when debugging:
awall # (With no parameters) Shows some basic help about awall application
awall dump # Dump definitions like zones and variables
iptables -L -n # Show what's in iptables