Awall

Awall is a simple firewall front-end for Alpine Linux, driven by JSON policy files.

Setup

  1. Install
     ```bash
     apk add ip6tables iptables
     apk add -u awall
     ```
  2. First time setup
     ```bash
     modprobe -v ip_tables    # IPv4
     modprobe -v ip6_tables   # if IPv6 is used
     modprobe -v iptable_nat  # if NAT is used (i.e. the box is a router)
     rc-update add iptables
     rc-update add ip6tables
     ```
  3. Setup rules
    • Awall is a front-end for iptables
    • Default (mandatory) policies are in /usr/share/awall/mandatory/*
    • Custom policies are in /etc/awall/
    • See the examples under Rules below
  4. Awall management
    • awall list to show policies and whether they are enabled
    • awall enable X to enable policy X
    • awall activate to generate and load the iptables rules
  5. iptables management
    • /etc/iptables/ holds the saved rules
    • iptables -S to view the loaded rules
    • rc-service iptables {start|stop|restart|status}
    • rc-service ip6tables {start|stop|restart|status}

Rules

Some examples below, taken from a tutorial and a blog post (links not preserved here).

Add the following files in /etc/awall/optional/

default.json

```json
{
  "description": "default deny all",
  "zone": {
    "WAN": { "iface": ["eth0"] }
  },
  "policy": [{ "in": "WAN", "action": "drop" }, { "action": "reject" }]
}
```
  • We define the WAN zone (interface eth0) and apply a policy: drop inbound traffic from WAN, reject everything else

ssh.json

```json
{
  "description": "allow ssh",
  "filter": [
    {
      "in": "WAN",
      "out": "_fw",
      "service": "ssh",
      "action": "accept"
    }
  ]
}
```
  • _fw is the built-in zone for the firewall host itself
  • "ssh" can be replaced with an inline service definition such as [{ "proto": "udp", "port": 1234 }]

ping.json

```json
{
  "description": "allow ping",
  "filter": [
    {
      "in": "WAN",
      "service": "ping",
      "action": "accept"
    }
  ]
}
```

Services

  • Built-in services are in /usr/share/awall/mandatory/services.json
  • Custom services are defined in /etc/awall/private/custom-services.json, for example:
```json
{
  "service": {
    "wireguard": [{ "proto": "udp", "port": 1234 }]
  }
}
```
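A small policy lint, added here as an example and not part of awall itself, that ties the Rules and Services sections together: it loads a set of policy files like the default/ssh/ping/custom-services examples above, checks that a catch-all drop/reject policy exists, that every zone a rule references is defined (or is the built-in `_fw`), and that every named service is known, then reports which services each zone may reach. The sample policies are constructed inline to mirror the examples above; `BUILTIN_SERVICES` is a constructed subset standing in for /usr/share/awall/mandatory/services.json, and the lint assumes single-zone string values for "in"/"out" (awall also accepts lists, which this example does not handle).

```python
import json

# Constructed sample policies, keyed by file name
# (stand-ins for the files under /etc/awall/optional/ and /etc/awall/private/)
SAMPLE_POLICIES = {
    "default.json": """{
      "description": "default deny all",
      "zone": {"WAN": {"iface": ["eth0"]}},
      "policy": [{"in": "WAN", "action": "drop"}, {"action": "reject"}]
    }""",
    "ssh.json": """{
      "description": "allow ssh",
      "filter": [{"in": "WAN", "out": "_fw", "service": "ssh", "action": "accept"}]
    }""",
    "ping.json": """{
      "description": "allow ping",
      "filter": [{"in": "WAN", "service": "ping", "action": "accept"}]
    }""",
    "custom-services.json": """{
      "service": {"wireguard": [{"proto": "udp", "port": 1234}]}
    }""",
}

# Constructed subset of built-in service names; the real list is in
# /usr/share/awall/mandatory/services.json
BUILTIN_SERVICES = {"ssh", "ping", "http", "https"}


def load_policies(files):
    """Parse each JSON policy document; returns {file name: dict}."""
    return {name: json.loads(text) for name, text in files.items()}


def _service_names(svc):
    """Service names referenced by a 'service' attribute (string, list, or inline definition)."""
    if isinstance(svc, str):
        return [svc]
    if isinstance(svc, list):
        return [s for s in svc if isinstance(s, str)]
    return []  # inline definition (dict) references no named service


def lint_policies(policies, builtin_services=BUILTIN_SERVICES):
    """Return {'errors': [str], 'exposed': {zone: {service label}}} for a set of policies."""
    zones = {"_fw"}                    # the firewall host itself is always defined
    services = set(builtin_services)
    for doc in policies.values():
        zones.update(doc.get("zone", {}))
        services.update(doc.get("service", {}))   # custom services extend the known set

    errors = []
    exposed = {}

    def check_zones(name, rule):
        for key in ("in", "out"):
            zone = rule.get(key)
            if zone is not None and zone not in zones:
                errors.append(f"{name}: undefined zone {zone!r} in {key!r}")

    catch_all_deny = False
    for name, doc in policies.items():
        for rule in doc.get("policy", []):
            check_zones(name, rule)
            # a policy with no "in"/"out" applies to all remaining traffic
            if rule.get("action") in ("drop", "reject") and "in" not in rule and "out" not in rule:
                catch_all_deny = True
        for rule in doc.get("filter", []):
            check_zones(name, rule)
            svc = rule.get("service")
            for s in _service_names(svc):
                if s not in services:
                    errors.append(f"{name}: unknown service {s!r}")
            if rule.get("action") == "accept":
                if svc is None:
                    errors.append(f"{name}: accept filter without a service matches all traffic")
                else:
                    label = svc if isinstance(svc, str) else json.dumps(svc, sort_keys=True)
                    exposed.setdefault(rule.get("in", "*"), set()).add(label)

    if not catch_all_deny:
        errors.append("no catch-all drop/reject policy: default deny is not expressed in these files")
    return {"errors": errors, "exposed": exposed}


if __name__ == "__main__":
    result = lint_policies(load_policies(SAMPLE_POLICIES))
    for err in result["errors"]:
        print("ERROR:", err)
    for zone, svcs in sorted(result["exposed"].items()):
        print(f"{zone} may reach: {', '.join(sorted(svcs))}")
```

Run against the sample set it reports no errors and that WAN may reach ssh and ping; dropping default.json from the set produces both a missing default-deny error and undefined-zone errors, since the WAN zone is only declared there. To lint a real host, replace `SAMPLE_POLICIES` with the contents of the JSON files under /etc/awall/ and read the built-in service names from services.json instead of the constructed subset.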