How To Set Up a Firewall with Awall on Alpine Linux

Awall is a user-friendly and intuitive interface to the iptables firewall for Alpine Linux, which uses a set of predefined policies written in JSON format. These JSON files are referred to as policy files and are found in the /usr/share/awall/mandatory directory.

Common practice is to store your custom firewall rules in the /etc/awall/optional directory. These are optional policies: each one stays inactive until you enable it, as demonstrated later in this guide.

In this guide, we will demonstrate how you can set up an Awall firewall on Alpine Linux.

Step 1: Update Alpine Linux Package Lists

It’s always a good idea to refresh local repositories before installing new software packages. Therefore, refresh the local package index using the following apk command as shown.

# apk update

Step 2: Install Iptables in Alpine Linux

The next step is to install Iptables for both IPv4 and IPv6 protocols as follows.

# apk add ip6tables iptables

Step 3: Install Awall on Alpine Linux

With iptables in place, proceed and install the Awall firewall as follows.

# apk add -u awall

To confirm Awall is installed, run the command:

# apk info awall

As mentioned earlier, Awall ships with a predefined set of firewall policies in JSON format in the /usr/share/awall/mandatory directory. You can list them as follows.

$ ls -l /usr/share/awall/mandatory

However, leave that directory untouched: custom policies belong under /etc/awall, and the optional policies this guide creates go in /etc/awall/optional.

Step 4: Load Kernel Modules and Start Iptables

Next, ensure that the iptables kernel modules are loaded using the following command.

# modprobe -v ip_tables
# modprobe -v ip6_tables

With the kernel modules loaded, enable iptables to start on boot as shown.

# rc-update add iptables
# rc-update add ip6tables

Step 5: Create Firewall Policies Using Awall

Next, we are going to create a few firewall policies and place them in the /etc/awall/optional/ directory.

First, we will create a baseline policy file called server.json that blocks all incoming and outgoing connections: traffic arriving from the internet zone is dropped, and anything not matched by another rule is rejected. The policies that follow open specific holes in this baseline.

# vi /etc/awall/optional/server.json

Paste the following policy into the file.

{
  "description": "An awall policy that drops all incoming and outgoing traffic",

  "variable": { "internet_if": "eth0" },

  "zone": {
    "internet": { "iface": "$internet_if" }
  },

  "policy": [
    { "in": "internet", "action": "drop" },
    { "action": "reject" }
  ]

}

Save and exit. Next, create /etc/awall/optional/ssh.json, a policy that allows incoming SSH connections on port 22 and, through its conn-limit block, caps new connections at 3 per 60-second interval to slow down brute-force attacks.

{

    "description": "Allow incoming SSH access (TCP/22)",

    "filter": [
        {
            "in": "internet",
            "out": "_fw",
            "service": "ssh",
            "action": "accept",
            "src": "0.0.0.0/0",
            "conn-limit": { "count": 3, "interval": 60 }
        }
    ]
}

Save and exit the file.

Next, create /etc/awall/optional/ping.json, a policy that allows ICMP ping requests, rate-limited to 10 per 6 seconds by its flow-limit block.

{

    "description": "Allow ping-pong",

    "filter": [
        {
              "in": "internet",
              "service": "ping",
              "action": "accept",
              "flow-limit": { "count": 10, "interval": 6 }
        }
    ]
}

If you have a web server in place, create /etc/awall/optional/webserver.json with a rule that opens the HTTP and HTTPS ports.

{
    "description": "Allow incoming Apache (TCP 80 & 443) ports",
    "filter": [
        {
            "in": "internet",
            "out": "_fw",
            "service": [ "http", "https"],
            "action": "accept"
        }
    ]
}

Lastly, create /etc/awall/optional/outgoing.json to allow outgoing connections from the firewall host for some of the most commonly used protocols: HTTP, HTTPS, DNS, SSH, NTP, and ICMP ping.

{

    "description": "Allow outgoing connections for http/https, dns, ssh, ntp and ping",

    "filter": [
        {
            "in": "_fw",
            "out": "internet",
            "service": [ "http", "https", "dns", "ssh", "ntp", "ping" ],
            "action": "accept"
        }
    ]
}

Save the changes and exit.
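Before enabling the five policies above, it is worth checking them for the mistakes that are easy to make by hand: a typo that breaks the JSON, a filter that names a zone no policy defines, a zone that uses a variable nobody declared, an accept rule with no service (which opens every port from that zone), or an internet-facing SSH rule with no rate limit. The following Python checker is an added example, not part of this guide or of awall itself; the five policies are reconstructed inline so it runs offline, and the names `SAMPLE_POLICIES`, `lint_policies` and `_services` are mine. It is a structural pre-check only and does not replace awall's own validation.

```python
import json
import re

# Constructed sample policies, copied from the five files in this guide and keyed
# by the name `awall enable <name>` uses (the file name without .json).
SAMPLE_POLICIES = {
    "server": '''{
  "description": "An awall policy that drops all incoming and outgoing traffic",
  "variable": { "internet_if": "eth0" },
  "zone": { "internet": { "iface": "$internet_if" } },
  "policy": [ { "in": "internet", "action": "drop" }, { "action": "reject" } ]
}''',
    "ssh": '''{
  "description": "Allow incoming SSH access (TCP/22)",
  "filter": [ { "in": "internet", "out": "_fw", "service": "ssh", "action": "accept",
                "src": "0.0.0.0/0", "conn-limit": { "count": 3, "interval": 60 } } ]
}''',
    "ping": '''{
  "description": "Allow ping-pong",
  "filter": [ { "in": "internet", "service": "ping", "action": "accept",
                "flow-limit": { "count": 10, "interval": 6 } } ]
}''',
    "webserver": '''{
  "description": "Allow incoming Apache (TCP 80 & 443) ports",
  "filter": [ { "in": "internet", "out": "_fw", "service": [ "http", "https" ], "action": "accept" } ]
}''',
    "outgoing": '''{
  "description": "Allow outgoing connections for http/https, dns, ssh, ntp and ping",
  "filter": [ { "in": "_fw", "out": "internet",
                "service": [ "http", "https", "dns", "ssh", "ntp", "ping" ], "action": "accept" } ]
}''',
}

VALID_ACTIONS = {"accept", "drop", "reject"}
FIREWALL_ZONE = "_fw"                      # awall's built-in zone for the firewall host itself
LIMIT_KEYS = ("conn-limit", "flow-limit")  # the two rate-limit blocks used in this guide


def _services(rule):
    """Normalise the "service" attribute, which may be a string or a list."""
    svc = rule.get("service", [])
    return [svc] if isinstance(svc, str) else list(svc)


def lint_policies(policies):
    """Return a list of problem strings for a dict of {policy_name: json_text}.

    An empty list means every check passed. The checks are structural and are
    meant to run before `awall enable`; they are an assumption about what is
    worth catching early, not awall's own schema validation.
    """
    problems, parsed = [], {}
    for name, text in policies.items():
        try:
            parsed[name] = json.loads(text)
        except json.JSONDecodeError as exc:
            problems.append(f"{name}: invalid JSON ({exc.msg} at line {exc.lineno})")

    # Zones and variables are shared across all policies that end up enabled together.
    zones = {z for doc in parsed.values() for z in doc.get("zone", {})}
    variables = {v for doc in parsed.values() for v in doc.get("variable", {})}

    for name, doc in parsed.items():
        # Every "$var" used inside a zone definition must be declared somewhere.
        for zname, zdef in doc.get("zone", {}).items():
            for ref in re.findall(r"\$(\w+)", json.dumps(zdef)):
                if ref not in variables:
                    problems.append(f"{name}: zone '{zname}' uses undefined variable ${ref}")

        for kind in ("filter", "policy"):
            for i, rule in enumerate(doc.get(kind, [])):
                if rule.get("action") not in VALID_ACTIONS:
                    problems.append(f"{name}: {kind} #{i} has invalid action {rule.get('action')!r}")
                for key in ("in", "out"):
                    zone = rule.get(key)
                    if zone is not None and zone != FIREWALL_ZONE and zone not in zones:
                        problems.append(f"{name}: {kind} #{i} references undefined zone '{zone}'")
                if kind != "filter" or rule.get("action") != "accept":
                    continue
                # An accept filter with no service match opens every port from that zone.
                if "service" not in rule:
                    problems.append(f"{name}: filter #{i} accepts all services")
                # SSH reachable from outside the firewall host should carry a rate limit.
                if ("ssh" in _services(rule) and rule.get("in") != FIREWALL_ZONE
                        and not any(k in rule for k in LIMIT_KEYS)):
                    problems.append(f"{name}: filter #{i} accepts inbound ssh without conn-limit/flow-limit")

    # A catch-all policy entry (one with only "action") makes the default decision explicit
    # instead of leaving unmatched traffic to whatever awall's own default happens to be.
    if not any("in" not in p and "out" not in p
               for doc in parsed.values() for p in doc.get("policy", [])):
        problems.append('no catch-all policy entry (an entry with only "action") is defined')
    return problems


if __name__ == "__main__":
    for line in lint_policies(SAMPLE_POLICIES) or ["all checks passed"]:
        print(line)
```

Run it over the real directory by replacing `SAMPLE_POLICIES` with a dict built from the `*.json` files in /etc/awall/optional; the checks treat all supplied policies as if they were enabled together, which is exactly the situation `awall activate` produces.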

To list all the firewall policies in place, run the command:

# awall list

Step 6: Enable Firewall Policies and Activate Awall

To activate the firewall policies, run the following commands:

# awall enable server
# awall enable ssh
# awall enable ping
# awall enable outgoing
# awall enable webserver

Finally, to activate the Awall firewall, run the command:

# awall activate

Step 7: Disabling a Firewall Policy

To disable a firewall policy that you no longer need, use the following syntax:

# awall disable policy-name

For example, to disable the ping policy, run the command:

# awall disable ping

Disabling only changes the configuration; to apply the change to the running firewall, run:

# awall activate

Step 8: Disabling Awall and Iptables Firewall

If you no longer want to use Awall and iptables, run the following commands. First, stop the iptables and ip6tables services.

# rc-service iptables stop
# rc-service ip6tables stop

Next, disable all the Awall policy rules.

# awall disable server
# awall disable ssh
# awall disable ping
# awall disable outgoing
# awall disable webserver

And finally, remove the iptables and ip6tables services from the boot sequence so the firewall is not started again on the next reboot (this does not uninstall the packages).

# rc-update del ip6tables
# rc-update del iptables

This was a roundup of how to set up and use Awall with iptables firewall on Alpine Linux. For additional command options, visit the help page as follows.

# awall help
