
How To Set Up a Firewall with Awall on Alpine Linux

Setting up a firewall on your Linux system is usually one of the top-of-mind tasks that you can implement to fortify your system’s security. A firewall basically filters or regulates network traffic as it passes across your network interface. By so doing, it keeps unwanted traffic at bay and only allows the required traffic to pass through to the system.

Awall is a user-friendly and intuitive interface to the iptables firewall for Alpine Linux. It has been available since the release of Alpine Linux 2.4 and uses a set of predefined policies written in JSON format. These JSON files are referred to as policy files and are found in the /usr/share/awall/mandatory directory.

Common practice is to store your custom firewall rules in the /etc/awall/optional directory. These are optional policies and are enabled on an as-needed basis, as we shall demonstrate later in this guide.

NOTE: Awall versions prior to 0.2.12 will reference the policy files in the /etc/awall/optional directory while versions 0.2.12 and higher will look for the policy files from the /etc/awall/optional and /usr/share/awall/optional directories. At the time of writing this guide, the latest version is Awall 1.10, which means that the latter statement will apply.

In this guide, we will demonstrate how you can set up an Awall firewall on Alpine Linux.

Step 1: Update Alpine Linux Package Lists

It’s always a good idea to refresh the local package index before installing new software packages. Log in to your Alpine Linux instance as root and refresh the index using the following apk command.

# apk update

Step 2: Install Iptables in Alpine Linux

The next step is to install Iptables for both IPv4 and IPv6 protocols as follows.

# apk add ip6tables iptables

Step 3: Install Awall on Alpine Linux

Awall firewall is provided by the Alpine Linux main repository for a wide selection of architectures including x86_64, x86, and aarch64 architectures. Therefore, proceed and install the Awall firewall using the apk command as shown.

# apk add -u awall

To confirm Awall is installed, run the command:

# apk info awall

As mentioned earlier, Awall ships with a predefined set of firewall policies in JSON format in the /usr/share/awall/mandatory directory. You can list the policies as follows.

$ ls -l /usr/share/awall/mandatory

However, according to best practices, custom policies should be placed in the /etc/awall directory.

Step 4: Load Kernel Modules and Start Iptables

Next, ensure that the iptables kernel modules are loaded using the following command.

# modprobe -v ip_tables 
# modprobe -v ip6_tables 

With the kernel modules loaded, enable iptables to start on boot as shown.

# rc-update add iptables
# rc-update add ip6tables

Step 5: Create Firewall Policies Using Awall

Next, we are going to create a few firewall policies and place them in the /etc/awall/optional/ directory.

First on the list, we will create a policy called server.json that drops all incoming and outgoing connections. Open the file in a text editor:

# vi /etc/awall/optional/server.json

Paste the following lines of code.

{
  "description": "An awall policy that drops all incoming and outgoing traffic",

  "variable": { "internet_if": "eth0" },

  "zone": {
    "internet": { "iface": "$internet_if" }
  },

  "policy": [
    { "in": "internet", "action": "drop" },
    { "action": "reject" }
  ]

}

Save and exit. Next, we will create a policy in /etc/awall/optional/ssh.json that allows incoming SSH connections on port 22 and limits connection attempts to 3 per 60-second interval to thwart brute-force attacks.

{

    "description": "Allow incoming SSH access (TCP/22)",

    "filter": [
        {
            "in": "internet",
            "out": "_fw",
            "service": "ssh",
            "action": "accept",
            "src": "0.0.0.0/0",
            "conn-limit": { "count": 3, "interval": 60 }
        }
    ]
}

Save and exit the file.

Next, we will define a firewall policy in /etc/awall/optional/ping.json that allows ICMP ping requests.

{

    "description": "Allow ping-pong",

    "filter": [
        {
              "in": "internet",
              "service": "ping",
              "action": "accept",
              "flow-limit": { "count": 10, "interval": 6 }
        }
    ]
}

If you have a web server in place, consider defining a rule in /etc/awall/optional/webserver.json that opens the HTTP and HTTPS ports.

{
    "description": "Allow incoming Apache (TCP 80 & 443) ports",
    "filter": [
        {
            "in": "internet",
            "out": "_fw",
            "service": [ "http", "https"],
            "action": "accept"
        }
    ]
}

Lastly, we are going to create /etc/awall/optional/outgoing.json, which allows outgoing connections for some of the most commonly used protocols such as HTTP, HTTPS, DNS, SSH, NTP, and ICMP ping.

{

    "description": "Allow outgoing connections for http/https, dns, ssh, ntp and ping",

    "filter": [
        {
            "in": "_fw",
            "out": "internet",
            "service": [ "http", "https", "dns", "ssh", "ntp", "ping" ],
            "action": "accept"
        }
    ]
}

Save the changes and exit.

To list all the firewall policies in place, run the command:

# awall list

Step 6: Enable Firewall Policies and Activate Awall

To activate the firewall policies, run the following commands:

# awall enable server
# awall enable ssh
# awall enable ping
# awall enable outgoing
# awall enable webserver

Finally, to activate the Awall firewall, run the command:

# awall activate
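
A pre-activation sanity check for the policies above, as an added example (not part of the original guide or of Awall itself): it parses the enabled policy files, flags zone names that no enabled policy defines, and warns when a default-deny policy is enabled without an SSH accept rule. The lint rules, the function names and the misspelled sample zone are assumptions made for illustration; it relies on enabled policies sharing zone definitions, as ssh.json does with the "internet" zone from server.json.

```python
import json

# Constructed sample input: abridged copies of this guide's policies, one with a misspelled zone.
SAMPLE = {
    "server": '{"zone": {"internet": {"iface": "eth0"}},'
              ' "policy": [{"in": "internet", "action": "drop"}, {"action": "reject"}]}',
    "ssh": '{"filter": [{"in": "internet", "out": "_fw", "service": "ssh",'
           ' "action": "accept", "conn-limit": {"count": 3, "interval": 60}}]}',
    "webserver": '{"filter": [{"in": "internt", "out": "_fw",'
                 ' "service": ["http", "https"], "action": "accept"}]}',
}

def as_list(value):
    """Zone and service attributes may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint(policies, enabled):
    """Return findings for the enabled policies (mapping of name -> JSON text)."""
    findings, parsed = [], {}
    for name in enabled:
        try:
            parsed[name] = json.loads(policies[name])
        except (KeyError, json.JSONDecodeError) as exc:
            findings.append(f"{name}: cannot load policy ({type(exc).__name__})")
    zones = {"_fw"}  # built-in zone for the firewall host itself
    for doc in parsed.values():
        zones.update(doc.get("zone", {}))
    ssh_allowed = False
    for name, doc in parsed.items():
        for rule in doc.get("filter", []) + doc.get("policy", []):
            for zone in as_list(rule.get("in")) + as_list(rule.get("out")):
                if zone not in zones:
                    findings.append(f"{name}: undefined zone '{zone}'")
        for rule in doc.get("filter", []):
            to_fw = "_fw" in as_list(rule.get("out")) or "out" not in rule
            if rule.get("action") == "accept" and to_fw and "ssh" in as_list(rule.get("service")):
                ssh_allowed = True
                if "conn-limit" not in rule:
                    findings.append(f"{name}: SSH accepted without conn-limit")
    default_deny = any(p.get("action") in ("drop", "reject")
                       for d in parsed.values() for p in d.get("policy", []))
    if default_deny and not ssh_allowed:
        findings.append("default deny without an SSH accept rule: remote lockout risk")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE, ["server", "ssh", "webserver"])))
```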

Step 7: Disabling a Firewall Policy

Suppose you want to disable a firewall policy that you no longer want. To do this, use the following syntax:

# awall disable policy-name

For example, to disable the ping policy, run the command:

# awall disable ping

To persist the changes, run the command:

# awall activate

Step 8: Disabling Awall and Iptables Firewall

If you no longer want to use Awall and iptables, stop the iptables services as shown. This stops iptables for both IPv4 and IPv6.

# rc-service iptables stop
# rc-service ip6tables stop

Next, disable all the Awall policy rules that were created earlier on.

# awall disable server
# awall disable ssh
# awall disable ping
# awall disable outgoing
# awall disable webserver

And finally, remove the iptables services from the boot sequence on your Alpine Linux system.

# rc-update del ip6tables
# rc-update del iptables

This was a roundup of how to set up and use Awall with iptables firewall on Alpine Linux. For additional command options, visit the help page as follows.

# awall help

Credit: cyberciti.biz and Alpine Wall Wiki

Ravi Saive

3 thoughts on “How To Set Up a Firewall with Awall on Alpine Linux”

  1. You stole this from nixCraft without giving any credit. You have zero talent just running multiple Linux sites like tecmint and stealing content. Shame on you

    • @Vivek,

      I seriously didn’t know about it that our author “Winnie Ondara” took the content from your site, even after repeatedly warned about our writing guidelines to author. I am extremely sorry for that, I have added credit at the bottom of the article…

      Also, you talking about talent, which does not exist in reality, we are all equal as human beings… This is hard work that always pays off… That’s why tecmint is booming, and I believe in Karma.

      A great quote – “I don’t believe in talent I believe in hard work“.

    • @Vivek, First of all, it is not true that I copied content from your site. I made reference to the Alpine Linux Wiki Page, which I’m sure you also made reference to and this explains the similarity between my content and your content. Secondly, I executed the commands in my Alpine Linux box and took the screenshots myself. Your accusation is uncalled for.
