
Awall Firewall


Prerequisites

apk add awall
# ip_tables is the iptables backend awall generates rules for; iptable_nat is
# needed because the iBlocker policy below contains a "snat" section.
modprobe ip_tables
modprobe iptable_nat

Create the files below in /etc/awall/optional/:

iBlocker.json

{
  "description": "Default awall policy to protect iBlocker",

  "variable": { "internet_if": "eth0" },

  "zone": {
    "internet": { "iface": "$internet_if" },
    "LAN": { "iface": "wlan0" }
  },


"service": {
  "motion": { "proto": "tcp", "port": 8081 }
  },

  "policy": [
    { "in": "_fw", "action": "accept" },
    { "in": "LAN", "out": "internet", "action": "accept" },
    { "in": "internet", "action": "drop" }
],

  "snat": [
    { "out": "internet" }
  ]

}

ssh.json

{
 
    "description": "Allow incoming SSH access (TCP/22)",
 
    "filter": [
        {
            "in": "internet",
            "out": "_fw",
            "service": "ssh",
            "action": "accept",
            "src": [ "192.168.178.0/24", "172.25.1.0/24", "172.25.1.12" ],
	    "conn-limit": { "count": 3, "interval": 60 }
        },
        {
            "in": "LAN",
            "out": "_fw",
            "service": "ssh",
            "action": "accept",
            "src": [ "192.168.178.0/24", "172.25.1.0/24" ],
	    "conn-limit": { "count": 3, "interval": 60 }
        }


    ]
}

Replace "192.168.178.0/24" and "172.25.1.0/24" with your own address ranges; only sources listed in "src" are allowed to reach SSH, so keep the list as narrow as possible.

monitoring.json

{
	"description": "Monitoring via Prometheus/Grafana/node_exporter (port 9100)",
	"filter": [
		{
			"in": "internet",
			"out": "_fw",
			"service": "hp-pdl",
			"action": "accept"
		}
	]
}

Install node_exporter as described at https://github.com/iBlocker-eu/AlpineAP/wiki/MONITORING. Note that, unlike ssh.json, this rule carries no "src" restriction, so the exporter port is reachable from any address in the internet zone; add a "src" list if it should only be scraped from known monitoring hosts.

ping.json

{
 
    "description": "Allow ping-pong",
 
    "filter": [
        {
	      "in": "internet",
	      "service": "ping",
	      "action": "accept",
 	      "flow-limit": { "count": 10, "interval": 6 }
        },
       {
	      "in": "LAN",
	      "service": "ping",
	      "action": "accept",
 	      "flow-limit": { "count": 10, "interval": 6 }
        }

    ]
}

apache.json

{
    "description": "Allow incoming Apache HTTP/HTTPS (TCP/80 and 443) ports",
    "filter": [
        {
            "in": "internet",
            "out": "_fw",
            "service": [ "http", "https"],
            "action": "accept"
        },
       {
            "in": "LAN",
            "out": "_fw",
            "service": [ "http", "https"],
            "action": "accept"
        }

    ]
}

motion.json

{
        "description": "Motion locally accessible (port 8100)",
        "filter": [
                {
                        "in": "LAN",
                        "service": "motion",
                        "action": "accept",
			"src": [ "192.168.178.0/24", "172.25.1.0/24" ]
                },
                {
                        "in": "internet",
                        "service": "motion",
                        "action": "accept",
			"src": [ "192.168.178.0/24", "172.25.1.0/24" ]
                }

        ]
}

Replace "192.168.178.0/24" and "172.25.1.0/24" with your own address ranges; the "src" lists restrict which addresses may reach the motion service.

Enable policies

# Enable every optional policy created above, review the policy list, then
# load the resulting rules into the kernel.
awall enable iBlocker ping ssh apache monitoring motion
awall list
awall activate

Uninstall

After uninstalling (awall disable ssh, monitoring, apache, etc., then awall activate and apk del awall), the default policy of the chains should be set to ACCEPT; otherwise no traffic is possible:

# Reset the default chain policies to ACCEPT. With awall removed, nothing else
# filters traffic on this host afterwards.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
...
