Awall Firewall
wifiBlocker EUROPE edited this page Oct 15, 2024 · 9 revisions
Prerequisites
```sh
apk add awall
modprobe ip_tables
modprobe iptable_nat
```
Create the following files in /etc/awall/optional/:
```json
{
  "description": "Default awall policy to protect iBlocker",
  "variable": { "internet_if": "eth0" },
  "zone": {
    "internet": { "iface": "$internet_if" },
    "LAN": { "iface": "wlan0" }
  },
  "policy": [
    { "in": "_fw", "action": "accept" },
    { "in": "LAN", "out": "internet", "action": "accept" },
    { "in": "internet", "action": "drop" }
  ],
  "snat": [
    { "out": "internet" }
  ]
}
```
```json
{
  "description": "Allow incoming SSH access (TCP/22)",
  "filter": [
    {
      "in": "internet",
      "out": "_fw",
      "service": "ssh",
      "action": "accept",
      "src": [ "192.168.178.0/24", "172.25.1.0/24", "172.25.1.12" ],
      "conn-limit": { "count": 3, "interval": 60 }
    },
    {
      "in": "LAN",
      "out": "_fw",
      "service": "ssh",
      "action": "accept",
      "src": [ "192.168.178.0/24", "172.25.1.0/24" ],
      "conn-limit": { "count": 3, "interval": 60 }
    }
  ]
}
```
Replace "192.168.178.0/24" and "172.25.1.0/24" with your own address ranges.
```json
{
  "description": "Monitoring via Prometheus/Grafana/node_exporter (port 9100)",
  "filter": [
    {
      "in": "internet",
      "out": "_fw",
      "service": "hp-pdl",
      "action": "accept"
    }
  ]
}
```
Install node_exporter as described at https://github.com/iBlocker-eu/AlpineAP/wiki/MONITORING
```json
{
  "description": "Allow ping-pong",
  "filter": [
    {
      "in": "internet",
      "service": "ping",
      "action": "accept",
      "flow-limit": { "count": 10, "interval": 6 }
    },
    {
      "in": "LAN",
      "service": "ping",
      "action": "accept",
      "flow-limit": { "count": 10, "interval": 6 }
    }
  ]
}
```
```json
{
  "description": "Allow incoming Apache HTTP/HTTPS (TCP/80 and 443) ports",
  "filter": [
    {
      "in": "internet",
      "out": "_fw",
      "service": [ "http", "https" ],
      "action": "accept"
    },
    {
      "in": "LAN",
      "out": "_fw",
      "service": [ "http", "https" ],
      "action": "accept"
    }
  ]
}
```
```sh
awall enable iBlocker ping ssh apache monitoring
awall list
awall activate
```
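As an added check that is not part of the original page or the AlpineAP project: a small Python audit that loads each optional policy and flags accept rules admitting traffic from the internet zone without a src list or without a conn-limit/flow-limit (on this page the monitoring and apache policies are the ones open to any internet source, ssh is restricted by src and conn-limit, ping is throttled by flow-limit). It assumes the policies are stored as NAME.json under /etc/awall/optional, matching the names given to awall enable; the embedded samples are constructed from the page's policies.

```python
import json
from pathlib import Path

# Constructed samples mirroring the page's ssh, monitoring, apache and ping
# policies, trimmed to the keys the audit looks at.
SAMPLE_POLICIES = {
    "ssh": {"filter": [{"in": "internet", "out": "_fw", "service": "ssh",
                        "action": "accept", "src": ["192.168.178.0/24"],
                        "conn-limit": {"count": 3, "interval": 60}}]},
    "monitoring": {"filter": [{"in": "internet", "out": "_fw",
                               "service": "hp-pdl", "action": "accept"}]},
    "apache": {"filter": [{"in": "internet", "out": "_fw",
                           "service": ["http", "https"], "action": "accept"}]},
    "ping": {"filter": [{"in": "internet", "service": "ping", "action": "accept",
                         "flow-limit": {"count": 10, "interval": 6}}]},
}

def _as_list(value):
    """awall accepts either a scalar or a list for 'in', 'out' and 'service'."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(name, policy):
    """Return findings for accept rules that admit traffic from the internet zone."""
    findings = []
    for rule in policy.get("filter", []):
        if rule.get("action", "accept") != "accept":
            continue
        if "internet" not in _as_list(rule.get("in")):
            continue
        svc = ",".join(_as_list(rule.get("service"))) or "any"
        if not rule.get("src"):
            findings.append(f"{name}: {svc} from internet without src restriction")
        if not (rule.get("conn-limit") or rule.get("flow-limit")):
            findings.append(f"{name}: {svc} from internet without conn/flow limit")
    return findings

def audit_policies(policies):
    """Audit a mapping of policy name -> parsed policy document."""
    findings = []
    for name, policy in sorted(policies.items()):
        findings += audit_policy(name, policy)
    return findings

def audit_dir(directory="/etc/awall/optional"):
    """Audit every NAME.json policy file in an awall optional-policy directory."""
    paths = sorted(Path(directory).glob("*.json"))
    return audit_policies({p.stem: json.loads(p.read_text()) for p in paths})
```

Run audit_dir() on the router itself, or audit_policies(SAMPLE_POLICIES) offline, and review each finding before deciding whether the service really needs to be reachable from eth0.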
After uninstalling awall (awall disable for ssh, monitoring, apache etc., then awall activate and apk del awall), the default policy of the chains must be set back to ACCEPT, otherwise no traffic is possible:

```sh
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
```
...