
Awall Firewall


Prerequisites

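# Install awall and load the netfilter modules it needs: ip_tables for the
# IPv4 filter rules and iptable_nat for the "snat" section (masquerading
# LAN traffic out of eth0).
apk add awall
modprobe ip_tables
modprobe iptable_nat

# modprobe is not persistent. List the modules in /etc/modules so they are
# loaded again at boot, before the saved rules are restored; otherwise the
# AP can come up with no firewall after a reboot.
# (If this host also has IPv6 connectivity, ip6_tables is likely needed as
# well, since awall can generate ip6tables rules too -- confirm for your setup.)
grep -qx ip_tables /etc/modules || echo ip_tables >> /etc/modules
grep -qx iptable_nat /etc/modules || echo iptable_nat >> /etc/modules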

Create the files below in /etc/awall/optional/. Files in that directory are inactive until they are listed with `awall enable` (see "Enable policies" at the end of this page). Note what iBlocker.json covers: traffic originating from the firewall itself is accepted, LAN→internet is forwarded and masqueraded, and anything arriving from the internet zone is dropped unless one of the filter rules below explicitly accepts it. Traffic from the LAN to the AP itself has no policy entry here, so only the filter rules below open it; any other service the AP must offer its clients (DNS, DHCP, ...) needs its own policy file as well — confirm awall's default action for unmatched traffic in your version before relying on this.

iBlocker.json

{
  "description": "Default awall policy to protect iBlocker",
 
  "variable": { "internet_if": "eth0" },
 
  "zone": {
    "internet": { "iface": "$internet_if" },
    "LAN": { "iface": "wlan0" }
  },
 
  "policy": [
    { "in": "_fw", "action": "accept" },
    { "in": "LAN", "out": "internet", "action": "accept" },
    { "in": "internet", "action": "drop" }
],

  "snat": [
    { "out": "internet" }
  ]
 
}

ssh.json

{
 
    "description": "Allow incoming SSH access (TCP/22)",
 
    "filter": [
        {
            "in": "internet",
            "out": "_fw",
            "service": "ssh",
            "action": "accept",
            "src": [ "192.168.178.0/24", "172.25.1.0/24", "172.25.1.12" ],
	    "conn-limit": { "count": 3, "interval": 60 }
        },
        {
            "in": "LAN",
            "out": "_fw",
            "service": "ssh",
            "action": "accept",
            "src": [ "192.168.178.0/24", "172.25.1.0/24" ],
	    "conn-limit": { "count": 3, "interval": 60 }
        }


    ]
}

Replace "192.168.178.0/24" and "172.25.1.0/24" with the networks your administrators actually connect from; the single host "172.25.1.12" in the first rule is already covered by "172.25.1.0/24" and can be dropped. Keep the `src` list as narrow as possible: these entries are the only thing preventing SSH from being reachable by the whole internet zone, and an entry such as "0.0.0.0/0" would remove that protection entirely. The `conn-limit` caps new connections at 3 per source address per 60 seconds, which slows brute-forcing but is no substitute for key-only authentication in sshd_config.

monitoring.json

{
	"description": "Monitoring via Prometheus/Grafana/node_exporter (port 9100)",
	"filter": [
		{
			"in": "internet",
			"out": "_fw",
			"service": "hp-pdl",
			"action": "accept"
		}
	]
}

Install node_exporter as described at https://github.com/iBlocker-eu/AlpineAP/wiki/MONITORING. Note that the rule above accepts TCP/9100 (the `hp-pdl` service entry) from the internet zone with no `src` restriction, so node_exporter's metrics — hostname, kernel version, load, mounted filesystems, network interfaces — are readable by anyone who can reach eth0. Add a `src` list containing only your Prometheus server(s), as ssh.json does, or bind node_exporter to the LAN/management address instead.

ping.json

{
 
    "description": "Allow ping-pong",
 
    "filter": [
        {
	      "in": "internet",
	      "service": "ping",
	      "action": "accept",
 	      "flow-limit": { "count": 10, "interval": 6 }
        },
       {
	      "in": "LAN",
	      "service": "ping",
	      "action": "accept",
 	      "flow-limit": { "count": 10, "interval": 6 }
        }

    ]
}

apache.json

{
    "description": "Allow incoming Apache HTTP/HTTPS (TCP/80 and 443) ports",
    "filter": [
        {
            "in": "internet",
            "out": "_fw",
            "service": [ "http", "https"],
            "action": "accept"
        },
       {
            "in": "LAN",
            "out": "_fw",
            "service": [ "http", "https"],
            "action": "accept"
        }

    ]
}


Enable policies

# Mark the optional policies above as enabled (names are the file names in
# /etc/awall/optional/ without the .json suffix). This only records the
# selection; no rules are loaded yet.
awall enable iBlocker ping ssh apache monitoring
# Show all policies and whether each is enabled -- check the list matches
# what you intend before activating.
awall list
# Generate the iptables rules from the enabled policies and load them.
# Unless -f is given, awall waits for confirmation and rolls back to the
# previous rule set if none arrives, which protects an SSH session that the
# new ssh.json `src` list might lock out -- run this from a console, or make
# sure your own address is in the `src` list, before confirming.
awall activate
