AlpineLinux 3.6: Firewall with awall

This article describes how to set up a firewall on Alpine Linux 3.6 with awall, a front end that generates iptables rules from JSON policy files.

1 Install awall

Install the awall package and register the iptables service to start at boot.

$ sudo apk add awall
$ sudo rc-update add iptables

2 Enable and disable firewall

Starting the iptables service enables the firewall.

$ sudo rc-service iptables start

Stopping the iptables service disables the firewall.

$ sudo rc-service iptables stop

3 Add policy

Firewall rules are defined in policy files.

This article uses sample-policy.json, the sample policy shipped with awall. After copying the policy into /etc/awall/optional, "awall enable" enables the policy and "awall activate" applies it to the firewall.

$ sudo cp /usr/share/awall/sample/sample-policy.json \
          /etc/awall/optional/sample-policy.json
$ sudo awall enable sample-policy
$ sudo awall activate -f

sample-policy.json contains the following.

3.1 zone

Define the "internet" zone with "zone".

"variable": { "internet_if": "eth0" },

"zone": {
  "internet": { "iface": "$internet_if" }
},
  • Variables are defined under "variable". $internet_if expands to eth0. If you write eth0 directly in "zone" instead of "$internet_if", the "variable" section is not needed.
  • The "internet" zone is the zone whose interface is eth0.
  • "_fw" is a special zone that refers to the host machine itself.

3.2 policy

Define the default action between zones with "policy".

"policy": [
  { "in": "internet", "action": "drop" },
  { "action": "reject" }
],
  • Packets from the "internet" zone are dropped.
  • Other packets are rejected (an ICMP error is returned). Packets from "internet" to "_fw" are rejected, and packets from "_fw" to "internet" are rejected too. This means that the ping and ssh commands cannot be run from the host machine.
  • The following settings accept packets from "_fw" to "internet".
"policy": [
  { "in": "internet", "action": "drop" },
  { "in": "_fw", "action": "accept" },
  { "action": "reject" }
],

3.3 filter

Define exceptions to "policy" with "filter".

"filter": [
  {
    "in": "internet",
    "service": "ping",
    "action": "accept",
    "flow-limit": { "count": 10, "interval": 6 }
  },
  {
    "in": "internet",
    "out": "_fw",
    "service": "ssh",
    "action": "accept",
    "conn-limit": { "count": 3, "interval": 60 }
  },

  {
    "in": "_fw",
    "out": "internet",
    "service": [ "dns", "http", "ntp" ],
    "action": "accept"
  },
  {
    "in": "_fw",
    "service": [ "ping", "ssh" ],
    "action": "accept"
  }
]
  • The service names usable in "service" are defined in /usr/share/awall/mandatory/services.json.
  • ping packets from "internet" are accepted, but limited to 10 packets in 6 seconds.
  • ssh packets from "internet" to "_fw" are accepted, but limited to 3 connections in 60 seconds.
  • dns, http and ntp packets from "_fw" to "internet" are accepted. If a DNS server is running on the host machine, the host machine cannot use its own DNS server.
  • ping and ssh packets from "_fw" are accepted.

When sending ping packets from "internet" at an interval of 0.2 seconds, the 11th packet is rejected.

$ ping -i 0.2 alpinelinux-3-6-awall.hiroom2.com
PING alpinelinux-3-6-awall.hiroom2.com (192.168.11.93) 56(84) bytes of data.
64 bytes from 192.168.11.93: icmp_seq=1 ttl=64 time=0.609 ms
64 bytes from 192.168.11.93: icmp_seq=2 ttl=64 time=0.631 ms
64 bytes from 192.168.11.93: icmp_seq=3 ttl=64 time=0.618 ms
64 bytes from 192.168.11.93: icmp_seq=4 ttl=64 time=0.595 ms
64 bytes from 192.168.11.93: icmp_seq=5 ttl=64 time=0.554 ms
64 bytes from 192.168.11.93: icmp_seq=6 ttl=64 time=0.578 ms
64 bytes from 192.168.11.93: icmp_seq=7 ttl=64 time=0.705 ms
64 bytes from 192.168.11.93: icmp_seq=8 ttl=64 time=0.658 ms
64 bytes from 192.168.11.93: icmp_seq=9 ttl=64 time=0.586 ms
64 bytes from 192.168.11.93: icmp_seq=10 ttl=64 time=0.559 ms
# 11th ping packet is not accepted.
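The rule resolution of sections 3.2 and 3.3 and the flow-limit behind the ping test above can be modelled in a few lines of Python. This is an added example, not code from the original article or from awall. It assumes that filter entries are checked before policy entries with the first match winning, and it models flow-limit as a sliding window, which only approximates the rate limiting iptables performs for awall.

```python
import json
from collections import deque

# Model built from the sample-policy.json fragments above; not awall's own code.
POLICY = json.loads("""{
  "policy": [ { "in": "internet", "action": "drop" },
              { "in": "_fw", "action": "accept" },
              { "action": "reject" } ],
  "filter": [
    { "in": "internet", "service": "ping", "action": "accept",
      "flow-limit": { "count": 10, "interval": 6 } },
    { "in": "internet", "out": "_fw", "service": "ssh", "action": "accept",
      "conn-limit": { "count": 3, "interval": 60 } },
    { "in": "_fw", "out": "internet", "service": ["dns", "http", "ntp"], "action": "accept" },
    { "in": "_fw", "service": ["ping", "ssh"], "action": "accept" } ]
}""")

def _matches(rule, zin, zout, service):
    # An absent "in", "out" or "service" key is a wildcard (like the catch-all policy entry).
    svc = rule.get("service")
    services = svc if isinstance(svc, list) else [svc]
    return (rule.get("in", zin) == zin and rule.get("out", zout) == zout
            and (svc is None or service in services))

def decide(zin, zout, service, policy=POLICY):
    """Return (action, rule): filters are exceptions to policies, so check them first."""
    for rule in policy.get("filter", []) + policy.get("policy", []):
        if _matches(rule, zin, zout, service):
            return rule["action"], rule
    return "reject", None  # assumed default when nothing at all matches

class FlowLimit:
    """Sliding-window model of flow-limit: at most `count` packets per `interval`
    seconds. An approximation of the limit match awall emits, not its exact semantics."""
    def __init__(self, count, interval):
        self.count, self.interval, self.seen = count, interval, deque()
    def allow(self, t):
        while self.seen and t - self.seen[0] >= self.interval:
            self.seen.popleft()          # forget packets older than the window
        if len(self.seen) >= self.count:
            return False
        self.seen.append(t)
        return True

def ping_outcomes(n=12, gap=0.2):
    """Simulate `ping -i gap` from the internet zone; True means the packet is accepted."""
    action, rule = decide("internet", "_fw", "ping")
    lim = FlowLimit(**rule["flow-limit"])
    return [action == "accept" and lim.allow(i * gap) for i in range(n)]
```

With a 0.2 second interval the 11th and 12th packets fall inside the 6 second window and are refused, while at a 1 second interval every packet gets through because the window has already forgotten the oldest one.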