Alpine Linux Services for iptables and ip6tables
This document briefly explains how to work with iptables and ip6tables on Alpine Linux.
Service Packages
In Alpine Linux, the iptables and ip6tables packages provide firewall support. By default, the iptables package usually gets installed, but the ip6tables package might need to be added manually. To be sure both packages are installed, run:
apk add iptables ip6tables
Initial Configuration
Once the packages are added, it is necessary to ensure the firewall services are stopped before doing the initial configuration:
rc-service iptables stop
rc-service ip6tables stop
As root, edit the /etc/conf.d/iptables file:
vi /etc/conf.d/iptables
Change the SAVE_ON_STOP option to “no”:
SAVE_ON_STOP="no"
Repeat this process for the /etc/conf.d/ip6tables file.
To ensure the corresponding services will be enabled at boot time, run:
rc-update add iptables boot
rc-update add ip6tables boot
The save locations for firewall rules can be set in /etc/conf.d/iptables and /etc/conf.d/ip6tables, but by default, /etc/iptables/rules-save and /etc/iptables/rules6-save are used.
CAUTION: If you do not change the SAVE_ON_STOP options, then the currently loaded iptables/ip6tables rules are saved whenever the corresponding service (iptables or ip6tables) is stopped. I recommend against using this default behavior, since it is easier to understand what your firewall is and isn’t allowing if you edit all the rules at once.
Adding or Changing Firewall Rules
By default, both the /etc/iptables/rules-save and /etc/iptables/rules6-save files are empty. An empty firewall rule set means that no firewall is active on the system (and the corresponding firewall service will fail to start). To rectify this situation, I suggest starting from a restrictive rule set and adding the rules needed to open specific ports.
Here is an extremely restrictive set of firewall rules that can be used for both iptables and ip6tables as a starting point:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
To configure the IPv4 firewall, put these rules into /etc/iptables/rules-save, then run:
rc-service iptables restart
Configuring the IPv6 firewall is similar, but the rules go in /etc/iptables/rules6-save, and restarting the service is done using:
rc-service ip6tables restart
As you add rules to your firewall, simply restart the corresponding service to make them effective.