Erwall Documentation

Introduction


What is IPTables?


IPTables is a program that allows users to define the IP Packet Filtering rules of the Linux kernel firewall. These filters are organized under tables containing rule chains. Rules determine how incoming and outgoing network traffic packets to be handled in your server and under what conditions they are accepted or rejected.

Each table can contain built-in chains and user defined chains. Built-in chains can be listed as:

You can refer to the  Linux Manual  for detailed information about IPTables.

What is ERWALL?

ERWALL is an application that allows system administrators to easily define iptables rules from a web interface. ERWALL consists of 2 programs, one is a ERWALL Server and the other is ERWALL Client.

ERWALL Server  is the web application that hosts the panel where the rules are managed. Since firewall settings consist of highly confidential information, we have designed this application so that our customers can run it entirely on their own servers in order to protect their privacy. You can run the server application we sent you on your own server and define all your firewall rules locally, without the need to communicate with an outside agent.

ERWALL Client  is the application that communicates with the ERWALL Server to run necessary commands in the server.

The agent you install on your server communicates with our web application, allowing the rules you define to work on your servers. At the same time, it allows you to easily manage your server through a web interface with features such as common configurations for different servers and advanced user management.

Thanks to the IPTables automation provided by ERWALL, you can define and run your advanced and comprehensive firewall rules on your servers without the need to work on the terminal. ERWALL works in integration with Merlin Web Services.

Why You Need ERWALL?

Configuring firewall is a daunting task even for experienced system administrators. It is complicated and tricky to work on multiple servers one by one via terminal. However, firewall settings are not fault-tolerant structures as they ensure the security of servers, therefore companies and users. A mistake made while configuring the firewall can cause serious security vulnerabilities in your system and may lead to serious legal and economic damage. Moreover, it is time consuming to run a configuration on multiple servers and push the changes made to all related servers.

ERWALL comes to your help at this point and allows you to easily set your configurations with its comprehensive interface. With ERWALL, you can group your servers and give references to the grouped servers in your firewall rules. You can group specific IP addresses with the IPSets you create and use the groups in your rules. Moreover, a firewall setting you make will be processed

Definitions

Tables

iptables contains 5 tables by default. Tables contain chains (rulesets) and rules.

support

Rulesets (Chains)

A ruleset can be defined as rules that come together in an ordered group format. It is the equivalent of the chain structure in IPTables in the ERWALL interface. Rulesets can be used in the JUMP part of other rules. The chain structure of IPTables consists of rulesets that are run sequentially according to the conditions. The ruleset in the JUMP part of a rule that is operated and whose condition is met will be switched to and the rules in that ruleset will continue to be operated sequentially.

How do iptables rules work?

An iptables rule checks the validity of an IP package based on specified condition and performs an action according to that validation. The columns listed in the rule table are fields of an IP packet. Rules entered into a ruleset are executed sequentially. If the condition specified in the rule matches the package, the action in the JUMP section is performed. These actions are:

If a packet does not match any rule, then the policy of the built-in chain is operated. It can be either ACCEPT or REJECT. By jumping between chains and trying the rules, requests get accepted or rejected eventually and related actions are taken for the packet.

IPSets

IPSet is the structure that can be used to group IP addresses with similar attributes. IP Addresses may differ in terms of source company, whitelist, ISP. IPSets can be used when defining rules. For example, when you want to block the IPs in your blacklist, instead of entering these IPs one by one, you can create an IPSet and define your rule over it. Likewise, a user who wants to block all IPs belonging to Amazon can define rules by adding these IPs to an IPSet. Since the IPSet structure performs a search over a hashmap, it provides benefits in terms of both computational complexity and ease of use.

Licensing

After you purchase one of the ERWALL plans from Merlin panel, the system generates and delivers a key. This key is used to synchronize Merlin and ERWALL panels. You can enter the license key to the key field in the ERWALL panel, start using the ERWALL.

ERWALL Server Installation

Quick Installation for Debian-based Distributions

Run the following command to automatically install ERWALL Server on your Debian based distributions.

curl -sLO https://www.erwall.io/downloads/linux-x64/erwall-server.deb && sudo apt install ./erwall-server.deb

Manual Installation

The configurations generated by ERWALL runs on your own server. ERWALL directly communicates with your servers to keep the configurations up to date. Firstly, you should download the Server application from here. After you complete installation of both ERWALL Server and Client applications, they start to communicate. Every action you perform on the ERWALL panel will be transformed into the related setting and operated on your servers.

Download ERWALL Server

Create your appsettings.json file to configure you ERWALL Server application

Example  appsettings.json  file:

curl -sLO https://www.erwall.io/downloads/linux-x64/erwall-server.deb && sudo apt install ./erwall-server.deb

Now, you can create database and start to run you ERWALL Server application. Following commands show how you can create a database and super user before you start.

Example Application Usage:


$ ./ErwallServer database drop
Database is deleted successfully.

$ ./ErwallServer database migrate
All migrations are applied.

$ ./ErwallServer database createsuperuser
Username: superuser
Email: superuser@erstream.com
Password: *********
Password (again): *********

$ ./ErwallServer runserver
									
Use ERWALL Server as a Service

If you want to use the ERWALL Server as a service, you can use following configurations.

Example Linux Service File for ERWALL Server Application:


[Unit]
Description=Erwall Manager Service

[Service]
WorkingDirectory=/home/erwall/Server
ExecStart=/home/erwall/Server/ErwallServer runserver
Restart=always
# Restart service after 10 seconds if service crashes:
RestartSec=10
KillSignal=SIGINT
SyslogIdentifier=erwall-server
User=www-data
Environment=DOTNET_PRINT_TELEMETRY_MESSAGE=false

[Install]
WantedBy=multi-user.target

# you may need admin privileges for these commands

systemctl enable /path/to/service_file            # enables linux service
systemctl disable erwall-service                  # disables linux service
service erwall-server start
service erwall-server status
service erwall-server stop
service erwall-server restart
journalctl -u erwall-service --no-pager -n 100    # displays last 100 logs  
										 	

Quick Installation for Debian-based Distributions

Run the following command to automatically install ERWALL Client on your Debian based distributions.


curl -sLO https://www.erwall.io/downloads/linux-x64/erwall-client.deb && sudo apt install ./erwall-client.deb

Manual Installation

Download ERWALL Client files from here. You can run the following commands to install ERWALL Client on your servers. First, install requirements:

                                    
sudo apt-get update -y
  sudo apt-get install -y iptables
  sudo apt-get install -y ipset
										
                                

Download ERWALL Client


Now, you can create appsettings.json file to configure your ERWALL Client application.

Example appsettings.json file:

{
 "Logging": {
  "LogLevel": {
	"Default": "Information",
	"Microsoft": "Warning",
	"Microsoft.Hosting.Lifetime": "Information"
   }
 },

 "ErwallService": {
   "Host": "",     # host of Erwall Server, example: erwall.company.com
   "PeriodInSeconds": 30,  # rule fetching period in seconds, recommended:30
   "IpSetSaveFile": "ip-set.txt",
   "IpTablesSaveFile": "ip-tables.txt"
  }
}
		  

Run this command to configure ERWALL Client:

./ErwallClient configure --host=<HOST> --period=<SECONDS>
		  

After completing these operations, you can start to use ERWALL Client with the following command:

./ErwallClient run       # this may need admin privileges in order to change iptables / ipset rules	
		  

If you want to use the ERWALL Server as a Linux service, you can use following commands.

Example Linux Service File for ERWALL Client Application:


[Unit]
Description=Erwall Client Service

[Service]
WorkingDirectory=/home/erwall/Client
ExecStart=/home/erwall/Client/ErwallClient run
Restart=always
# Restart service after 10 seconds if service crashes:
RestartSec=10
KillSignal=SIGINT
SyslogIdentifier=erwall-client
User=root
Group=root
Environment=DOTNET_PRINT_TELEMETRY_MESSAGE=false

[Install]
WantedBy=multi-user.target
		  


# you may need admin privileges for these commands

   systemctl enable /path/to/service_file            # enables linux service
   systemctl disable erwall-client                   # disables linux service
   service erwall-client start
   service erwall-client status
   service erwall-client stop
   service erwall-client restart
   journalctl -u erwall-client --no-pager -n 100    # displays last 100 logs  
   
[Unit]
   Description=Erwall Client Service

   [Service]
   WorkingDirectory=/home/erwall/Client
   ExecStart=/home/erwall/Client/ErwallClient run
   Restart=always
   # Restart service after 10 seconds if service crashes:
   RestartSec=10
   KillSignal=SIGINT
   SyslogIdentifier=erwall-client
   User=root
   Group=root
   Environment=DOTNET_PRINT_TELEMETRY_MESSAGE=false

   [Install]
   WantedBy=multi-user.target
		


Uninstall

Uninstall from Debian-based Distributions

You can run following commands to the uninstall ERWALL Server and Client applications.

ERWALL Server:

sudo apt remove erwall-server


ERWALL Client:

sudo apt remove erwall-client


Uninstall from Other Distributions

systemctl disable command will delete the service. After deleting the service, you can delete the files you have extracted while installing server and client applications.

Client Groups

Client Groups are structures that group similar purpose servers on which you want to use the same iptables configurations. By creating a Client Group, you can manage multiple servers simultaneously without having to apply your settings in the panel one by one.

Ruleset image

Create a Client Group

The first screen you will encounter when you log in to the Panel is the client group selection screen. You can create a new Client Group by clicking the Add Client Group button on this screen, and then you can add your servers by editing this group. A server can only exist in a single client group.

Edit & Delete a Client Group

When you come to the client groups tab from the main navigation bar, you can edit it by clicking the     icon in the box of the client group you want to edit. In this section; You can rename, add and remove servers. You can perform the deletion operation by clicking the     icon in the same dialog.

Ruleset Operations

A ruleset is a combination of rules that are specified by the user. Rulesets can be used in different client groups once it is created.

Ruleset image

Create a Ruleset

To create a ruleset, we need to go to the Rulesets section from the navigation bar. If you have created a ruleset before, you will be able to see these rulesets in the menu. You can define a new ruleset by clicking the Add Chain button at the bottom of this list. Adding rules to rulesets is done after they are created.

Edit & Delete a Ruleset

When you come to the Ruleset tab from the main navigation bar, you can edit it by clicking the     icon in the box of the ruleset you want to edit. You can rename the ruleset by editing it. You can perform the deletion operation by clicking the     icon in the same dialog.

Rule Operations

Ruleset image

Creating Rules in a Custom Ruleset

Firstly, navigate to the Rulesets section from main navigation. Then select the table that you consists of the ruleset you want to edit. Select the ruleset in this page. When you go to the rule list display page, you can create a new rule for that new ruleset by clicking the Add New Rule button. In the form that appears, you can enter the value you want, on which parameter you want to set the constraint. E.g; The 'TCP' value written in the protocol section will enable this rule to be activated in requests with the 'TCP' protocol. You can use IP Set in rules added in the source IP and destination IP address fields. If the IPs of the packets coming to or outgoing from the server are available in the group you selected, the rule will be operated. You can also use your own client groups for the IP address restrictions. The Custom part is the field used to add other constraints that are not specified in the form but can be defined with iptables. For detailed information about the constraints that you can add to a rule, refer to  manual page.

Creating Rules in Tables

When you enter a client group, you can choose one of the 5 tables in the menu on the left side of the first page. The built-in rulesets, which regulate the rules that the users in each table will be operated, will appear after you select the table. You can edit the relevant rules by selecting any of these rulesets. After clicking the Add New Rule button, you can save the rule by filling out the relevant sections in the form that appears. On which field you want to add a constraint, you can write the value of the constraint you want to add to that field. E.g; The 'TCP' value written in the protocol section will enable this rule to be activated in requests with the 'TCP' protocol. There are 2 options in the JUMP section, you can give one of the rulesets you defined here or you can choose one of the 4 basic actions of iptables. For detailed information about the actions, . If one of the basic actions is selected, the action will be executed and the rule will terminate. If one of the rulesets is selected, the rules in the relevant ruleset will be continued to be operated in order.

Edit & Delete a Rule

You can select the Edit Rule option and edit the rule by clicking the 3-dot icon on the right end of the row of the rule you want to edit. You can perform the deletion operation with the Delete option in the same section.

IPSet Operations

Ruleset image

Create an IPSet

When you click the IPSets section from the navigation bar, the list of available IPSets can be seen. From this section, you can create a new IPSet by clicking the Add New IPSet button. There are two fields in this form. The first part of the form determines the name of the IPset, and the second determines the algorithm to search the IP addresses in the IPSet. The hash:ip algorithm is generally used for the search algorithm.

Ruleset image

Edit & Delete IPSets

When you navigate to the IPSets section from the main navigation bar, you can edit one by clicking the     icon in that IPSet's box. You can delete an IPSet by clicking the     button next to it.

Custom Field

IPTables comes with many flags, options and target extensions. To keep the interface simple and easy-to-use, ERWALL only cosists some of them. However, restricting ERWALL users to a small set of options may make impossible to define some specific rules. You can use the custom field of rule creation form, in such cases. You can specify any option in this field and it will be attached to the commands that will run on your server.

Refer to the  iptables manual page  to see the whole list of possible options and target extensions.

Use Cases

Blacklist IP addresses

A user wants to drop the packets coming from 1000 specific IP addresses.

  • Step 1 - User creates an ipset to group 1000 IP addresses. By doing so, she also benefits from the efficiency of search algorithm of the ipset.
  • Step 2 - User goes to the Client Groups section and selects the Client Group which she wants to add the rule.
  • Step 3 - Since the incoming request are going to be blocked, user selects INPUT chain of the Filter table.
  • Step 4 - User adds a rule with ipset reference as shown in the figure below.

Only Allow HTTP Ports

Joe is a system administrator and he wants to eliminate all requests targeting a group of servers, except the requests that comes from the HTTP ports 80 and 443.

  • Step 1 - Joe goes to the Ruleset section and creates a Ruleset under Filter table. The rule only accepts the TCP packets coming from specified ports.

  • Step 2 - He navigates to the Client Groups section and selects the group that he wants to change.
  • Step 3 - He selects INPUT chain of the Filter table.
  • Step 4 - He changes default policy of the INPUT chain to the DROP. So, if a packet do not match with any of the rules in this chain, it will be dropped.
  • Step 5 - He adds a rule, if the incoming packet is a TCP packet jump to the ruleset that is just defined.
  • Step 6 - Joe reorders the rule to the first place since he wants to accept the incoming HTTP requests quickly. Rules are operated sequentially.


  • Only Allow Internal Network Packets

    A system administrator wants to configure servers in a way that they communicate with each other as they are isolated from the outer network.

    • Step 1 - She creates a ruleset on Filter Table to restrict inputs. The ruleset consists of a rule that only accepts the packets coming from clients added to the ERWALL.

    • Step 2 - She also creates one for filtering outgoing packets.



    • Step 3 - She add rules to INPUT and OUTPUT chains of Filter table on all Client Groups. These rules jumps to the custom rulesets that she created. She changes default policies to the DROP.



    User Management

    Users

    When you come to the User tab from the navigation menu, you can see the page where you can manage the users registered in your system. In this section, you can use the Add User button at the bottom of the table to create a new user, and you can quickly create a user by entering the user's information in the form that appears.





    In order to edit user information and assign roles to users, you can click on the three-dot icon on the row of the user you want from the Users table and select Edit User. A user can have multiple roles. The combination set of the privileges of the roles he has will be defined for the user. In addition, if you want to add new privileges to users, you can define the privileges you want from the CLAIMS section of this form without adding a new role.

    Change Password

    To change the password of your account, you can navigate to the Profile section from the main navigation bar.

    Claims

    The Table below contains all the claims. These claims can be assigned to roles or directly to users.

    Privileges Users
    Show Privileges Add User
    Change/Edit User
    Roles Delete User
    Add Roles View Users
    Change/Edit Roles Reset Users' Password
    Delete Roels Assign Role to Users
    View Roles Delete Role from Users
    Assign Privileges to Roles Assign Privilege to Users
    Delete Privileges to Roles Delete Privilege from Users
    client group Client
    Add client groups Add Client
    Change/Edit client groups Change/Edit Client
    Delete client groups Delete Client
    View client groups View Clients
    Activate client groups Activate Client
    Deactivate client groups Deactivate Client
    IpSet IP addresses
    Add IP-Set Add IP Addresses
    Delete IP-Set Change/Edit IP Addresses
    Edit IP-Set Delete IP Addresses
    View IP Sets View IP Addresses
    Chain Rule
    Add Chain Add Rule
    Change/Edit Chain Change/Edit Rule
    Delete Chain Delete Rule
    View Chain View Rule
    License
    Add Licence
    Change License

    User Role

    User roles are structures that group the privileges that a certain user group should have. For example, the Superuser role is expected to have most of the capabilities, while ReadOnlyUsers having only viewing claims.



    From the User Roles tab, which is one of the sub-tabs of the Users tab, you can view and edit existing roles, add new roles, define privileges, and perform the deletion. You can manage users without having to create separate roles for minor changes, as privileges can be defined independently of roles.

    User Activity

    You can view the logs of actions taken by all users in the User Activity section. You can quickly resolve the actions that may cause a problem in your system by analyzing logs.

    Plans

    ERWALL works in integration with Merlin Web Services. You can see the pricing information on the  Merlin's pricing page.