Install and Configure Firewall on Arch Linux (UFW & iptables)

Arch Linux is renowned for its simplicity and flexibility, attracting users who appreciate a streamlined, customizable operating system. However, with this flexibility comes the responsibility of ensuring the system’s security. One fundamental aspect of securing any Linux system, including Arch Linux, is implementing a robust firewall.

A firewall acts as a barrier between your computer and potential threats from the internet, filtering incoming and outgoing traffic based on predetermined security rules. This essential security measure helps protect your system from unauthorized access, malware, and other cyber threats.

In this blog post, we will cover the installation of popular firewall software and provide detailed instructions for basic and advanced configuration.

Installing a Firewall on Arch Linux

For Arch Linux, several firewall solutions are available, each with its own features and strengths. The most commonly used are:

  • UFW (Uncomplicated Firewall): A user-friendly interface for managing iptables rules, ideal for beginners.
  • iptables: A powerful and flexible firewall utility that is highly configurable, suited for advanced users.
  • firewalld: A dynamic firewall manager that uses zones and services for configuration, offering a balance of simplicity and advanced features.

Installation Guide

Before installing any firewall software, ensure your system is up-to-date. Open your terminal and execute:

sudo pacman -Syu

This command synchronizes the package database and updates your system to the latest available versions.

Installing UFW

To install UFW, use the following command:

sudo pacman -S ufw

Installing iptables

iptables is often pre-installed on many Linux distributions, including Arch Linux. However, if it is not installed, you can do so with:

sudo pacman -S iptables

Enabling and Starting the Firewall

Once you have installed your preferred firewall software, the next step is to enable and start it.

UFW

Enable UFW to start on boot

sudo systemctl enable ufw

Start the UFW service

sudo systemctl start ufw

iptables

To enable iptables to start on boot, you need to enable the service using systemd.

sudo systemctl enable iptables

To start the iptables service, use the following command:

sudo systemctl start iptables

Managing Firewall with UFW

UFW, or Uncomplicated Firewall, is a user-friendly interface for managing iptables, designed to simplify the process of configuring a firewall. It is an excellent choice for users who prefer straightforward command-line tools without compromising on the security and functionality of their firewall.

Setting Default Policies

Setting default policies is crucial to define the basic behavior of your firewall. UFW’s typical default policy is to deny all incoming traffic and allow all outgoing traffic.

sudo ufw default deny incoming
sudo ufw default allow outgoing

Allowing and Blocking Ports and IPs

UFW makes it easy to allow or block specific ports and IP addresses. Here are some common commands:

Allow SSH (port 22)

sudo ufw allow ssh

Allow a specific port (e.g., HTTP on port 80)

sudo ufw allow 80

Allow a range of ports (e.g., ports 1000 to 2000)

sudo ufw allow 1000:2000/tcp

Deny a specific port

sudo ufw deny 8080

Allow traffic from a specific IP address

sudo ufw allow from 192.168.1.100

Deny traffic from a specific IP address

sudo ufw deny from 203.0.113.1

Checking Status and Rules

To check the status of UFW and see which rules are currently active, use:

sudo ufw status verbose

This command provides detailed information about the firewall’s status and all active rules.

Examples of Common UFW Rules

Below are examples of common UFW rules that you might find useful for securing your Arch Linux system:

Allow HTTP and HTTPS traffic

sudo ufw allow http
sudo ufw allow https

Allow traffic to a specific application profile (e.g., Apache). This only works if a profile with that name is present under /etc/ufw/applications.d; list the available profiles with `sudo ufw app list`

sudo ufw allow Apache

Restrict access to a port (e.g., MySQL on port 3306) to a specific IP range

sudo ufw allow from 192.168.1.0/24 to any port 3306

Deny all traffic except SSH and HTTP/HTTPS

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
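As an added example (not part of the original post), the following POSIX shell script applies the baseline above in an order that cannot lock a remote administrator out: defaults first, then the allow rules, and only then `ufw enable`. That last step matters because the systemd unit alone does not activate the firewall; the ufw service only loads rules once `ufw enable` has set ENABLED=yes in /etc/ufw/ufw.conf. The script goes beyond the page by using `ufw limit` for SSH, which rate-limits repeated connection attempts from one source. DRY_RUN, SSH_PORT and ADMIN_NET are this script's own variables (not ufw options); 192.168.1.0/24 is the page's sample subnet.

```shell
#!/bin/sh
# Added example: apply a UFW baseline in a lockout-safe order.
# DRY_RUN=1 prints the ufw commands instead of running them (this script's own convention).
: "${DRY_RUN:=0}"
: "${SSH_PORT:=22}"
: "${ADMIN_NET:=192.168.1.0/24}"   # sample subnet allowed to reach admin-only ports

# run: execute one ufw command, or echo it when dry-running
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ufw $*"
    else
        sudo ufw "$@"
    fi
}

# ufw_baseline: defaults, then allow rules, then enable, so a deny-all policy
# is never active without an SSH rule while you are logged in remotely.
ufw_baseline() {
    run default deny incoming
    run default allow outgoing
    run limit "$SSH_PORT/tcp"      # like allow, but rate-limits repeated connection attempts
    run allow http
    run allow https
    run allow from "$ADMIN_NET" to any port 3306 proto tcp
    run --force enable             # --force skips the interactive "may disrupt SSH" prompt
    run status verbose             # show the resulting rule set
}
```

Run `DRY_RUN=1 sh ufw-baseline.sh` first (after adding a `ufw_baseline` call at the end of the file) to review the exact commands, then run it without DRY_RUN to apply them.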

Managing Firewall with iptables

iptables is a powerful and flexible utility for configuring the packet-filtering framework built into the Linux kernel. It allows system administrators to define rules for how incoming and outgoing network traffic should be handled. While it offers extensive control and customization, iptables can be complex for beginners due to its command-line nature and detailed rule syntax.

Setting Default Policies

The first step in configuring iptables is to set default policies. These policies determine the default action for packets that do not match any other rules.

To set the default policy to drop all incoming and forwarding traffic while allowing all outgoing traffic, use the following commands. If you are configuring the host over SSH, add the accept rules from the next sections before switching the INPUT policy to DROP; otherwise your own session will be cut off:

sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

Allowing and Blocking Specific Ports and Services

iptables allows you to create rules to allow or block traffic based on various criteria, such as port numbers, IP addresses, and protocols.

Allow SSH (port 22)

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Allow HTTP (port 80) and HTTPS (port 443)

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Allow traffic from a specific IP address

sudo iptables -A INPUT -s 192.168.1.100 -j ACCEPT

Block traffic from a specific IP address

sudo iptables -A INPUT -s 203.0.113.1 -j DROP

Managing Established Connections

To ensure that established and related connections are allowed to communicate, add the following rule (place it before the per-port rules so that reply traffic is matched early):

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
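The page's iptables commands are applied one at a time, which makes the order fragile. As an added example (not the page's or the iptables project's code), the script below generates the whole IPv4 rule set as one file in the format that iptables-save writes and iptables-restore reads, with loopback and established traffic accepted before the DROP policy can bite, and validates it with `iptables-restore --test` before loading. `gen_ruleset`, `apply_ruleset` and BLOCKED_SRC are this script's own names; the blocked address 203.0.113.1 and the target path /etc/iptables/iptables.rules are the page's sample values. It goes beyond the page by dropping packets in the conntrack INVALID state and by allowing ICMP echo requests; remove either line if you do not want that behaviour. IPv6 needs a separate ip6tables rule set, which is not shown.

```shell
#!/bin/sh
# Added example: emit a complete filter table in iptables-restore format.
# Rule order inside INPUT: loopback, established/related, invalid, blocked host,
# ICMP echo, then one rule per allowed TCP port. Unmatched packets hit the DROP policy.
BLOCKED_SRC=${BLOCKED_SRC:-203.0.113.1}   # page's sample address (TEST-NET-3 documentation range)

# gen_ruleset PORT... -> prints the rule set to stdout
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s $BLOCKED_SRC -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    for p in "$@"; do
        # only NEW connections need a per-port rule; replies are covered above
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# apply_ruleset PORT... -> parse-check, install to the path Arch's iptables.service
# restores at boot, then load it into the running kernel
apply_ruleset() {
    tmp=$(mktemp) || return 1
    gen_ruleset "$@" > "$tmp"
    # --test parses and builds the rule set without committing it, so a syntax
    # error is caught before anything on the live system changes
    if ! sudo iptables-restore --test "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    sudo install -m 644 "$tmp" /etc/iptables/iptables.rules
    sudo iptables-restore /etc/iptables/iptables.rules
    rm -f "$tmp"
}
```

Usage: `apply_ruleset 22 80 443` installs and loads a rule set that admits SSH, HTTP and HTTPS. Because the file is loaded atomically, there is no window in which the DROP policy is active without the established-connection rule.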

Saving and Restoring iptables Rules

Saving Rules

After configuring iptables, you need to save your rules to ensure they persist across reboots. On Arch Linux, use the iptables-save command to write your current rules to /etc/iptables/iptables.rules, the file the iptables service restores. Note that a plain `sudo iptables-save > /etc/iptables/iptables.rules` fails with "Permission denied", because the redirection is performed by your unprivileged shell rather than by sudo; run the redirection as root instead:

sudo sh -c 'iptables-save > /etc/iptables/iptables.rules'

Restoring Rules

To restore the saved rules at boot, use the iptables-restore command from a systemd unit. On Arch Linux the iptables package already ships an iptables.service unit that restores /etc/iptables/iptables.rules, so on a standard install enabling it as shown earlier is enough; a unit of the same name placed in /etc/systemd/system, as created below, takes precedence over the packaged one. To write your own service file:

sudo nano /etc/systemd/system/iptables.service

Add the following content to the file:

[Unit]
Description=Packet Filtering Framework
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables-restore /etc/iptables/iptables.rules
ExecReload=/usr/sbin/iptables-restore /etc/iptables/iptables.rules
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Save and close the file. Then, enable and start the iptables service:

sudo systemctl enable iptables
sudo systemctl start iptables

Testing Your Firewall

Testing your firewall is a crucial step in ensuring that it functions correctly and provides the intended level of security. Several built-in and commonly available network tools can help you test your firewall rules. These tools provide a straightforward way to verify that your firewall is blocking or allowing traffic as expected.

Ping

The ping command helps check if a host is reachable and if ICMP traffic is being blocked or allowed.

To test outgoing ICMP traffic (ping a remote server):

ping google.com

To test incoming ICMP traffic (ping your system from another device):

ping <your_ip_address>

If the replies are blocked, as your firewall rules intend, the test is successful.

Telnet

The telnet command is useful for testing specific ports.

To test if a port is open: telnet <hostname> <port>

For example, to check if SSH (port 22) is open on a server:

telnet <hostname> 22

If the connection is successful, the port is open; if it is refused or times out, the port is closed or filtered by the firewall.

Netcat (nc)

Netcat is a versatile networking tool used for reading from and writing to network connections using TCP or UDP.

To check if a port is open on a remote server: nc -zv <hostname> <port>

For example:

nc -zv google.com 80

If the port is open, you will receive a “succeeded” message; otherwise, it will fail.

Nmap

Nmap is a powerful network scanning tool that can be used locally or remotely to identify open ports and services.

To perform a basic scan of your system:

sudo nmap -sT <your_ip_address>

To perform a more detailed scan, including version detection:

sudo nmap -sV <your_ip_address>
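The tools above check one port at a time by hand. As an added example (not part of the original post), the script below turns the expected state of each port into a checklist that can be re-run after every rule change: each spec line names a host, a port and whether it should be open or closed, the default probe is the same `nc -z` check shown above with a 2-second timeout, and any mismatch is reported and makes the script exit non-zero. `check_ports`, `probe_port` and the PROBE variable are this script's own names; the spec format is constructed for the example.

```shell
#!/bin/sh
# Added example: verify that a firewall exposes exactly the expected ports.
# Spec lines on stdin: "HOST PORT open|closed"; blank lines and '#' comments are skipped.

# probe_port HOST PORT -> exit 0 if a TCP connection succeeds within 2 seconds
probe_port() {
    nc -z -w 2 "$1" "$2" >/dev/null 2>&1
}
# PROBE names the probe function; overriding it lets the checker run without a network
PROBE=${PROBE:-probe_port}

# check_ports: one result line per spec line; returns 1 if any observed state differs
check_ports() {
    rc=0
    while read -r host port expected; do
        case "$host" in ''|'#'*) continue ;; esac
        if "$PROBE" "$host" "$port"; then
            observed=open
        else
            observed=closed
        fi
        if [ "$observed" = "$expected" ]; then
            echo "OK   $host:$port $observed"
        else
            echo "FAIL $host:$port expected $expected, got $observed"
            rc=1
        fi
    done
    return $rc
}
```

Usage, run from another machine against the firewalled host: `printf '%s\n' '203.0.113.10 22 open' '203.0.113.10 3306 closed' | sh -c '. ./check-ports.sh; check_ports'`. A FAIL line for a port that should be closed is the finding to act on; a FAIL for a port that should be open usually means the allow rule was never added, or that the service behind it is not listening.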

Final Thoughts

Securing your Arch Linux system with a well-configured firewall is essential for maintaining the integrity and confidentiality of your data. By integrating firewalls into your overall security strategy, you can effectively mitigate the risks associated with network-based attacks, ensuring a safer and more reliable computing environment. Regular updates, thorough testing, and continuous monitoring are key practices that will help you maintain a secure and resilient system.
