Arch Firewall

In an attempt to step my Linux game up, I’ve been setting up an Arch server. It’s been a great learning experience. The wiki (https://wiki.archlinux.org) has been an invaluable resource. Arch is beautifully simple, and that simplicity allows the 15 year old hardware it is installed on (single-core Pentium 4 with 1GB RAM) to run just as fast as my 3 year old laptop (quad-core AMD with 4GB RAM). I love it.

With the “all you have is what you install and configure yourself” mentality that underpins the simplicity of Arch comes a lack of security, however. For example, there are no preconfigured host-based firewall rules. You have to write your own, and that means you have to understand how iptables works — but that’s probably a good thing.

For those who may not know, iptables is the firewall software used by everyone and their mother in the world of Linux. It is made up of five tables: raw, filter, nat, mangle, and security (although the nat and filter tables are the ones most commonly used, with filter being the default table). Each table consists of chains (which are made up of rules to be applied in the various stages of packet processing).

The filter table has three built-in chains: input, output, and forward. So for incoming packets, the rules in the input chain are applied. The nat table also has three chains: prerouting, postrouting, and output. The rules in the chains are parsed sequentially, starting at the top. Rules define two things: matches and targets. Matches are the conditions the packet has to satisfy before being sent to a target. Typical things to match on are the source and destination interfaces and protocols. Targets can be other user-defined chains (with more matches and targets), built-in targets (e.g. accept, drop, queue, return), or target extensions (e.g. reject, log).

Extensions? Yep, iptables is extensible. Modules can be added to increase functionality beyond the default. For example, the conntrack module allows iptables to do stateful inspection. So how do you use it? I’m glad you asked. Assuming you just want to use the default filter table, it’s just a matter of adding chains and rules to /etc/iptables/iptables.rules and starting/enabling the service via systemd (e.g. systemctl {start|enable} iptables).