If you’re running CachyOS, an Arch-based Linux distribution, and need a more manual approach to firewall management, you may want to replace the Uncomplicated Firewall (UFW) with iptables. While UFW is easy to use, it can sometimes interfere with other tools like KVM or virt-manager, particularly when working with virtual machines (VMs) and network configurations.
This article documents the process of removing UFW and setting up iptables to manage your firewall on CachyOS.
Why Switch from UFW to iptables?
While UFW is a great tool for simpler firewall management, it may not always provide the level of control that advanced users or systems with specific networking needs require. iptables, on the other hand, offers more flexibility and power when configuring network rules, making it an ideal choice for those working with VMs or complex network setups.
If you’ve encountered issues with networking in virtual environments due to UFW’s default configurations, switching to iptables might resolve them.
Step 1: Stop and Disable UFW
The first step in transitioning to iptables is to stop and disable UFW. Since UFW manages your firewall rules, we need to make sure it doesn’t interfere with iptables once we install it.
- Stop UFW:
First, stop the UFW service if it’s running:
sudo systemctl stop ufw
- Disable UFW:
To prevent UFW from starting automatically on boot, run:
sudo systemctl disable ufw
Step 2: Remove UFW
Once UFW is disabled, you can remove it from your system entirely. This will also clean up any dependencies that are no longer needed:
sudo pacman -Rns ufw
Step 3: Install iptables
Now that UFW is out of the picture, the next step is to install iptables to manage your firewall rules.
- Install iptables:
On CachyOS (Arch-based), use the pacman package manager to install iptables:
sudo pacman -S iptables
- Verify Installation:
After installing, confirm that iptables is available by checking its version:
sudo iptables -V
This should return the version number of iptables, confirming that it’s successfully installed.
Step 4: Flush Existing Rules
Now, it’s time to clear any old firewall rules that might have been set by UFW or other tools. This step is crucial to avoid conflicting rules that could block traffic.
- Flush Rules:
Run the following command to flush all current iptables rules:
sudo iptables -F
This clears all rules from iptables and leaves the firewall in a blank state.
Step 5: Set Up Basic iptables Rules
Now that iptables is installed and all previous rules are flushed, you can start setting up your own firewall rules. Here’s an example configuration to get you started. The following rules will allow SSH, HTTP, and HTTPS traffic while blocking everything else:
- Allow SSH (port 22):
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- Allow HTTP (port 80):
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
- Allow HTTPS (port 443):
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
- Allow Established Connections:
This rule ensures that established connections are allowed to continue:
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- Drop Everything Else:
Finally, drop all other incoming traffic. The rule below is appended as a catch-all at the end of the INPUT chain (the effect of a default DROP policy), ensuring that only the allowed services (SSH, HTTP, HTTPS) can be accessed:
sudo iptables -A INPUT -j DROP
Step 6: Save iptables Rules
By default, iptables rules do not persist after a reboot. To ensure your rules are applied every time the system starts, you need to save them.
- Save Rules:
Use the iptables-save command to save the current rules:
sudo iptables-save | sudo tee /etc/iptables/iptables.rules > /dev/null
- Enable iptables Service:
Enable the iptables service to automatically apply the saved rules on boot:
sudo systemctl enable iptables
sudo systemctl start iptables
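The ruleset from Steps 5 and 6 can also be written directly in the format that /etc/iptables/iptables.rules uses (the iptables-restore format), which makes the rule order explicit. This is an added example, not code from the article: it keeps the article’s ports and save path but puts loopback and reply traffic ahead of the per-port rules and uses a chain policy of DROP instead of a trailing DROP rule, so rules added later are never shadowed. The function names and the RULES_FILE variable are constructed here.

```shell
#!/bin/sh
# Added example, not from the original article: emit the article's ruleset as an
# iptables-restore file, ordered the way the kernel evaluates it (loopback and reply
# traffic before the per-port rules, DROP as the chain policy instead of a trailing rule).
# Assumed: ports 22/80/443 and the save path are the article's; RULES_FILE, gen_rules
# and count_open_ports are names constructed for this example.
RULES_FILE=/etc/iptables/iptables.rules   # the file the Arch/CachyOS iptables.service loads

gen_rules() {
    [ $# -eq 0 ] && set -- 22 80 443       # TCP ports to open; default to the article's
    printf '%s\n' '*filter'
    # Chain policies: unsolicited inbound and forwarded traffic is dropped, outbound allowed.
    # A policy, unlike an appended "-j DROP" rule, cannot shadow rules appended later.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback first: with INPUT DROP and no lo rule, local services stop reaching each other.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to our own connections next, so they never fall through to the per-port rules.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Number of per-port ACCEPT rules in the generated ruleset (handy for checking the output).
count_open_ports() {
    gen_rules "$@" | grep -c -- '--dport'
}

# To apply and persist on a real host (needs root). iptables-restore replaces the whole
# filter table, including FORWARD rules libvirt added for VM bridges, so restart those
# virtual networks afterwards so libvirt re-adds them:
#   gen_rules | sudo iptables-restore
#   gen_rules | sudo tee "$RULES_FILE" >/dev/null && sudo systemctl enable --now iptables
```

Note that `iptables -F` from Step 4 only empties the chains of the filter table and leaves chain policies untouched; the restore file above defines the whole filter table, policies included.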
Step 7: Verify iptables Configuration
Once everything is set up, you can verify that your iptables rules are active and working correctly.
- List Active Rules:
Run the following command to view your active iptables rules:
sudo iptables -L
This will display the rules currently applied to your system, confirming that the desired ports (SSH, HTTP, HTTPS) are open and that all other incoming traffic is blocked.
- Check iptables Service Status:
You can also check the status of the iptables service to make sure it is running:
sudo systemctl status iptables
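Beyond eyeballing `iptables -L`, two mistakes are easy to miss in the listing when rules are appended the way Step 5 does: a rule appended after the catch-all DROP is never reached, and a chain with no loopback rule cuts off local services. The following added lint script (not from the article; the samples, function names and messages are constructed for this example) reads the chain as printed by `iptables -S INPUT` and flags both.

```shell
#!/bin/sh
# Added example, not from the original article: lint the INPUT chain as printed by
# `iptables -S INPUT`. It flags the two mistakes the append-then-DROP layout invites:
# rules appended after the catch-all "-j DROP" (never reached) and a missing loopback rule.
# The two sample dumps are constructed; lint_input, lint_sample and their messages are ours.
lint_input() {
    awk '
        /^-P INPUT DROP/              { policy_drop = 1 }
        /^-A INPUT -i lo -j ACCEPT/   { lo = 1 }
        /^-A INPUT -j DROP$/          { if (!drop_at) drop_at = NR }
        /^-A INPUT / && drop_at && NR > drop_at {
            shadowed++; print "shadowed (after catch-all DROP, never matched): " $0
        }
        END {
            bad = shadowed ? 1 : 0
            if (!lo) { print "no loopback ACCEPT rule: local services will be cut off"; bad = 1 }
            if (!policy_drop && !drop_at) { print "no DROP policy or catch-all rule: chain is open"; bad = 1 }
            exit bad
        }'
}

# Constructed sample 1: the article ruleset as appended, then one more port added later.
SAMPLE_BAD='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT'

# Constructed sample 2: policy DROP, loopback and reply traffic first, no trailing DROP.
SAMPLE_GOOD='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# lint_sample: exit 0 when the given chain dump passes, 1 otherwise (findings on stdout).
lint_sample() { printf '%s\n' "$1" | lint_input; }

# On a real host: sudo iptables -S INPUT | lint_input
```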
Step 8: Test Your Firewall Configuration
Finally, it’s important to test your firewall configuration. You can do this by trying to access the services you allowed (SSH, HTTP, HTTPS) from another machine, or by using tools like curl and ping:
- Test SSH:
From another machine, try to SSH into your CachyOS system:
ssh user@your_cachyos_ip
If everything is configured correctly, you should be able to access the allowed services, and all other ports will be blocked.
Conclusion
By following these steps, you’ve successfully removed UFW and switched to iptables for managing your firewall on CachyOS. You now have full control over your network traffic, and your firewall rules should persist after reboot. If you encounter any issues or need to adjust the rules, you can modify the iptables configuration to suit your specific needs.
Switching from UFW to iptables allows for greater flexibility and control, particularly when working with virtual machines or complex networking setups.