In this guide, I will walk you through the process of configuring a firewall on Manjaro Gnome Minimal Edition using iptables. By the end of this tutorial, your PC will be securely able to communicate with other devices over SFTP, while preventing any unsolicited inbound traffic from your local network.
Step 1: Install iptables
To begin, we must install iptables, the powerful utility that allows us to configure our firewall. This can be accomplished easily using the following command:
sudo pacman -S iptables
Step 2: Set Default Policies
Next, we’ll set the default policies for iptables. A default policy is what happens to a packet that matches none of the rules in a chain. In this case, we will block all incoming and forwarded traffic, while allowing all outgoing traffic to flow freely. Note that iptables only handles IPv4; ip6tables keeps its own chains and policies, so IPv6 traffic is unaffected by everything below:
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
Step 3: Allow Loopback Traffic
To ensure that your system can still communicate internally (i.e., within the machine itself), we must allow loopback traffic. This will enable processes to talk to each other locally without interference:
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
Step 4: Allow Established and Related Connections
It’s crucial to allow traffic that is part of an already established or related connection. Because the INPUT policy is DROP, without this rule the replies to your own outgoing requests, such as those from your web browser or SFTP connections, would be dropped on the way back in:
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Step 5: Allow SFTP Outbound Connections
To enable secure file transfers over SSH, we’ll explicitly allow new outbound connections on port 22 for SFTP. Since Step 2 already accepts all outgoing traffic, this rule changes nothing on its own today; it documents the intent and keeps SFTP working if you later tighten the OUTPUT policy to DROP:
sudo iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
Step 6: Save the Rules
Once the rules are configured, it’s essential to save them so they persist after a reboot. Use the following command to save the configuration to a file:
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
Step 7: Ensure Rules Persist Across Reboots
Finally, we’ll ensure that our firewall rules are automatically loaded at boot time by creating and enabling a systemd service. This will guarantee that the rules are always applied when the system starts up. On Manjaro the iptables package already ships an iptables.service that loads /etc/iptables/iptables.rules; a unit of the same name placed in /etc/systemd/system takes precedence over the packaged one, so the file below replaces it and points at the rules.v4 file saved in Step 6.
Start by creating the service file:
sudo nano /etc/systemd/system/iptables.service
Then, add the following content to the file:
[Unit]
Description=Packet Filtering Framework
DefaultDependencies=no
# Load the rules before any network interface comes up, so there is no window without a firewall.
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
ExecStart=/usr/bin/iptables-restore /etc/iptables/rules.v4
ExecReload=/usr/bin/iptables-restore /etc/iptables/rules.v4
# systemd does not run Exec lines through a shell, so the ">" redirection must be wrapped in sh -c.
ExecStop=/bin/sh -c '/usr/bin/iptables-save > /etc/iptables/rules.v4'
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
After saving the file, enable and start the service with the following commands:
sudo systemctl enable iptables
sudo systemctl start iptables
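The same ruleset as Steps 2 through 5, written as a single iptables-restore file instead of a sequence of iptables commands. This is an added example, not part of the original post: it generates the file, checks that the policies and the essential rules are present before anything is loaded, and uses iptables-restore --test to parse the file without applying it. The RULES_FILE variable and the function names are this example's own; the path /etc/iptables/rules.v4 is the one used in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the post's ruleset in
# iptables-save format so it can be reviewed and loaded atomically with
# iptables-restore, and sanity-checks the file before it is applied.
# Assumptions: RULES_FILE and the function names are this example's own;
# the default path is the one the post saves to in Step 6.

RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

# Print the ruleset: INPUT/FORWARD default DROP, OUTPUT default ACCEPT,
# loopback allowed, replies to our own connections allowed, and new
# outbound SSH/SFTP (tcp/22) allowed explicitly (Steps 2-5 of the post).
generate_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Check a rules file before loading it: chain policies must match the
# post, and the loopback and conntrack rules must exist. Returns 0 when
# everything is present, otherwise prints the first problem and returns 1.
check_rules() {
    f="$1"
    grep -qx ':INPUT DROP \[[0-9]*:[0-9]*\]' "$f"    || { echo "INPUT policy is not DROP"; return 1; }
    grep -qx ':FORWARD DROP \[[0-9]*:[0-9]*\]' "$f"  || { echo "FORWARD policy is not DROP"; return 1; }
    grep -qx ':OUTPUT ACCEPT \[[0-9]*:[0-9]*\]' "$f" || { echo "OUTPUT policy is not ACCEPT"; return 1; }
    grep -q -- '-A INPUT -i lo -j ACCEPT' "$f" \
        || { echo "loopback rule missing"; return 1; }
    grep -q -- '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' "$f" \
        || { echo "conntrack rule missing: replies to your own traffic would be dropped"; return 1; }
    grep -qx 'COMMIT' "$f" || { echo "missing COMMIT"; return 1; }
    return 0
}

# Write the generated ruleset to the given file.
write_rules() {
    generate_rules > "$1"
}

# Parse-only load first (iptables-restore --test does not touch the kernel),
# then load for real. Needs root; only runs when the script is invoked with "install".
apply_rules() {
    iptables-restore --test "$1" && iptables-restore "$1"
}

if [ "${1:-}" = "install" ]; then
    write_rules "$RULES_FILE" && check_rules "$RULES_FILE" && apply_rules "$RULES_FILE"
fi
```

Running the script as `sudo sh firewall.sh install` writes the file and loads it, which replaces the one-command-per-rule sequence of Steps 2 through 6 with a single atomic operation; the same file is what the systemd service in Step 7 restores at boot.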
Using Nano for Simple Edits
For simple tasks like creating and editing configuration files, I highly recommend using the Nano text editor. Its straightforward interface and easy-to-use commands make it perfect for quick edits and small jobs. If you’d like to learn more about Nano and its features, check out my blog post here.