How to Configure a Firewall with `nftables` on Arch Linux

How to Configure a Firewall with nftables on Arch Linux
by İbrahim Korucuoğlu ( @siberoloji) |
Tags:
Categories:

  6 minute read  

When it comes to securing a Linux system, one of the fundamental steps is configuring a firewall. On Arch Linux, the modern and recommended tool for this task is nftables — a powerful and flexible packet filtering framework developed by the Netfilter Project. It replaces older systems like iptables, ip6tables, arptables, and ebtables, providing a unified and efficient approach to managing network traffic.

In this guide, we’ll walk through everything you need to know to get a firewall up and running using nftables on Arch Linux. We’ll cover installation, basic concepts, ruleset creation, persistence, and troubleshooting.

Why Use nftables?

Before diving in, let’s briefly explore why nftables is preferred over legacy tools:

  • Unified Framework: Unlike previous tools that needed separate utilities for IPv4, IPv6, ARP, and Ethernet bridges, nftables consolidates everything.
  • Simplified Syntax: The rule syntax is more readable and easier to manage.
  • Better Performance: It is more efficient in terms of memory usage and processing speed.
  • Atomic Rule Updates: Rules are updated atomically, reducing the risk of dropping packets during reloads.
  • Improved Logging and Debugging: Easier to debug with structured error messages and better logging support.

Prerequisites

Ensure that you have:

  • A working Arch Linux installation.
  • Root privileges or a user with sudo access.
  • A basic understanding of networking concepts.

Step 1: Installing nftables

Most Arch Linux installations already include nftables by default. To check if it’s installed:

nft --version

If not installed, you can install it with:

sudo pacman -S nftables

Step 2: Enabling the nftables Service

To make sure your firewall starts at boot, enable the systemd service:

sudo systemctl enable nftables.service
sudo systemctl start nftables.service

To verify that it’s running:

sudo systemctl status nftables.service

Step 3: Understanding nftables Concepts

Before configuring your ruleset, it’s helpful to understand some core concepts of nftables.

Tables

Tables are containers for rules and can be of types:

  • ip – IPv4 only
  • ip6 – IPv6 only
  • inet – both IPv4 and IPv6 (recommended for most use cases)

Chains

Chains define points in the packet processing path where rules are evaluated, such as:

  • input – packets destined for the local system
  • output – packets sent from the local system
  • forward – packets passing through the system

Rules

Rules define actions taken on packets that match specified conditions. Examples include allowing or dropping packets, logging them, or jumping to another chain.

Step 4: Creating a Basic Firewall Ruleset

Let’s create a basic ruleset to allow essential traffic and drop everything else.

1. Create a new file to define your ruleset

sudo nano /etc/nftables.conf

2. Add the following basic configuration

#!/usr/sbin/nft -f

table inet filter {
  chain input {
    type filter hook input priority 0;
    policy drop;

    # Allow loopback
    iif lo accept

    # Allow established and related connections
    ct state established,related accept

    # Allow SSH
    tcp dport 22 ct state new accept

    # Allow ICMP (ping)
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

    # Log and drop everything else (optional)
    log prefix "nftables input drop: " flags all counter
    drop
  }

  chain forward {
    type filter hook forward priority 0;
    policy drop;
  }

  chain output {
    type filter hook output priority 0;
    policy accept;
  }
}

3. Save and exit the file

4. Test the configuration syntax

sudo nft -c -f /etc/nftables.conf

If no errors are reported, load the rules:

sudo nft -f /etc/nftables.conf

To verify the active rules:

sudo nft list ruleset

Step 5: Making the Rules Persistent

The nftables.service by default loads /etc/nftables.conf at startup. So once your rules are correctly defined in that file and the service is enabled, your firewall will persist after reboot.

You can test this by rebooting your system and running:

sudo nft list ruleset

Step 6: Allowing More Services

If your system runs additional services (e.g., a web server or a DNS resolver), you’ll need to explicitly allow those.

Here are some examples:

    # Allow HTTP and HTTPS
    tcp dport { 80, 443 } ct state new accept

    # Allow DNS
    udp dport 53 ct state new accept

Simply insert these lines into the input chain inside /etc/nftables.conf.

Step 7: Logging Dropped Packets

For debugging or auditing purposes, you may want to log dropped packets. The basic configuration already includes a logging rule:

log prefix "nftables input drop: " flags all counter

Logs can be found using:

sudo journalctl -k | grep nftables

Keep in mind that excessive logging (especially with flags all) may fill up your logs quickly, so use with care in production environments.

Step 8: Flushing and Resetting Rules

To flush all active rules:

sudo nft flush ruleset

This clears all tables, chains, and rules currently in memory but does not affect your /etc/nftables.conf.

To reload your saved config:

sudo nft -f /etc/nftables.conf

Step 9: Advanced Tips

Named Sets

To simplify complex rule management, use named sets. For example:

set trusted_ips {
  type ipv4_addr
  elements = { 192.168.1.10, 192.168.1.11 }
}

ip saddr @trusted_ips accept

Rate Limiting

Prevent brute-force attacks with rate limiting:

tcp dport 22 ct state new limit rate 10/minute accept

Separate Chains for Services

For better organization:

chain ssh_chain {
  tcp dport 22 ct state new accept
}

chain input {
  ...
  jump ssh_chain
  ...
}

Step 10: Troubleshooting

Here are some common pitfalls and how to fix them:

  • SSH Locked Out: Always keep an open terminal with SSH access when testing new rules. Use limit or allow specific IPs to reduce brute-force risk.
  • Rules Not Loaded After Reboot: Ensure /etc/nftables.conf is correctly set and nftables.service is enabled.
  • Syntax Errors: Use nft -c -f to check config before loading.
  • No Logging: Check if your system logs kernel messages (journalctl -k). You may also need to tune your rsyslog or journald settings.

Conclusion

nftables on Arch Linux provides a powerful yet elegant way to manage firewall rules for your system. With a unified configuration, readable syntax, and modern features like named sets and rate limiting, it becomes easier than ever to secure your system effectively.

By defining a simple but strict ruleset, allowing only necessary services, and making your setup persistent, you ensure your system is protected both now and after every reboot. With this guide, you should be well-equipped to build on your firewall configuration as your needs grow.

Further Reading

Feel free to expand your configuration as you become more comfortable with the syntax and features. A well-maintained firewall is a critical part of any secure system.


< How to Configure a Firewall with `ufw` on Arch LinuxHow to Share Files Over Samba on Arch Linux >