Learning Objectives:
- Configure robust network connectivity using multiple management approaches
- Implement comprehensive firewall protection and security policies
- Set up secure remote access with SSH and proper authentication
- Develop system hardening strategies for enhanced security posture
Network configuration in Arch Linux offers multiple approaches, from automated management tools to manual configuration for precise control. Understanding these options allows you to choose the best approach for your specific needs.
NetworkManager for Desktop Systems: NetworkManager provides user-friendly network management with GUI and command-line interfaces, ideal for desktop systems and laptops.
Installing and Configuring NetworkManager:
# Install NetworkManager and related tools
sudo pacman -S networkmanager network-manager-applet
# Enable and start NetworkManager
sudo systemctl enable --now NetworkManager
# Install GUI tools for desktop environments
sudo pacman -S nm-connection-editor # GTK-based editor
sudo pacman -S plasma-nm # KDE integration
NetworkManager Command Line Interface:
# List available connections
nmcli connection show
# Show device status
nmcli device status
# Connect to Wi-Fi network
nmcli device wifi connect "SSID" password "password"
# Create static IP connection
nmcli connection add type ethernet con-name "static-eth" \
ifname enp0s3 ip4 192.168.1.100/24 gw4 192.168.1.1
# Modify existing connection
nmcli connection modify "connection-name" ipv4.dns "8.8.8.8,8.8.4.4"
# Activate/deactivate connections
nmcli connection up "connection-name"
nmcli connection down "connection-name"
Manual Network Configuration: For servers or systems requiring precise control, manual configuration provides maximum flexibility.
Using systemd-networkd: Systemd's built-in network management:
# Enable systemd-networkd
sudo systemctl enable --now systemd-networkd
sudo systemctl enable --now systemd-resolved
# Create network configuration file
sudo nano /etc/systemd/network/20-ethernet.network
Example static configuration:
[Match]
Name=enp0s3
[Network]
DHCP=no
Address=192.168.1.100/24
Gateway=192.168.1.1
DNS=8.8.8.8
DNS=8.8.4.4
Example DHCP configuration:
[Match]
Name=enp0s3
[Network]
DHCP=yes
Wireless Network Configuration: Configure Wi-Fi connections manually using wpa_supplicant:
# Install wireless tools
sudo pacman -S wpa_supplicant wireless_tools
# Generate encrypted password
wpa_passphrase "SSID" "password" | sudo tee /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
# Start wpa_supplicant service
sudo systemctl enable --now wpa_supplicant@wlan0
# Configure network interface
sudo ip link set wlan0 up
sudo dhcpcd wlan0
Network Troubleshooting Tools: Master essential networking diagnostic tools:
# Check network interfaces
ip addr show
ip link show
# Test connectivity
ping -c 4 google.com
ping -c 4 8.8.8.8
# Trace network path
traceroute google.com
# Check DNS resolution
nslookup google.com
dig google.com
# Monitor network traffic
sudo pacman -S tcpdump wireshark-cli
sudo tcpdump -i any icmp
# Check listening ports
ss -tuln
netstat -tuln
A properly configured firewall is your first line of defense against network-based attacks. Arch Linux supports multiple firewall solutions, from simple UFW to advanced iptables configurations.
UFW (Uncomplicated Firewall): UFW provides a user-friendly interface to iptables, making firewall management accessible while maintaining powerful functionality.
Installing and Configuring UFW:
# Install UFW
sudo pacman -S ufw
# Enable UFW service
sudo systemctl enable --now ufw
# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Enable UFW
sudo ufw enable
# Check UFW status
sudo ufw status verbose
UFW Rule Management: Create specific rules for your security requirements:
# Allow specific services
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
# Allow specific ports
sudo ufw allow 22/tcp
sudo ufw allow 80,443/tcp
# Allow from specific IP addresses
sudo ufw allow from 192.168.1.0/24
sudo ufw allow from 192.168.1.100 to any port 22
# Deny specific connections
sudo ufw deny from 192.168.1.50
# Delete rules
sudo ufw delete allow ssh
sudo ufw --numbered status # Show rule numbers
sudo ufw delete 2 # Delete rule by number
# Reset all rules
sudo ufw --force reset
Advanced UFW Configuration: Handle complex networking scenarios:
# Allow specific interfaces
sudo ufw allow in on eth0 to any port 22
# Rate limiting (prevent brute force)
sudo ufw limit ssh
# Application profiles
sudo ufw app list
sudo ufw allow "Apache Full"
# Logging configuration
sudo ufw logging on
sudo ufw logging medium
Direct iptables Configuration: For advanced users requiring maximum control:
# View current iptables rules
sudo iptables -L -n -v
# Save current rules
sudo iptables-save > /tmp/iptables.rules
# Basic iptables rules example
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -j DROP
# Make iptables rules persistent
sudo pacman -S iptables-nft
sudo systemctl enable iptables
Regular backups and recovery planning protect against data loss and system failures. Implement comprehensive backup strategies for both system configuration and user data.
System Configuration Backup: Preserve critical system settings and configurations:
Essential Files to Backup:
# Create backup directory
sudo mkdir -p /backup/system
# Backup critical system files
sudo cp -r /etc /backup/system/
sudo cp /boot/grub/grub.cfg /backup/system/
sudo cp -r /home /backup/system/
# Backup package list
pacman -Qqe > /backup/system/pkglist.txt
pacman -Qqm > /backup/system/aur-pkglist.txt
# Backup systemd services
systemctl list-unit-files --state=enabled > /backup/system/enabled-services.txt
Automated Backup with rsync: Create efficient, incremental backups:
# Install rsync
sudo pacman -S rsync
# Create backup script
sudo nano /usr/local/bin/system-backup.sh
Example backup script:
#!/bin/bash
BACKUP_DIR="/backup/$(date +%Y-%m-%d)"
mkdir -p "$BACKUP_DIR"
# Backup system configuration
rsync -aAXv --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} / "$BACKUP_DIR/"
# Backup package lists
pacman -Qqe > "$BACKUP_DIR/pkglist.txt"
pacman -Qqm > "$BACKUP_DIR/aur-pkglist.txt"
echo "Backup completed: $BACKUP_DIR"
System Recovery Procedures: Prepare for system recovery scenarios:
Recovery from Live Environment:
# Boot from Arch Linux ISO
# Mount your system partitions
mount /dev/sda2 /mnt
mount /dev/sda1 /mnt/boot
# Chroot into your system
arch-chroot /mnt
# Restore from backup
rsync -aAXv /backup/latest/ /
# Reinstall packages
pacman -S --needed - < /backup/pkglist.txt
# Restore bootloader
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg
SSH Configuration and Security: Set up secure remote access with proper authentication and hardening:
SSH Server Installation and Configuration:
# Install OpenSSH
sudo pacman -S openssh
# Enable SSH service
sudo systemctl enable --now sshd
# Configure SSH security
sudo nano /etc/ssh/sshd_config
Essential SSH security settings:
# Change default port
Port 2222
# Disable root login
PermitRootLogin no
# Use key-based authentication
PasswordAuthentication no
PubkeyAuthentication yes
# Limit user access
AllowUsers username
# Set connection limits
MaxAuthTries 3
MaxSessions 2
# Enable logging
LogLevel VERBOSE
SSH Key Management:
# Generate SSH key pair
ssh-keygen -t ed25519 -C "[email protected]"
# Copy public key to server
ssh-copy-id -p 2222 username@server-ip
# Test key-based authentication
ssh -p 2222 username@server-ip
# Disable password authentication after testing
sudo systemctl reload sshd
Network Configuration Practice: Set up both NetworkManager and manual network configurations. Test switching between different network management approaches.
Firewall Implementation: Configure UFW with rules specific to your use case. Test firewall effectiveness using port scanning tools from another machine.
Backup Strategy Development: Create and test a comprehensive backup strategy. Practice system recovery procedures in a virtual machine environment.
SSH Hardening: Set up SSH with key-based authentication and security hardening. Test remote access and verify security settings.
Security Audit: Perform a security audit of your system using tools like
lynisorchkrootkit. Address any identified vulnerabilities.
You've now implemented comprehensive network configuration and security measures for your Arch Linux system. These skills form the foundation of a properly secured and networked system, whether for personal use or server deployment.
Understanding multiple network configuration approaches gives you flexibility to handle various scenarios, from simple desktop networking to complex server configurations. Your firewall and security implementations provide robust protection against common threats.
In the next module, we'll explore advanced customization and optimization techniques, building on your solid foundation to create a highly personalized and efficient system.