| |
dharmik parmar

admiration for arch linux

obligatory neofetch screenshot: neofetch

the way i came to arch linux is because what choice did i have? that is what all cool kids do, right? and ain't i the brand ambassador of the cool department? i too wanted to say "i use arch btw".

but as uncle ben put it, "with great power comes great responsibility". and arch linux is pure sheer power. it gives you power to build your own system from the ground up. it gives you power to choose what you want and what you don't want. it gives you power to learn and understand how linux works.

i didn't have this admiration always. i was a poopyhead for a long time. i have backups on this device of photos that are of size 60gb. i thought i made a bad choice of not choosing something stable, but i was wrong.

there are many instances when i broke my system, but learned to fix it. one particular instance which caught my eye and heart was today. i was trying to setup a vm with qemu on my machine. i had already spent time setting up the same on my pop os machine, but well it was weekend and i was tired of looking at my laptop screen (you bloody gnome) so i moved to my desktop.

i followed the same steps as i did on pop os, but it didn't work. everything worked except one thing which was dns. i tried everything. for a second i thought it was problem with my very own dns server, but no locally everything worked.

i started and restarted the vm, hoping it would work, but no luck. i googled and googled, but nothing worked. i was about to give up, when i thought of checking the arch wiki.

apparently, on pop os, preconfigures things for you (i have to read more about it later), but on arch, by default, there's no firewall rules set.

on my machine, i had nftables enabled, and my forward chain had a default policy drop. so anything being forwarded, including vm traffic, was dropped unless i explicitly allowed it.

i thought it's the default state on arch linux, but i was wrong. it has to be some package that i installed which enabled nftables with default drop policy.

> [dharmik@archlinux ~]$ sudo nft list ruleset

all i had to do was explicitly allow dns traffic within the forward chain.

sudo nft add rule inet filter forward udp dport 53 accept
sudo nft add rule inet filter forward tcp dport 53 accept

and voila! it worked. the vm could now access the internet.

> [dharmik@archlinux ~]$ sudo nft list ruleset
chain forward {
                type filter hook forward priority filter; policy drop;
                udp dport 53 accept
                tcp dport 53 accept
        }

since vm traffic goes through the host’s forward chain, dns packets (udp/tcp port 53) were getting dropped. all i had to do was explicitly allow dns traffic in the forward chain.

i love that. arch didn’t guess what i wanted. it waited for me to be explicit. that’s not inconvenience. that’s honesty. that’s control. that’s why i like arch linux. i did shed a tear that i have no account or memory of what on earth i was trying in the first place, but tears of joy, of course. i hope you guys had a happy weekend too.

note: this post was supposed to be published on 21st dec 2025, but i had a few doubts about the nft commands and the default state of firewall rules on arch machine. so i waited till today to confirm it all. yes, the default policy is drop on arch linux fresh install.

later, while setting up the vm further, i realized that forwarding itself was enabled, but the firewall policy was still dropping forwarded packets. i had to scratch my head on why i couldn't update the openwrt packages, because i could reach the internet and also could ping google from within the openwrt vm.

turns out the real issue was still forwarding. openwrt package downloads originate inside the vm, so they rely on the host’s forward chain. once i allowed forwarded traffic, package updates immediately started working.

sudo iptables -P FORWARD ACCEPT

i had briefly looked at the OUTPUT chain while debugging, but the actual fix was relaxing the forward policy.

it’s funny that until recently, i had no knowledge of firewalls or iptables/nftables and was living in ignorance and bliss. now that i know about them, i’m disturbed by them all the time. i can’t unknow it anymore.

though there's a lot i haven't learnt yet, i am open to it. i don't know what i will try next yet.

something else also happened. i had a lot of local commits in a repo and i wanted to start afresh from remote. so i did git log first to get the hash/commit id of the last commit on remote. but guess what, i got

less not found

well, not the first time i was doing git log, right? probably some bug in the routine system upgrade on my arch machine. without much thought, i did

sudo pacman -Syu
sudo pacman -S less

to which it says less already installed and up to date. what the heck? i go back and try git log again. well, this time less works but the error i get is github.com not found. arrrrrrgggghhh, i thought. my dns server was down again.

i picked up my laptop, because my router was down already and i was on my computer connected via lan cable. from my laptop, i ssh into my vps and see there's no storage left. someone's been ddos-ing my dns server again and the logs have filled up my storage. i clear some logs, restart the dns and it works again. phew!

but to those ddos-ers, please find a new hobby. this is old.

← Back to all posts

"it's not who you are underneath, but what you do that defines you" - rachel dawes