Configure the "iptables" to organizational standards.
CONTROL ID 14463
CONTROL TYPE Configuration
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Configure network protection settings to organizational standards., CC ID: 07601
This Control has the following implementation support Control(s):
Configure the "ip6tables" settings to organizational standards., CC ID: 15322
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
Ensure iptables rules are saved Description: The `iptables-services` package includes the `/etc/sysconfig/iptables` file. The `iptables` rules in this file will be loaded by the `iptables.service` during boot, or when it is started or re-loaded. Rationale: If the `iptables` rules are not saved and a… (3.5.3.2.5, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
Ensure iptables packages are installed Description: iptables is a utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall, implemented as different Netfilter modules, and the chains and rules it stores. Different kernel modules and programs ar… (3.5.3.1.1, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
Ensure iptables are flushed with nftables Description: nftables is a replacement for iptables, ip6tables, ebtables and arptables Rationale: It is possible to mix iptables and nftables. However, this increases complexity and also the chance to introduce errors. For simplicity flush out all iptables r… (3.5.2.4, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
Ensure iptables-services not installed with firewalld Description: The `iptables-services` package contains the `iptables.service` and `ip6tables.service`. These services allow for management of the Host Based Firewall provided by the `iptables` package. Rationale: `iptables.service` and `ip6tables.… (3.5.1.2, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
Ensure iptables loopback traffic is configured Description: Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8). Rationale: Loopback traffic is generated between processes on machine and is typically critical to ope… (3.5.3.2.1, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
Ensure iptables default deny firewall policy Description: A default deny all policy on connections ensures that any unconfigured network usage will be rejected. Rationale: With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list… (3.5.3.2.4, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
Ensure iptables outbound and established connections are configured Description: Configure the firewall rules for new outbound, and established connections. Rationale: If rules are not in place for new outbound, and established connections all packets will be dropped by the default policy preventing… (3.5.3.2.2, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
Ensure iptables is enabled and running Description: `iptables.service` is a utility for configuring and maintaining `iptables`. Rationale: `iptables.service` will load the iptables rules saved in the file `/etc/sysconfig/iptables` at boot, otherwise the iptables rules will be cleared during a re-boo… (3.5.3.2.6, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
Ensure iptables-services not installed with nftables Description: The `iptables-services` package contains the `iptables.service` and `ip6tables.service`. These services allow for management of the Host Based Firewall provided by the `iptables` package. Rationale: `iptables.service` and `ip6tables.s… (3.5.2.3, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
Ensure iptables rules exist for all open ports Description: Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic. Rationale: Without a firewall rule configured for open ports default firewall policy will drop all packets to these ports. **Note:** - _Changin… (3.5.3.2.3, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 1)
Ensure iptables rules exist for all open ports Description: Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic. Rationale: Without a firewall rule configured for open ports default firewall policy will drop all packets to these ports. **Note:** - _Changin… (3.5.3.2.3, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
Ensure iptables is enabled and running Description: `iptables.service` is a utility for configuring and maintaining `iptables`. Rationale: `iptables.service` will load the iptables rules saved in the file `/etc/sysconfig/iptables` at boot, otherwise the iptables rules will be cleared during a re-boo… (3.5.3.2.6, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
Ensure iptables default deny firewall policy Description: A default deny all policy on connections ensures that any unconfigured network usage will be rejected. Rationale: With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list… (3.5.3.2.4, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
Ensure iptables packages are installed Description: iptables is a utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall, implemented as different Netfilter modules, and the chains and rules it stores. Different kernel modules and programs ar… (3.5.3.1.1, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
Ensure iptables rules are saved Description: The `iptables-services` package includes the `/etc/sysconfig/iptables` file. The `iptables` rules in this file will be loaded by the `iptables.service` during boot, or when it is started or re-loaded. Rationale: If the `iptables` rules are not saved and a… (3.5.3.2.5, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
Ensure iptables-services not installed with nftables Description: The `iptables-services` package contains the `iptables.service` and `ip6tables.service`. These services allow for management of the Host Based Firewall provided by the `iptables` package. Rationale: `iptables.service` and `ip6tables.s… (3.5.2.3, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
Ensure iptables outbound and established connections are configured Description: Configure the firewall rules for new outbound, and established connections. Rationale: If rules are not in place for new outbound, and established connections all packets will be dropped by the default policy preventing… (3.5.3.2.2, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
Ensure iptables loopback traffic is configured Description: Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8). Rationale: Loopback traffic is generated between processes on machine and is typically critical to ope… (3.5.3.2.1, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
Ensure iptables are flushed with nftables Description: nftables is a replacement for iptables, ip6tables, ebtables and arptables Rationale: It is possible to mix iptables and nftables. However, this increases complexity and also the chance to introduce errors. For simplicity flush out all iptables r… (3.5.2.4, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
Ensure iptables-services not installed with firewalld Description: The `iptables-services` package contains the `iptables.service` and `ip6tables.service`. These services allow for management of the Host Based Firewall provided by the `iptables` package. Rationale: `iptables.service` and `ip6tables.… (3.5.1.2, CIS Amazon Linux 2 Benchmark, v.2.0.0, Level 2)
Title: Enable IPtables Description: IPtables is an application that allows a system administrator to configure the IPv4 tables, chains and rules provided by the Linux kernel firewall. Rationale: IPtables provides extra protection for the Linux system by limiting communications in and out of the … (Rule: xccdf_org.cisecurity.benchmarks_rule_5.7_Enable_IPtables, Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_5.7.1_services.iptables, The Center for Internet Security CentOS 6 Level 1 Benchmark, 1.0.0)
Ensure Docker is allowed to make changes to iptables Description: The iptables firewall is used to set up, maintain, and inspect the tables of IP packet filter rules within the Linux kernel. The Docker daemon should be allowed to make changes to the `iptables` ruleset. Rationale: Docker will never m… (2.3, The Center for Internet Security Docker Level 1 Docker Linux Benchmark, v 1.2.0)
Ensure Docker is allowed to make changes to iptables Description: The iptables firewall is used to set up, maintain, and inspect the tables of IP packet filter rules within the Linux kernel. The Docker daemon should be allowed to make changes to the `iptables` ruleset. Rationale: Docker will never m… (2.3, The Center for Internet Security Docker Level 2 Docker Linux Benchmark, 1.2.0)
Title: Enable IPtables Description: IPtables is an application that allows a system administrator to configure the IPv4 tables, chains and rules provided by the Linux kernel firewall. Rationale: IPtables provides extra protection for the Linux system by limiting communications in and out of th… (Rule: xccdf_org.cisecurity.benchmarks_rule_4.7_Enable_IPtables, Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_4.7.1_services.iptables, The Center for Internet Security Red Hat Enterprise Linux 6 Level 1 Benchmark, 1.2.0)
Title: Enable IPtables Description: IPtables is an application that allows a system administrator to configure the IPv4 tables, chains and rules provided by the Linux kernel firewall. Rationale: IPtables provides extra protection for the Linux system by limiting communications in and out of th… (Rule: xccdf_org.cisecurity.benchmarks_rule_4.7_Enable_IPtables, Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_4.7.1_services.iptables, The Center for Internet Security Red Hat Enterprise Linux 6 Level 2 Benchmark, 1.2.0)
Ensure iptables are flushed with nftables Description: nftables is a replacement for iptables, ip6tables, ebtables and arptables Rationale: It is possible to mix iptables and nftables. However, this increases complexity and also the chance to introduce errors. For simplicity flush out all iptables r… (3.4.3.1, CIS Oracle Linux 8 Benchmark, Server Level 1, v1.0.1)
Ensure iptables outbound and established connections are configured Description: Configure the firewall rules for new outbound, and established connections. Rationale: If rules are not in place for new outbound, and established connections all packets will be dropped by the default policy preventing… (3.4.4.1.3, CIS Oracle Linux 8 Benchmark, Server Level 1, v1.0.1)
Ensure iptables service is not enabled with firewalld Description: IPtables is an application that allows a system administrator to configure the IPv4 and IPv6 tables, chains and rules provided by the Linux kernel firewall. IPtables is installed as a dependency with firewalld. Rationale: Running fir… (3.4.2.2, CIS Oracle Linux 8 Benchmark, Server Level 1, v1.0.1)
Ensure iptables default deny firewall policy Description: A default deny all policy on connections ensures that any unconfigured network usage will be rejected. Rationale: With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list… (3.4.4.1.1, CIS Oracle Linux 8 Benchmark, Server Level 1, v1.0.1)
Ensure iptables is enabled and active Description: `iptables.service` is a utility for configuring and maintaining `iptables`. Rationale: `iptables.service` will load the iptables rules saved in the file `/etc/sysconfig/iptables` at boot, otherwise the iptables rules will be cleared during a re-boot… (3.4.4.1.5, CIS Oracle Linux 8 Benchmark, Server Level 1, v1.0.1)
Ensure iptables loopback traffic is configured Description: Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8). Rationale: Loopback traffic is generated between processes on machine and is typically critical to ope… (3.4.4.1.2, CIS Oracle Linux 8 Benchmark, Server Level 1, v1.0.1)
Ensure iptables firewall rules exist for all open ports Description: Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic. Rationale: Without a firewall rule configured for open ports default firewall policy will drop all packets to these ports. Remediation… (3.4.4.1.4, CIS Oracle Linux 8 Benchmark, Server Level 1, v1.0.1)
Ensure iptables are flushed with nftables Description: nftables is a replacement for iptables, ip6tables, ebtables and arptables Rationale: It is possible to mix iptables and nftables. However, this increases complexity and also the chance to introduce errors. For simplicity flush out all iptables r… (3.4.3.1, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)
Ensure iptables outbound and established connections are configured Description: Configure the firewall rules for new outbound, and established connections. Rationale: If rules are not in place for new outbound, and established connections all packets will be dropped by the default policy preventing… (3.4.4.1.3, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)
Ensure iptables service is not enabled with firewalld Description: IPtables is an application that allows a system administrator to configure the IPv4 and IPv6 tables, chains and rules provided by the Linux kernel firewall. IPtables is installed as a dependency with firewalld. Rationale: Running fir… (3.4.2.2, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)
Ensure iptables default deny firewall policy Description: A default deny all policy on connections ensures that any unconfigured network usage will be rejected. Rationale: With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list… (3.4.4.1.1, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)
Ensure iptables is enabled and active Description: `iptables.service` is a utility for configuring and maintaining `iptables`. Rationale: `iptables.service` will load the iptables rules saved in the file `/etc/sysconfig/iptables` at boot, otherwise the iptables rules will be cleared during a re-boot… (3.4.4.1.5, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)
Ensure iptables loopback traffic is configured Description: Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8). Rationale: Loopback traffic is generated between processes on machine and is typically critical to ope… (3.4.4.1.2, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)
Ensure iptables firewall rules exist for all open ports Description: Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic. Rationale: Without a firewall rule configured for open ports default firewall policy will drop all packets to these ports. Remediation… (3.4.4.1.4, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)
The iptables service should be enabled or disabled as appropriate.
Technical Mechanisms:
via chkconfig
Parameters:
enabled / disabled
References:
Section: 2.5.5.1, Value: enabled
CCE-U-203 (CCE-4189-7, Common Configuration Enumeration List, Combined XML: Red Hat Enterprise Linux 5, 5.20130214)