Detections
Analytics

3.5.3.2.3 Ensure iptables rules exist for all open ports

Information

Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.

Without a firewall rule configured for open ports default firewall policy will drop all packets to these ports.

Note:

 - Changing firewall settings while connected over network can result in being locked out of the system.
 - The remediation command opens up the port to traffic from all sources. Consult iptables documentation and set any restrictions in compliance with site policy.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

For each port identified in the audit which does not have a firewall rule establish a proper rule for accepting inbound connections:

# iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT

See Also

https://workbench.cisecurity.org/benchmarks/8415

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT

References: 800-53|AC-17(1), 800-53|CM-7, 800-53|CM-7b., CAT|II, CCI|CCI-000382, CCI|CCI-002314, CSCv7|9.2, CSCv7|9.4, Rule-ID|SV-204577r603261_rule, STIG-ID|RHEL-07-040100, Vuln-ID|V-204577

Plugin: Unix

Control ID: d0adfa6aa7227266117f401f8119d594f94e8986d3b2b34589f59df836b6d062