Detections
Analytics

3.3.1.1 Ensure net.ipv4.ip_forward is configured

Information

The net.ipv4.ip_forward flag tells the system whether it can forward IPv4 packets or not.

Note:

 - If this system is a router this recommendation is not applicable.
 - If net.ipv4.conf.all.forwarding=0 and net.ipv4.conf.default.forwarding=0 are configured, this recommendation may be skipped.

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.

Setting net.ipv4.ip_forward to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will not be able to forward IPv4 packets.

Solution

- Review all files being used by systemd sysctl and comment out or remove all net.ipv4.ip_forward lines that are not net.ipv4.ip_forward=0

Example script:

#!/usr/bin/env bash

{
 l_option="net.ipv4.ip_forward" l_value="0"
 l_grep="${l_option//./(\\.|\\/)}" a_files=()
 l_systemdsysctl="$(readlink -e /lib/systemd/systemd-sysctl \
 || readlink -e /usr/lib/systemd/systemd-sysctl)"
 l_ufw_file="$([ -f /etc/default/ufw ] && \
 awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
 [ -f "$(readlink -e "$l_ufw_file")" ] && \
 a_files+=("$l_ufw_file"); a_files+=("/etc/sysctl.conf")
 while IFS= read -r l_fname; do
 l_file="$(readlink -e "${l_fname//# /}")"
 [ -n "$l_file" ] && ! grep -Psiq -- '(^|\h+)'"$l_file"'\b' \
 <<< "${a_files[*]}" && a_files+=("$l_file")
 done < <("$l_systemdsysctl" --cat-config | tac | \
 grep -Pio -- '^\h*#\h*\/[^#\n\r\h]+\.conf\b')
 for l_file in "${a_files[@]}"; do
 grep -Poi -- '\h*'"$l_grep"'\h*=\h*\H+\b' "$l_file" \
 | grep -Pivq -- '^\h*'"$l_grep"'\h*=\h*'"$l_value"'\b' && \
 sed -ri '/^\s*'"$l_grep"'\s*=\s*(1[0-9]*)/s/^/# /' "$l_file"
 done
} <xhtml:ol start="2"> - Create or edit a file in the /etc/sysctl.d/ directory ending inconf and edit or add the following line:

net.ipv4.ip_forward = 0

Example:

# [ ! -d "/etc/sysctl.d/" ] && mkdir -p /etc/sysctl.d/
# printf '%s\n' "" "net.ipv4.ip_forward = 0" >> /etc/sysctl.d/60-ipv4_sysctl.conf

Note: If the UFW file was the first file listed in the audit, the entry will be commented out as part of the first step, however updating Uncomplicated Firewall (UFW) may update this change. In this case the updated entry will supersede the entry being created as part of this step.

<xhtml:ol start="3"> - Run the following command to load all sysctl configuration filles:

# sysctl --system

Impact:

IP forwarding is required on systems configured to act as a router. If these parameters are disabled, the system will not be able to perform as a router.

Many Cloud Service Provider (CSP) hosted systems require IP forwarding to be enabled. If the system is running on a CSP platform, this requirement should be reviewed before disabling IP forwarding.

See Also

https://workbench.cisecurity.org/benchmarks/23600

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: c27c83c9b843a21252d99555e538ead805da46c8f5252cca01be54e1b389d9ed