- Linux OS for Servers - 5 IPTables
- Req 48: If iptables is used, policies for loopback traffic must be configured.
- Req 49: If iptables is used, policies for outbound and established connections must be configured.
- Req 50: If iptables is used, policies must exist for all ports in listening state.
- Req 51: If iptables is used, the default policy must be configured to drop all traffic.
- Content
To restrict the reachability of listening TCP and UDP services on a system (as required by Req. 2) it is recommended to use IPTables. TCP Wrapper, as another solution for traffic control, has some major drawbacks and cannot be recommended.
The following requirements are a minimal setup for IPTables. If needed, additional rules must be configured.
Loopback traffic is used between server processes. A policy for traffic to the loopback network (127.0.0.0/8) must be configured for all other network interfaces, i.e. packets with a loopback source or destination address arriving on a non-loopback interface must not be accepted.
Motivation: To prevent spoofing attacks, the loopback network must be protected from such malicious traffic.
Implementation (Ubuntu LTS (14.04/16.04/18.04), RHEL 7.x, SLES 15)
<tbd>implementation
Compliance Check (Ubuntu LTS (14.04/16.04/18.04), RHEL 7.x, SLES 15)
<tbd>Compliance Check
For outbound and established connections iptables policies must be configured.
Motivation: Without rules for outbound and established connections all packets will be dropped by the default iptables policy which will prevent network usage.
Implementation (Ubuntu LTS (14.04/16.04/18.04), RHEL 7.x, SLES 15)
<tbd>implementation
Compliance Check (Ubuntu LTS (14.04/16.04/18.04), RHEL 7.x, SLES 15)
<tbd>Compliance Check
It is necessary to configure iptables rules for all available services (ports) on a server. If full reachability is not needed (for example for management services like SSH), a restriction to source IP addresses or IP networks must be implemented.
Motivation: A restriction of reachability of a network service minimizes the possible attack vector.
Implementation (Ubuntu LTS (14.04/16.04/18.04), RHEL 7.x, SLES 15)
<tbd>implementation
Compliance Check (Ubuntu LTS (14.04/16.04/18.04), RHEL 7.x, SLES 15)
<tbd>Compliance Check
To reject connections to unconfigured network services, the default policy of iptables must be configured to DROP all packets not caught by other rules.
Motivation: Uncontrolled access to network services is possible without an iptables default DROP policy.
Implementation (Ubuntu LTS (14.04/16.04/18.04), RHEL 7.x, SLES 15)
<tbd>implementation
Compliance Check (Ubuntu LTS (14.04/16.04/18.04), RHEL 7.x, SLES 15)
<tbd>Compliance Check
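A worked example for Req. 48 to 51, added here and not the guide's own implementation: it renders the minimal rule set described above in the order it has to be applied, and provides two compliance checks that run over captured `iptables -S` and `ss -lntu` output, so they can be used on a saved dump as well as on the live host. The management network 10.0.0.0/24 and the two listening services (SSH on 22/tcp restricted to management, HTTPS on 443/tcp open) are constructed assumptions; replace them with the real values of the server.

```shell
#!/bin/sh
# Added example, not the hardening guide's own implementation.
# Assumptions (constructed placeholders): management network 10.0.0.0/24,
# listening services are SSH (22/tcp, management only) and HTTPS (443/tcp).
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"

# render_rules: print the iptables commands for Req 48-51 in the order they
# must be applied. The DROP policies come last: setting them before the
# ESTABLISHED rule exists would cut the administrator's own session.
render_rules() {
  cat <<EOF
iptables -F
iptables -X
# Req 48: loopback traffic only on lo; 127/8 arriving elsewhere is spoofed
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
# Req 49: outbound and established/related connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
# Req 50: one rule per listening port; management services limited by source
iptables -A INPUT -s $MGMT_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Req 51: default DROP for everything not matched above
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
EOF
}

# check_rules FILE: FILE holds "iptables -S" output. Prints each missing
# policy/rule of Req 48, 49 and 51; returns 0 only when all are present.
# Patterns are EREs because iptables -S normalises the ctstate order.
check_rules() {
  rulefile=$1; rc=0
  for want in \
    '^-P INPUT DROP$' \
    '^-P FORWARD DROP$' \
    '^-P OUTPUT DROP$' \
    '^-A INPUT -i lo -j ACCEPT$' \
    '^-A OUTPUT -o lo -j ACCEPT$' \
    '^-A INPUT -s 127\.0\.0\.0/8 ! -i lo -j DROP$' \
    '^-A INPUT -m conntrack --ctstate [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT$' \
    '^-A OUTPUT -m conntrack --ctstate [A-Z,]*NEW[A-Z,]* -j ACCEPT$'
  do
    if ! grep -qE -- "$want" "$rulefile"; then
      echo "missing: $want"; rc=1
    fi
  done
  return $rc
}

# uncovered_ports SSFILE RULEFILE: SSFILE holds "ss -lntu" output without its
# header line (Netid State Recv-Q Send-Q Local:Port Peer:Port). Prints
# "proto port" for every listening socket that has no INPUT ACCEPT rule for
# its destination port (Req 50); loopback-only sockets are covered by Req 48
# and skipped. Returns 0 only when every port is covered.
uncovered_ports() {
  ssfile=$1; rulefile=$2; rc=0
  while read -r proto _state _rq _sq laddr _peer; do
    port=${laddr##*:}
    [ -n "$port" ] || continue
    case "$laddr" in 127.*|"[::1]:"*) continue ;; esac
    if ! grep -qE -- "^-A INPUT .*-p $proto .*--dport $port( |$).*-j ACCEPT" "$rulefile"; then
      echo "$proto $port"; rc=1
    fi
  done < "$ssfile"
  return $rc
}

# Stand-alone use: "render" prints the commands for review (pipe to sh as root
# once reviewed); "check" runs both checks against the live host (needs root).
case "${1:-}" in
  render) render_rules ;;
  check)
    t=$(mktemp -d); trap 'rm -rf "$t"' EXIT
    iptables -S > "$t/rules.txt"
    ss -lntu | tail -n +2 > "$t/ss.txt"
    check_rules "$t/rules.txt"
    uncovered_ports "$t/ss.txt" "$t/rules.txt" ;;
esac
```

Both checks report by exit status, so they fit a compliance scan that just records pass/fail; the printed lines tell the administrator which rule or port to fix. Using the `conntrack` match rather than the older `state` match keeps the rules identical across the three distributions named above.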