/etc/sysctl.conf. Once the file is edited, run sysctl -p to enable those settings.
| Complete | Requirement | Action | Service/Config |
|---|---|---|---|
| Should | Set | net.ipv4.ip_forward = 0[1] | |
| Should | Set | net.ipv4.conf.all.send_redirects = 0[2] | |
| Should | Set | net.ipv4.conf.default.send_redirects = 0[3] | |
| Must | Set | net.ipv4.conf.all.accept_redirects = 0[4] | |
| Must | Set | net.ipv4.icmp_echo_ignore_broadcasts = 1[5] | |
| Must | Set | net.ipv4.icmp_ignore_bogus_error_responses = 1[6] | |
| Must | Set | net.ipv4.tcp_syncookies = 1[7] | |
| Must | Set | net.ipv4.conf.all.log_martians = 1[8] | |
| Must | Set | net.ipv4.conf.default.log_martians = 1[9] | |
| Must | Set | net.ipv4.conf.all.accept_source_route = 0[10] | |
| Must | Set | net.ipv4.conf.default.accept_source_route = 0[11] | |
| Must | Set | net.ipv4.conf.all.rp_filter = 1[12] | |
| Must | Set | net.ipv4.conf.default.rp_filter = 1[13] | |
| Must | Set | net.ipv4.conf.all.accept_redirects = 0[14] | |
| Must | Set | net.ipv4.conf.default.accept_redirects = 0[15] | |
| Must | Set | net.ipv4.conf.all.secure_redirects = 0[16] | |
| Must | Set | net.ipv4.conf.default.secure_redirects = 0[17] | |
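The following script is an added example and not part of the original checklist: it audits a file of "key = value" lines (either /etc/sysctl.conf itself or the saved output of sysctl -a) against the values in the table above and reports every missing or mismatched setting. The function names, the EXPECTED list and the SAMPLE_CONF contents are this example's own; the sample describes a constructed, partially hardened host, not a real system.

```shell
#!/bin/sh
# Added example (not part of the original checklist): audit a host against the
# sysctl values in the table above. Feed it /etc/sysctl.conf or the output of
# `sysctl -a`; both use "key = value" lines. When a key appears more than once
# the last line wins, which is how sysctl itself applies the file.

# Expected values from the checklist (the duplicated accept_redirects row once).
EXPECTED='
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
'

# Constructed sample of a partially hardened host (not a real system):
# rp_filter was left at 0, syncookies exists only as a comment, and
# ip_forward is set twice (the later 0 wins).
SAMPLE_CONF='# constructed sample sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 0    # forgotten
net.ipv4.conf.default.rp_filter = 1
'

# sysctl_value FILE KEY: print the effective value of KEY in FILE (last
# definition wins; comments and whitespace ignored). Prints nothing if absent.
sysctl_value() {
    awk -F'=' -v k="$2" '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = $2; sub(/#.*/, "", v); gsub(/[ \t]/, "", v); print v }
    ' "$1" | tail -n 1
}

# audit_sysctl FILE: print one line per missing or mismatched key;
# returns 0 when every expected key has the expected value, 1 otherwise.
audit_sysctl() {
    bad=0
    for kv in $EXPECTED; do
        key=${kv%%=*}
        want=${kv#*=}
        got=$(sysctl_value "$1" "$key")
        if [ -z "$got" ]; then
            echo "MISSING  $key (want $want)"
            bad=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key = $got (want $want)"
            bad=1
        fi
    done
    return $bad
}

# Demo on the constructed sample. On a real host use:
#   sysctl -a 2>/dev/null > /tmp/sysctl.now && audit_sysctl /tmp/sysctl.now
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$tmp"
audit_sysctl "$tmp" || echo "host does not meet the sysctl checklist"
rm -f "$tmp"
```

Running the audit against sysctl -a output rather than the config file catches the case the page warns about: a correct /etc/sysctl.conf that was never applied with sysctl -p.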
/etc/sysconfig/iptables. To enable these rules, restart iptables with service iptables restart.
| Complete | Requirement | Action | Config |
|---|---|---|---|
| Must | Set | *filter :INPUT DROP [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0][18] | |
| Should | Set | -A INPUT -p icmp -j ACCEPT[19] | |
| Should | Set | -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT[20] | |
| Should | Use | -A INPUT -p tcp -m tcp --dport $PORT -j ACCEPT[21] | |
| Should | Use | -A INPUT -p udp -m udp --dport $PORT -j ACCEPT[22] | |
| Should | Use | -A INPUT -p tcp -m tcp -s $IPADDRESS/$NETMASK --dport $PORT -j ACCEPT[23] | |
| Should | Use | -A INPUT -p udp -m udp -s $IPADDRESS/$NETMASK --dport $PORT -j ACCEPT[24] | |
| Must | Set | -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT[25] | |
| Must | Set | -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j REJECT[26] | |
| Must | Set | -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j REJECT[27] | |
| Must | Set | -A INPUT -p tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT[28] | |
| Must | Set | -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT[29] | |
| Must | Set | -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j REJECT[30] | |
| Must | Set | -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j REJECT[31] | |
| Must | Set | -A INPUT -p tcp --tcp-flags PSH,ACK PSH -j REJECT[32] | |
| Must | Set | -A INPUT -p tcp --tcp-flags ACK,URG URG -j REJECT[33] | |
| Should not | Use | -j DROP[34] | |
| Should | Set | -A INPUT -j LOG --log-prefix "FW-REJECT "[35] | |
| Must | Set | -A INPUT -j REJECT --reject-with icmp-host-prohibited[36] | |
[1] Unless this host serves as a network device. Do not pass traffic between networks
[2] Unless this host serves as a network device. Do not act like a network device.
[3] Unless this host serves as a network device. Do not act like a network device.
[4] Don't allow outsiders to alter routing tables.
[5] Prevents the host from answering broadcast pings and so being used in a smurf attack.
[6] Protection from bad icmp error messages
[7] Enables SYN cookies for protection against SYN flood attacks.
[8] Log spoofed, source routed and redirect packets
[9] Log spoofed, source routed and redirect packets
[10] Don't allow source routed packets
[11] Don't allow source routed packets
[12] Enable reverse path filtering
[13] Enable reverse path filtering
[14] Don't allow outsiders to alter routing tables.
[15] Don't allow outsiders to alter routing tables.
[16] Don't allow outsiders to alter routing tables.
[17] Don't allow outsiders to alter routing tables.
[18] These are the first 4 lines of the file.
[19] Disable for more security but more difficult network troubleshooting.
[20] Disabling will break many network protocols, like tcp. Disable only if you know what you are doing.
[21] To open specific tcp ports to the world. The example above should replace $PORT with a tcp port number, like 80 for http.
[22] To open udp ports to the world. The example above should replace $PORT with a udp port number, like 161 for snmp.
[23] To open tcp ports to specific hosts or networks. Using just an IP address without a netmask is proper. If a network address is defined, a netmask is required. The example above should replace $PORT with a tcp port number, like 80 for http.
[24] To open udp ports to specific hosts or networks. Using just an IP address without a netmask is proper. If a network address is defined, a netmask is required. The example above should replace $PORT with a udp port number, like 161 for snmp.
[25] This combination of TCP flags is not defined; accepting such packets may have unexpected results.
[26] This combination of TCP flags is not defined; accepting such packets may have unexpected results.
[27] This combination of TCP flags is not defined; accepting such packets may have unexpected results.
[28] This combination of TCP flags is not defined; accepting such packets may have unexpected results.
[29] This combination of TCP flags is not defined; accepting such packets may have unexpected results.
[30] This combination of TCP flags is not defined; accepting such packets may have unexpected results.
[31] This combination of TCP flags is not defined; accepting such packets may have unexpected results.
[32] This combination of TCP flags is not defined; accepting such packets may have unexpected results.
[33] This combination of TCP flags is not defined; accepting such packets may have unexpected results.
[34] Silently dropping packets instead of rejecting them goes against some known standards and makes troubleshooting more difficult. The security added is debatable.
[35] This should be the second-to-last rule, directly before the final REJECT.
[36] This must be the last rule in the INPUT chain.
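The script below is an added example and not part of the original checklist. It builds the /etc/sysconfig/iptables file described in the table and footnotes above from a short service list, so that the ordering requirements (the 4 header lines first, LOG directly before the final REJECT, no -j DROP) are produced by a script rather than maintained by hand, and it includes a checker for an existing ruleset. The SERVICES and BAD_FLAGS formats, gen_rules and check_ruleset are this example's own; the addresses in SERVICES are constructed documentation-range values, not a real network.

```shell
#!/bin/sh
# Added example, not part of the original checklist: build the
# /etc/sysconfig/iptables ruleset from a service list, so the order the
# footnotes require (4 header lines first, LOG directly before the final
# REJECT) comes out of a script instead of manual editing.

# Constructed service list: "proto port source" per line. source is a host,
# a network in address/mask form, or "any" to open the port to the world.
SERVICES='
tcp 22  192.0.2.10
tcp 80  any
tcp 443 any
udp 161 192.0.2.0/24
'

# Undefined TCP flag combinations from the table: "mask flags-that-must-be-set".
BAD_FLAGS='
FIN,SYN,RST,PSH,ACK,URG NONE
FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG
FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG
FIN,SYN FIN,SYN
SYN,RST SYN,RST
FIN,RST FIN,RST
FIN,ACK FIN
PSH,ACK PSH
ACK,URG URG
'

# gen_rules: print a complete iptables-restore file to stdout;
# returns 1 on a malformed SERVICES entry.
gen_rules() {
    # First 4 lines: the filter table and its chain policies.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Reject the undefined flag combinations before any ACCEPT rule, so an
    # opened port does not let such a packet through first.
    while read -r mask flags; do
        [ -n "$mask" ] || continue
        echo "-A INPUT -p tcp --tcp-flags $mask $flags -j REJECT"
    done <<EOF
$BAD_FLAGS
EOF
    # Keep ICMP and replies belonging to existing connections working.
    echo '-A INPUT -p icmp -j ACCEPT'
    echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # One ACCEPT per service; -s limits it to the given host or network.
    while read -r proto port src; do
        [ -n "$proto" ] || continue
        case "$proto" in tcp|udp) ;; *) echo "gen_rules: bad protocol '$proto'" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "gen_rules: bad port '$port'" >&2; return 1 ;; esac
        if [ -z "$src" ] || [ "$src" = any ]; then
            echo "-A INPUT -p $proto -m $proto --dport $port -j ACCEPT"
        else
            echo "-A INPUT -p $proto -m $proto -s $src --dport $port -j ACCEPT"
        fi
    done <<EOF
$SERVICES
EOF
    # LOG second-to-last, REJECT last; COMMIT is required by iptables-restore.
    echo '-A INPUT -j LOG --log-prefix "FW-REJECT "'
    echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    echo 'COMMIT'
}

# check_ruleset FILE: verify an existing ruleset against the structural points
# in the footnotes: header lines first, no -j DROP, LOG directly before the
# final REJECT. Prints the first problem found; returns 0 when all is well.
check_ruleset() {
    [ "$(sed -n 1p "$1")" = '*filter' ] || { echo "line 1 must be *filter"; return 1; }
    [ "$(sed -n 2p "$1")" = ':INPUT DROP [0:0]' ] || { echo "INPUT policy must be DROP"; return 1; }
    if grep -q -- '-j DROP' "$1"; then echo "uses -j DROP; use REJECT instead"; return 1; fi
    last=$(grep '^-A INPUT' "$1" | tail -n 1)
    prev=$(grep '^-A INPUT' "$1" | tail -n 2 | head -n 1)
    case "$last" in
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited') ;;
        *) echo "last INPUT rule must be the catch-all REJECT"; return 1 ;;
    esac
    case "$prev" in
        *' -j LOG '*) ;;
        *) echo "a LOG rule must directly precede the final REJECT"; return 1 ;;
    esac
    echo "ruleset OK"
}

# Demo: generate, check, and show the result. To deploy, review the output,
# copy it to /etc/sysconfig/iptables and run: service iptables restart
tmp=$(mktemp)
gen_rules > "$tmp" && check_ruleset "$tmp" && cat "$tmp"
rm -f "$tmp"
```

check_ruleset is also useful on its own against a hand-edited /etc/sysconfig/iptables, since the most common mistakes with this layout are a rule appended after the final REJECT (which never matches) and a LOG line that drifted away from it.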