Information
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network
Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.
Solution
Run the following script to implement the loopback rules:
#!/usr/bin/env bash
{
l_hbfw=""
if systemctl is-enabled firewalld.service | grep -q 'enabled' && systemctl is-enabled nftables.service | grep -q 'enabled'; then
echo -e "
- Error - Both FirewallD and NFTables are enabled
- Please follow recommendation: \"Ensure a single firewall configuration utility is in use\""
elif ! systemctl is-enabled firewalld.service | grep -q 'enabled' && ! systemctl is-enabled nftables.service | grep -q 'enabled'; then
echo -e "
- Error - Neither FirewallD or NFTables is enabled
- Please follow recommendation: \"Ensure a single firewall configuration utility is in use\""
else
if systemctl is-enabled firewalld.service | grep -q 'enabled' && ! systemctl is-enabled nftables.service | grep -q 'enabled'; then
echo -e "
- FirewallD is in use on the system" && l_hbfw="fwd"
elif ! systemctl is-enabled firewalld.service | grep -q 'enabled' && systemctl is-enabled nftables.service | grep -q 'enabled'; then
echo -e "
- NFTables is in use on the system" && l_hbfw="nft"
fi
l_ipsaddr="$(nft list ruleset | awk '/filter_IN_public_deny|hooks+inputs+/,/}s*(#.*)?$/' | grep -P -- 'iph+saddr')"
if ! nft list ruleset | awk '/hooks+inputs+/,/}s*(#.*)?$/' | grep -Pq -- 'H+h+"lo"h+accept'; then
echo -e "
- Enabling input to accept for loopback address"
if [ "$l_hbfw" = "fwd" ]; then
firewall-cmd --permanent --zone=trusted --add-interface=lo
firewall-cmd --reload
elif [ "$l_hbfw" = "nft" ]; then
nft add rule inet filter input iif lo accept
fi
fi
if ! grep -Pq -- 'iph+saddrh+127.0.0.0/8h+(counterh+packetsh+d+h+bytesh+d+h+)?drop' <<< "$l_ipsaddr" && ! grep -Pq -- 'iph+daddrh+!=h+127.0.0.1h+iph+saddrh+127.0.0.1h+drop' <<< "$l_ipsaddr"; then
echo -e "
- Setting IPv4 network traffic from loopback address to drop"
if [ "$l_hbfw" = "fwd" ]; then
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
firewall-cmd --reload
elif [ "$l_hbfw" = "nft" ]; then
nft create rule inet filter input ip saddr 127.0.0.0/8 counter drop
fi
fi
if grep -Pq -- '^h*0h*$' /sys/module/ipv6/parameters/disable; then
l_ip6saddr="$(nft list ruleset | awk '/filter_IN_public_deny|hook input/,/}/' | grep 'ip6 saddr')"
if ! grep -Pq 'ip6h+saddrh+::1h+(counterh+packetsh+d+h+bytesh+d+h+)?drop' <<< "$l_ip6saddr" && ! grep -Pq -- 'ip6h+daddrh+!=h+::1h+ip6h+saddrh+::1h+drop' <<< "$l_ip6saddr"; then
echo -e "
- Setting IPv6 network traffic from loopback address to drop"
if [ "$l_hbfw" = "fwd" ]; then
firewall-cmd --permanent --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop'
firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop'
firewall-cmd --reload
elif [ "$l_hbfw" = "nft" ]; then
nft add rule inet filter input ip6 saddr ::1 counter drop
fi
fi
fi
fi
}