3.4.4.2.4 Ensure iptables default deny firewall policy

Information

A default deny all policy on connections ensures that any unconfigured network usage will be rejected.

With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage.

Note: Changing firewall settings while connected over network can result in being locked out of the system.

Solution

Run the following commands to implement a default DROP policy:

# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP

See Also

https://workbench.cisecurity.org/benchmarks/15963

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.4

Plugin: Unix

Control ID: 325a2d01a5d11b5944ff8d05e248bd245232a322ded2480e94b0b34d8fbf5da3