3.5.2.2 Ensure loopback traffic is configured - INPUT

Information

Configure the loopback interface to accept traffic. Configure all other interfaces to deny
traffic to the loopback network (127.0.0.0/8).

Rationale:

Loopback traffic is generated between processes on machine and is typically critical to
operation of the system. The loopback interface is the only place that loopback network
(127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this
network as an anti-spoofing measure.

Solution

Run the following commands to implement the loopback rules:

# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A INPUT -s 127.0.0.0/8 -j DROP

Notes:

Changing firewall settings while connected over network can result in being locked out of
the system.

Remediation will only affect the active system firewall, be sure to configure the default
policy in your firewall management to apply on boot as well.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

See Also

https://workbench.cisecurity.org/files/2420

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv6|9.1, CSCv7|9.4

Plugin: Unix

Control ID: 8ad16597383c4b7b1c4713c6bef05a008fcd855a488b967f10dfac3c48f7128e