3.5.3.2.3 Ensure iptables rules exist for all open ports - PPSM CLSA and vulnerability assessments.

Information

Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.

Rationale:

Without a firewall rule configured for open ports default firewall policy will drop all packets to these ports.

Note:

Changing firewall settings while connected over network can result in being locked out of the system.

The remediation command opens up the port to traffic from all sources. Consult iptables documentation and set any restrictions in compliance with site policy.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

For each port identified in the audit which does not have a firewall rule establish a proper rule for accepting inbound connections:

# iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT

References: 800-53|AC-17(1), 800-53|CM-7b., CCI|CCI-000382, CCI|CCI-002314, CSCv7|9.2, CSCv7|9.4, Rule-ID|SV-204577r603261_rule, STIG-ID|RHEL-07-040100

Plugin: Unix

Control ID: 65cc43be524a8f07bc450494450b222d688204fc91257f58f13722800ba600a5