Skip to content

3.5.2.10 Ensure nftables rules are permanent

Audit#

Run the following commands to verify that input, forward, and output base chains are configured to be applied to a nftables ruleset on boot:

Run the following command to verify the input base chain: 

# [ -n "$(grep -E '^\s*include' /etc/nftables.conf)" ] && awk '/hook input/,/}/' $(awk '$1 ~ /^\s*include/ { gsub("\"","",$2);print $2 }' /etc/nftables.conf)

Output should be similar to: 

 type filter hook input priority 0; policy drop;

 # Ensure loopback traffic is configured
 iif "lo" accept
 ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop
 ip6 saddr ::1 counter packets 0 bytes 0 drop

 # Ensure established connections are configured
 ip protocol tcp ct state established accept
 ip protocol udp ct state established accept
 ip protocol icmp ct state established accept

 # Accept port 22(SSH) traffic from anywhere
 tcp dport ssh accept

 # Accept ICMP and IGMP from anywhere
 icmpv6 type { destination-unreachable, packet-too-big, timeexceeded, parameter-problem, mld-listener-query, mld-listener-report, mldlistener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, ndneighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listenerreport } accept

Review the input base chain to ensure that it follows local site policy

Run the following command to verify the forward base chain: 

# [ -n "$(grep -E '^\s*include' /etc/nftables.conf)" ] && awk '/hook forward/,/}/' $(awk '$1 ~ /^\s*include/ { gsub("\"","",$2);print $2 }' /etc/nftables.conf)

Output should be similar to: 

 # Base chain for hook forward named forward (Filters forwarded network packets)
 chain forward {
 type filter hook forward priority 0; policy drop;
 }

Review the forward base chain to ensure that it follows local site policy.

Run the following command to verify the forward base chain: 

# [ -n "$(grep -E '^\s*include' /etc/nftables.conf)" ] && awk '/hook output/,/}/' $(awk '$1 ~ /^\s*include/ { gsub("\"","",$2);print $2 }' /etc/nftables.conf)

Output should be similar to: 

 # Base chain for hook output named output (Filters outbound network packets)
 chain output {
 type filter hook output priority 0; policy drop;

 # Ensure outbound and established connections are configured
 ip protocol tcp ct state established,related,new accept
 ip protocol tcp ct state established,related,new accept
 ip protocol udp ct state established,related,new accept
 ip protocol icmp ct state established,related,new accept
 }

Review the output base chain to ensure that it follows local site policy.

Remediation#

Edit the /etc/nftables.conf file and un-comment or add a line with include <Absolute path to nftables rules file> for each nftables file you want included in the nftables ruleset on boot

Example: 

# vi /etc/nftables.conf

Add the line: 

include "/etc/nftables.rules"