3.5.2.5 Ensure nftables base chains exist

Audit

Run the following command and verify that a base chain exists for the input hook:

# nft list ruleset | grep 'hook input'
type filter hook input priority 0;

Run the following command and verify that a base chain exists for the forward hook:

# nft list ruleset | grep 'hook forward'
type filter hook forward priority 0;

Run the following command and verify that a base chain exists for the output hook:

# nft list ruleset | grep 'hook output'
type filter hook output priority 0;

Each grep only needs to return a line containing the hook; the rest of the line varies. Newer nftables releases print symbolic priorities, so a chain created with priority 0 is listed as priority filter, and nft appends the chain's policy (policy accept; unless one was set) to the same line. These checks confirm only that a chain is attached to each hook, not which table it belongs to or what its policy is.

Remediation

Run the following command once per hook to create the base chains. The table named must already exist, and the backslash before the semicolon keeps the shell from treating it as a command separator:

# nft create chain inet <table name> <base chain name> { type filter hook <(input|forward|output)> priority 0 \; }

Example:

# nft create chain inet filter input { type filter hook input priority 0 \; }
# nft create chain inet filter forward { type filter hook forward priority 0 \; }
# nft create chain inet filter output { type filter hook output priority 0 \; }

nft create chain returns an error if a chain of that name already exists in the table; nft add chain with the same arguments succeeds either way, which makes it the safer choice in scripts that may run more than once. A base chain created without a policy clause defaults to policy accept, so creating the chains satisfies this check but does not, by itself, filter any traffic.
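The following POSIX shell script is an added example, not part of the benchmark text. It performs the three audit checks above in one pass over the output of nft list ruleset, reports which hooks lack a base chain, and prints the remediation command for each missing one. The table family inet and the table name filter are carried over from the remediation example as assumptions; the sample ruleset listing is constructed so the script can be exercised on a machine without nft.

```shell
#!/bin/sh
# Added example (not benchmark code): audit nftables base chains for the
# input, forward and output hooks and emit a remediation command per gap.
# Assumes the chains live in table "inet filter" (the page's example table).

# Constructed sample in the format 'nft list ruleset' prints. The input and
# output hooks have base chains; the forward hook does not.
SAMPLE_RULESET='table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}'

# missing_hooks RULESET_TEXT
#   Prints, one per line, each of input/forward/output that has no base chain.
#   Matches the full "type filter hook <name> priority" clause rather than a
#   bare 'hook <name>' so a chain merely named "input" cannot satisfy it.
missing_hooks() {
    ruleset="$1"
    for hook in input forward output; do
        if ! printf '%s\n' "$ruleset" | grep -Eq \
            "type[[:space:]]+filter[[:space:]]+hook[[:space:]]+$hook[[:space:]]+priority"; then
            echo "$hook"
        fi
    done
}

# remediation_commands RULESET_TEXT [TABLE_NAME]
#   Prints the nft command that would create each missing base chain.
#   'add chain' is used instead of 'create chain' so re-running is harmless;
#   'create' fails if the chain already exists.
remediation_commands() {
    table="${2:-filter}"
    missing_hooks "$1" | while read -r hook; do
        echo "nft add chain inet $table $hook { type filter hook $hook priority 0 \\; }"
    done
}

# check_base_chains RULESET_TEXT
#   Returns 0 when all three hooks have base chains, 1 otherwise.
check_base_chains() {
    [ -z "$(missing_hooks "$1")" ]
}

# On a host with nft and sufficient privilege, audit the live ruleset;
# otherwise demonstrate on the constructed sample.
if command -v nft >/dev/null 2>&1 && live="$(nft list ruleset 2>/dev/null)"; then
    source="live ruleset"
else
    live="$SAMPLE_RULESET"
    source="constructed sample"
fi

if check_base_chains "$live"; then
    echo "PASS ($source): base chains exist for input, forward and output"
else
    echo "FAIL ($source): no base chain for: $(missing_hooks "$live" | tr '\n' ' ')"
    echo "Remediation:"
    remediation_commands "$live"
fi
```

Run it as root on the target host to audit the real ruleset; the printed nft add chain lines can be pasted back in, or piped to sh once reviewed, and remain safe to apply twice because add chain does not fail on an existing chain.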