3.5.2.6 Ensure nftables loopback traffic is configured

Audit

Run the following commands to verify that the loopback interface is configured:

# nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept'
iif "lo" accept

# nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr'
ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop

IF IPv6 is enabled on the system:

Run the following command to verify that the IPv6 loopback interface is configured:

# nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr'
ip6 saddr ::1 counter packets 0 bytes 0 drop

Remediation

Run the following commands to implement the loopback rules:

# nft add rule inet filter input iif lo accept
# nft add rule inet filter input ip saddr 127.0.0.0/8 counter drop

IF IPv6 is enabled on the system:

Run the following command to implement the IPv6 loopback rule:

# nft add rule inet filter input ip6 saddr ::1 counter drop
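Because `nft add rule` appends to the end of the chain, the `iif lo accept` rule is only effective if it sits above the two drop rules (and above anything else that would drop loopback traffic). The following POSIX shell script is an added example, not part of the benchmark: it applies the audit's `awk '/hook input/,/}/'` range to a constructed `nft list ruleset` listing and checks both that the three rules exist and that the accept rule precedes both drops.

```shell
#!/bin/sh
# Constructed sample of `nft list ruleset` output (not captured from a real host).
SAMPLE_RULESET='table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop
        ip6 saddr ::1 counter packets 0 bytes 0 drop
        ct state established,related accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}'

# Extract the chain that hooks input, exactly as the benchmark's awk range does:
# from the line containing "hook input" up to the first closing brace.
input_chain() {
    printf '%s\n' "$1" | awk '/hook input/,/}/'
}

# Line number (within the extracted chain) of the first rule matching $2, or empty.
rule_line() {
    printf '%s\n' "$1" | grep -n "$2" | cut -d: -f1 | head -n 1
}

# Return 0 if all three loopback rules are present in the input chain and the
# "iif lo accept" rule comes before both source-address drop rules.
check_loopback() {
    chain=$(input_chain "$1")
    accept_line=$(rule_line "$chain" 'iif "lo" accept')
    v4_line=$(rule_line "$chain" 'ip saddr 127.0.0.0/8 .*drop')
    v6_line=$(rule_line "$chain" 'ip6 saddr ::1 .*drop')
    [ -n "$accept_line" ] && [ -n "$v4_line" ] && [ -n "$v6_line" ] || return 1
    [ "$accept_line" -lt "$v4_line" ] && [ "$accept_line" -lt "$v6_line" ]
}

if check_loopback "$SAMPLE_RULESET"; then
    echo "PASS: loopback rules present and correctly ordered"
else
    echo "FAIL: loopback rules missing or drop rules precede the accept rule"
fi
```

On a live system, replace `"$SAMPLE_RULESET"` with `"$(nft list ruleset)"`; if the accept rule ended up below the drops, `nft insert rule inet filter input iif lo accept` places it at the top of the chain instead of appending.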