3.5.2.7 Ensure nftables outbound and established connections are configured

Audit

Run the following command and verify that all rules for established incoming connections match site policy:

# nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'

Output should be similar to:

ip protocol tcp ct state established accept
ip protocol udp ct state established accept
ip protocol icmp ct state established accept

Run the following command and verify that all rules for new and established outbound connections match site policy:

# nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'

Output should be similar to:

ip protocol tcp ct state established,related,new accept
ip protocol udp ct state established,related,new accept
ip protocol icmp ct state established,related,new accept

Remediation

Configure nftables in accordance with site policy. The following commands will implement a policy to allow all outbound connections and all established connections:

# nft add rule inet filter input ip protocol tcp ct state established accept
# nft add rule inet filter input ip protocol udp ct state established accept
# nft add rule inet filter input ip protocol icmp ct state established accept
# nft add rule inet filter output ip protocol tcp ct state new,related,established accept
# nft add rule inet filter output ip protocol udp ct state new,related,established accept
# nft add rule inet filter output ip protocol icmp ct state new,related,established accept
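The following script is an added example, not part of the benchmark text. It turns the audit step above into a repeatable check and ties it to the remediation step: it applies the benchmark's own awk/grep extraction to a ruleset, verifies that tcp, udp and icmp each carry the expected ct state accept rule in the input and output chains, and prints only the `nft add rule` commands for rules that are missing. The ruleset embedded below is constructed sample data so the script runs offline; on a real host substitute the output of `nft list ruleset`. It assumes the rules take the exact form the benchmark shows (`ip protocol <proto> ct state <states> accept`) and that the table is `inet filter`, as in the remediation commands.

```shell
#!/bin/sh
# Added example (not from the benchmark): offline audit of the nftables
# established/outbound rules, plus generation of the missing remediation
# commands. SAMPLE_RULESET is constructed; replace with `nft list ruleset`.

SAMPLE_RULESET='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ip protocol tcp ct state established accept
        ip protocol udp ct state established accept
        ip protocol icmp ct state established accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ip protocol tcp ct state established,related,new accept
        ip protocol udp ct state established,related,new accept
        ip protocol icmp ct state established,related,new accept
    }
}'

# extract_rules RULESET HOOK: the benchmark's audit pipeline applied to text
# instead of to a live `nft list ruleset`.
extract_rules() {
    printf '%s\n' "$1" | awk "/hook $2/,/}/" | grep -E 'ip protocol (tcp|udp|icmp) ct state'
}

# normalize_states LIST: sort a comma-separated ct state list so that
# "new,related,established" (the order used in the remediation commands) and
# "established,related,new" (the order nft prints) compare equal.
normalize_states() {
    printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d' | sort | paste -sd, -
}

# has_rule RULESET HOOK PROTO STATES: 0 if the chain attached to HOOK has an
# accept rule for PROTO whose ct state list equals STATES (order-insensitive).
has_rule() {
    # Field 3 is the protocol, field 6 the ct state list, field 7 the verdict.
    got=$(extract_rules "$1" "$2" | awk -v p="$3" '$3 == p && $7 == "accept" { print $6; exit }')
    [ "$(normalize_states "$got")" = "$(normalize_states "$4")" ]
}

# check_hook RULESET HOOK STATES: verify tcp, udp and icmp in one chain,
# reporting every missing rule rather than stopping at the first.
check_hook() {
    status=0
    for proto in tcp udp icmp; do
        has_rule "$1" "$2" "$proto" "$3" || {
            echo "FAIL: $2 chain lacks 'ip protocol $proto ct state $3 accept'" >&2
            status=1
        }
    done
    return $status
}

# audit_ruleset RULESET: both benchmark audit steps (input: established;
# output: new, related and established).
audit_ruleset() {
    a=0
    check_hook "$1" input established || a=1
    check_hook "$1" output established,related,new || a=1
    return $a
}

# remediation_for RULESET: print the benchmark's remediation commands for
# only the rules that are missing, so an operator can review before applying.
remediation_for() {
    for proto in tcp udp icmp; do
        has_rule "$1" input "$proto" established ||
            echo "nft add rule inet filter input ip protocol $proto ct state established accept"
        has_rule "$1" output "$proto" established,related,new ||
            echo "nft add rule inet filter output ip protocol $proto ct state new,related,established accept"
    done
}

# Stand-alone run against the constructed sample.
if audit_ruleset "$SAMPLE_RULESET"; then
    echo "PASS: input/output ct state rules match the benchmark"
else
    echo "Missing rules; suggested remediation:"
    remediation_for "$SAMPLE_RULESET"
fi
```

Because `nft list ruleset` prints ct states in its own canonical order, the comparison normalizes the state list before matching; a rule added with `ct state new,related,established` therefore audits the same as the `established,related,new` shown in the expected output. Review the printed `nft add rule` lines against site policy before running them, and remember that they are not persistent until saved to the nftables configuration file.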