3.5.3.2.4 Ensure iptables firewall rules exist for all open ports

Audit

Run the following command to determine open ports:

# ss -4tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:68 *:*
udp UNCONN 0 0 *:123 *:*
tcp LISTEN 0 128 *:22 *:*

Run the following command to determine firewall rules:

# iptables -L INPUT -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
 0 0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22 state NEW

Verify all open ports listening on non-localhost addresses have at least one firewall rule. The last line identified by the "tcp dpt:22 state NEW" identifies it as a firewall rule for new connections on tcp port 22.

Remediation

For each port identified in the audit which does not have a firewall rule establish a proper rule for accepting inbound connections:

# iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT