Skip to content

4.3.6 Ensure nftables loopback traffic is configured

hide: - toc title: 4.3.6 Ensure nftables loopback traffic is configured description: Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network tags: - Level 1 - Workstation - Server - Host Based Firewall - Configure nftables - Automated - 4.4 Implement and Manage a Firewall on Servers - 4.5 Implement and Manage a Firewall on End-User Devices - IG1 - IG2 - IG3 - T1562 - T1562.004 - TA0005

Audit#

Run the following commands to verify that the loopback interface is configured: Run the following command to verify the loopback interface is configured to accept network traffic: 

# nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept'

Example output: 

iif "lo" accept

Run the following command to verify network traffic from an iPv4 loopback interface is configured to drop: 

# nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr'

Example output: 

ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop

- IF - IPv6 is enabled on the system: Run the following command to verify that the IPv6 loopback interface is configured to drop: 

# nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr'

Example output: 

ip6 saddr ::1 counter packets 0 bytes 0 drop

Remediation#

Run the following commands to implement the loopback rules: 

# nft add rule inet filter input iif lo accept
# nft create rule inet filter input ip saddr 127.0.0.0/8 counter drop

- IF - IPv6 is enabled on the system: Run the following command to implement the IPv6 loopback rule: 

# nft add rule inet filter input ip6 saddr ::1 counter drop