
4.3.7 Ensure nftables outbound and established connections are configured

Audit

Run the following command and verify that all rules for established incoming connections match site policy:

# nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp) ct state'

Output should be similar to:

ip protocol tcp ct state established accept
ip protocol udp ct state established accept

Run the following command and verify that all rules for new and established outbound connections match site policy:

# nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp) ct state'

Output should be similar to:

ip protocol tcp ct state established,related,new accept
ip protocol udp ct state established,related,new accept

Remediation

Configure nftables in accordance with site policy. The following commands will implement a policy to allow all outbound connections and all established connections:

# nft add rule inet filter input ip protocol tcp ct state established accept
# nft add rule inet filter input ip protocol udp ct state established accept
# nft add rule inet filter output ip protocol tcp ct state new,related,established accept
# nft add rule inet filter output ip protocol udp ct state new,related,established accept
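As an added example (not part of the benchmark), the following POSIX shell script runs the two audit checks above offline against a saved `nft list ruleset` dump, so the check can be scripted or applied to a dump collected from a host. The ruleset text embedded in it is constructed to match what the remediation commands produce; the state set is compared order-independently, so `new,related,established` and `established,related,new` are treated as equivalent.

```shell
# Added example (not benchmark code): audit a saved `nft list ruleset` dump offline.
# SAMPLE_RULESET is a constructed dump in the form the benchmark's audit expects.
SAMPLE_RULESET='table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		ip protocol tcp ct state established accept
		ip protocol udp ct state established accept
	}
	chain output {
		type filter hook output priority 0; policy drop;
		ip protocol tcp ct state established,related,new accept
		ip protocol udp ct state established,related,new accept
	}
}'

# ct_states HOOK PROTO: read a dump on stdin, print the ct state set of the
# first "ip protocol PROTO ct state ... accept" rule in the chain hooked at HOOK.
ct_states() {
    awk -v hook="$1" -v proto="$2" '
        $0 ~ "hook " hook { inchain = 1 }
        inchain && $1 == "ip" && $2 == "protocol" && $3 == proto &&
            $4 == "ct" && $5 == "state" && $7 == "accept" { print $6; exit }
        inchain && /}/ { inchain = 0 }'
}

# has_states SET STATE...: succeed if comma-separated SET lists every STATE
# (order-independent, so "established,related,new" == "new,related,established").
has_states() {
    _set=$1; shift
    for want in "$@"; do
        case ",$_set," in *",$want,"*) ;; *) return 1 ;; esac
    done
}

# audit_ruleset: read a dump on stdin, print PASS/FAIL per expected rule,
# return 1 if any rule the benchmark expects is missing or too narrow.
audit_ruleset() {
    dump=$(cat); rc=0
    for proto in tcp udp; do
        s=$(printf '%s\n' "$dump" | ct_states input "$proto")
        has_states "$s" established && echo "PASS input $proto: $s" ||
            { echo "FAIL input $proto: no established accept rule"; rc=1; }
        s=$(printf '%s\n' "$dump" | ct_states output "$proto")
        has_states "$s" new related established && echo "PASS output $proto: $s" ||
            { echo "FAIL output $proto: need new,related,established accept"; rc=1; }
    done
    return $rc
}
# Stand-alone run on the sample; on a live host: nft list ruleset | audit_ruleset
printf '%s\n' "$SAMPLE_RULESET" | audit_ruleset
```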