4.4.3.1 Ensure ip6tables default deny firewall policy
Audit
Run the following command and verify that the policy for the INPUT, OUTPUT, and FORWARD chains is DROP or REJECT:
# ip6tables -L
Chain INPUT (policy DROP)
Chain FORWARD (policy DROP)
Chain OUTPUT (policy DROP)
- OR -
Verify IPv6 is disabled:
Run the following script. Output will confirm if IPv6 is enabled on the system.
#!/usr/bin/env bash
{
  l_ipv6_enabled="is"
  # Module parameter: a leading "0" means the ipv6 module is enabled; any other
  # value, or no file at all (module not built or not loaded), means disabled.
  ! grep -Pqs -- '^\h*0\b' /sys/module/ipv6/parameters/disable && l_ipv6_enabled="is not"
  # sysctl: IPv6 also counts as disabled when both the "all" and the "default"
  # interface settings are 1.
  if sysctl net.ipv6.conf.all.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\b" && \
     sysctl net.ipv6.conf.default.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\b"; then
    l_ipv6_enabled="is not"
  fi
  echo -e " - IPv6 $l_ipv6_enabled enabled on the system"
}
Remediation
- IF - IPv6 is enabled on your system:
Run the following commands to implement a default DROP policy. Note that changing the policy on a host you administer over an IPv6 session can lock you out: a DROP policy on INPUT and OUTPUT with no rules in place also drops the session's own return traffic, so add rules accepting loopback and established/related traffic before changing the policies, and make sure the ruleset is persisted so it survives a reboot.
# ip6tables -P INPUT DROP
# ip6tables -P OUTPUT DROP
# ip6tables -P FORWARD DROP
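The following helper is an added example, not the benchmark's own audit or remediation script. It turns the audit above into a pass/fail function that parses `ip6tables -L` output (so it can be tested on a captured listing), re-implements the IPv6-disabled decision with its three inputs passed as arguments, and wraps the remediation so loopback and established/related traffic are accepted before the policies are flipped, which is what prevents the remote-session lockout described above. It assumes `ip6tables` and `sysctl` are on PATH and that remediation is run as root; the function names are mine.

```shell
#!/usr/bin/env bash
# Added example for 4.4.3.1; not the benchmark's script.
# Assumes ip6tables and sysctl on PATH; remediation must run as root.

# Returns 0 when every one of INPUT, FORWARD and OUTPUT in an `ip6tables -L`
# listing (read from stdin) has policy DROP or REJECT. Any other policy, a
# missing chain, or empty input (ip6tables absent or not runnable) fails.
ip6_policies_default_deny() {
    awk '
        /^Chain (INPUT|FORWARD|OUTPUT) \(policy / {
            p = $4; sub(/\)$/, "", p)            # "DROP)" -> "DROP"
            if (p == "DROP" || p == "REJECT") ok[$2] = 1; else nbad++
        }
        END {
            n = 0; for (c in ok) n++
            if (n == 3 && nbad == 0) exit 0
            exit 1
        }'
}

# Same decision as the benchmark script, with the inputs passed in so it can
# be checked without touching the host:
#   $1 = contents of /sys/module/ipv6/parameters/disable ("" if the file is absent)
#   $2 = net.ipv6.conf.all.disable_ipv6      $3 = net.ipv6.conf.default.disable_ipv6
# Returns 0 when IPv6 is disabled by either mechanism.
ipv6_is_disabled() {
    local mod_param
    mod_param=$(printf '%s' "$1" | awk '{ print $1; exit }')
    # Module parameter "0" means the module is enabled; anything else,
    # including no file at all, means IPv6 is disabled at module level.
    [ "$mod_param" = "0" ] || return 0
    [ "$2" = "1" ] && [ "$3" = "1" ] && return 0
    return 1
}

# Host-level audit: pass when either condition of the benchmark holds.
ip6_audit() {
    if ip6tables -L 2>/dev/null | ip6_policies_default_deny; then
        echo "PASS: ip6tables INPUT/FORWARD/OUTPUT policies are default deny"
        return 0
    fi
    local mod=""
    [ -r /sys/module/ipv6/parameters/disable ] && mod=$(cat /sys/module/ipv6/parameters/disable)
    if ipv6_is_disabled "$mod" \
        "$(sysctl -n net.ipv6.conf.all.disable_ipv6 2>/dev/null)" \
        "$(sysctl -n net.ipv6.conf.default.disable_ipv6 2>/dev/null)"; then
        echo "PASS: IPv6 is disabled on the system"
        return 0
    fi
    echo "FAIL: IPv6 is enabled and ip6tables policies are not default deny"
    return 1
}

# Remediation with a lockout guard: accept loopback and established/related
# flows first so an active session survives the policy change. New outbound
# connections are still denied by the OUTPUT policy; each required service
# needs its own explicit rule. Run as root.
ip6_remediate_default_deny() {
    ip6tables -A INPUT  -i lo -j ACCEPT
    ip6tables -A OUTPUT -o lo -j ACCEPT
    ip6tables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ip6tables -P INPUT DROP
    ip6tables -P OUTPUT DROP
    ip6tables -P FORWARD DROP
}

case "${1:-}" in
    audit)     ip6_audit ;;
    remediate) ip6_remediate_default_deny && ip6_audit ;;
esac
```

Run it as `./ip6_default_deny.sh audit` to get a pass/fail exit status, or `./ip6_default_deny.sh remediate` as root to apply the guarded remediation and re-audit. The rules set here live only in the running kernel; persist them with `ip6tables-save` and your distribution's restore mechanism, otherwise the audit will fail again after the next reboot.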