4.4.3.3 Ensure ip6tables outbound and established connections are configured

Audit

Run the following command and verify all rules for new outbound, and established connections match site policy:

# ip6tables -L -v -n

- OR - Verify IPv6 is disabled: Run the following script. Output will confirm if IPv6 is enabled on the system.

#!/usr/bin/env bash
{
l_ipv6_enabled="is"
! grep -Pqs -- '^\h*0\b' /sys/module/ipv6/parameters/disable && l_ipv6_enabled="is not"
if sysctl net.ipv6.conf.all.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\b" && \
sysctl net.ipv6.conf.default.disable_ipv6 | grep -Pqs -- "^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\b"; then
l_ipv6_enabled="is not"
fi
echo -e " - IPv6 $l_ipv6_enabled enabled on the system"
}

Remediation

Configure iptables in accordance with site policy. The following commands will implement a policy to allow all outbound connections and all established connections:

# ip6tables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
# ip6tables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
# ip6tables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
# ip6tables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT