Set nftables Configuration for Loopback Traffic
Description
Configure the loopback interface to accept traffic.
Configure all other interfaces to drop traffic whose source address belongs to the loopback
network (127.0.0.0/8 and, when IPv6 is enabled, ::1).
Rationale
Loopback traffic is generated between processes on the machine and is
typically critical to the operation of the system. The loopback interface
is the only place where loopback network traffic should be seen;
a packet carrying a loopback source address that arrives on any other
interface is spoofed, so all other interfaces should drop such traffic
as an anti-spoofing measure.
Shell script
The following script can be run on the host to remediate the issue.
# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'nftables' 2>/dev/null | grep -q installed; then

    # Determine whether IPv6 is disabled, either on the kernel command line
    # (every "linux" entry in grub.cfg carries ipv6.disable=1) or through sysctl
    # (both the persistent configuration and the running values are 1).
    ipv6_disabled=""
    for grub_cfg in /boot/grub/grub.cfg /boot/grub2/grub.cfg; do
        [ -f "$grub_cfg" ] || continue
        if grep -q "^\s*linux" "$grub_cfg" && \
           [ -z "$(grep "^\s*linux" "$grub_cfg" | grep -v ipv6.disable=1)" ]; then
            ipv6_disabled="true"
        fi
    done
    if grep -Eqs "^\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" \
            /etc/sysctl.conf /etc/sysctl.d/*.conf && \
       grep -Eqs "^\s*net\.ipv6\.conf\.default\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" \
            /etc/sysctl.conf /etc/sysctl.d/*.conf && \
       [ "$(sysctl -n net.ipv6.conf.all.disable_ipv6 2>/dev/null)" = "1" ] && \
       [ "$(sysctl -n net.ipv6.conf.default.disable_ipv6 2>/dev/null)" = "1" ]; then
        ipv6_disabled="true"
    fi

    # Implement the loopback rules. "nft insert" prepends to the chain, so the
    # rules are inserted in reverse order and end up as: accept lo, then drop
    # spoofed loopback sources. The drop rules must never precede "iif lo accept",
    # otherwise legitimate loopback traffic (source 127.0.0.1 or ::1) is dropped too.
    if [ "$ipv6_disabled" != "true" ]; then
        nft insert rule inet filter input ip6 saddr ::1 counter drop
    fi
    nft insert rule inet filter input ip saddr 127.0.0.0/8 counter drop
    nft insert rule inet filter input iif lo accept

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - PCI-DSS-Req-1.4.1
  - medium_severity
  - set_nftables_loopback_traffic

# IPv6 is disabled on the kernel command line when every "linux" entry in
# grub.cfg carries ipv6.disable=1 (rc 0). Both Debian and RHEL paths are tried.
- name: Check if IPv6 is Disabled in grub Configuration
  ansible.builtin.shell: |
    for grub_cfg in /boot/grub/grub.cfg /boot/grub2/grub.cfg; do
      [ -f "$grub_cfg" ] || continue
      if grep -q "^\s*linux" "$grub_cfg" && [ -z "$(grep "^\s*linux" "$grub_cfg" | grep -v ipv6.disable=1)" ]; then
        exit 0
      fi
    done
    exit 1
  register: ipv6_status
  changed_when: false
  failed_when: false
  when: '"nftables" in ansible_facts.packages'
  tags:
  - PCI-DSS-Req-1.4.1
  - medium_severity
  - set_nftables_loopback_traffic

# In check mode the sysctl module reports "changed" when the persistent value
# is not already 1, i.e. when IPv6 is not disabled by that setting.
- name: Check sysctl value of net.ipv6.conf.all.disable_ipv6
  ansible.posix.sysctl:
    name: net.ipv6.conf.all.disable_ipv6
    state: present
    value: '1'
  check_mode: true
  register: sysctl_ipv6_all
  when: '"nftables" in ansible_facts.packages'
  tags:
  - PCI-DSS-Req-1.4.1
  - medium_severity
  - set_nftables_loopback_traffic

- name: Check sysctl value of net.ipv6.conf.default.disable_ipv6
  ansible.posix.sysctl:
    name: net.ipv6.conf.default.disable_ipv6
    state: present
    value: '1'
  check_mode: true
  register: sysctl_ipv6_default
  when: '"nftables" in ansible_facts.packages'
  tags:
  - PCI-DSS-Req-1.4.1
  - medium_severity
  - set_nftables_loopback_traffic

# "nft insert" prepends to the chain, so the rules are inserted in reverse
# order: the drop rules first, then "iif lo accept" so that it ends up on top.
# A drop rule placed before the accept would discard legitimate loopback traffic.
- name: Create Rule to Drop Input IPv6 Address from Loopback
  ansible.builtin.command: nft insert rule inet filter input ip6 saddr ::1 counter drop
  when:
  - '"nftables" in ansible_facts.packages'
  - ipv6_status.rc != 0
  - sysctl_ipv6_all.changed or sysctl_ipv6_default.changed
  tags:
  - PCI-DSS-Req-1.4.1
  - medium_severity
  - set_nftables_loopback_traffic

- name: Create Rule to Drop Input IP Address from Loopback
  ansible.builtin.command: nft insert rule inet filter input ip saddr 127.0.0.0/8 counter drop
  when: '"nftables" in ansible_facts.packages'
  tags:
  - PCI-DSS-Req-1.4.1
  - medium_severity
  - set_nftables_loopback_traffic

- name: Implement Loopback Rules
  ansible.builtin.command: nft insert rule inet filter input iif lo accept
  when: '"nftables" in ansible_facts.packages'
  tags:
  - PCI-DSS-Req-1.4.1
  - medium_severity
  - set_nftables_loopback_traffic
Warning
Changing firewall settings while connected over the network can
result in being locked out of the system.
The rules above assume that the inet filter table and its input base chain
already exist; nft fails with an error if they do not, so create them first.
Keep in mind that the remediation changes only the running ruleset. To keep
the changes across a reboot, save them to the nftables configuration file that
the nftables service loads at boot, for example with
nft list ruleset > /etc/nftables.conf on Debian-based systems. Each run of the
remediation inserts another copy of the rules, so review nft list ruleset for
duplicates before saving.
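The following script is an added example and is not part of the ComplianceAsCode rule or its remediations. It renders the loopback rules above as a persistent nft(8) ruleset (the form you would save to /etc/nftables.conf) and checks a saved nft list ruleset dump for the rules and, just as important, for their order: the iif lo accept rule must come before the drop rules, or loopback traffic itself is dropped. The table and chain names (inet filter, input) follow the rule; the dumps it checks are constructed here, not captured from a host, and the checker accepts both the quoted form nft prints (iif "lo") and the unquoted form typed on the command line.

```shell
#!/bin/sh
# Added example (not ComplianceAsCode code): render the loopback anti-spoofing
# rules as an nft ruleset and verify a saved `nft list ruleset` dump.
# Assumes the rule's table/chain names: inet filter / input.

# Print the ruleset fragment the remediation should leave behind.
# $1 is "yes" when IPv6 is enabled on the host (adds the ::1 drop rule).
loopback_ruleset() {
    printf '%s\n' \
        'table inet filter {' \
        '    chain input {' \
        '        type filter hook input priority 0; policy drop;' \
        '        iif "lo" accept' \
        '        ip saddr 127.0.0.0/8 counter drop'
    if [ "$1" = yes ]; then
        printf '%s\n' '        ip6 saddr ::1 counter drop'
    fi
    printf '%s\n' '    }' '}'
}

# Line number within the dump ($2) of the first line matching ERE $1, or empty.
rule_line() {
    grep -En "$1" "$2" | head -n 1 | cut -d: -f1
}

# Verify a saved `nft list ruleset` dump ($1); $2 is "yes" if IPv6 is enabled.
# Requires the lo accept rule to exist and to precede both drop rules: a drop
# placed first (what `nft add ... accept` followed by `nft insert ... drop`
# produces) discards legitimate loopback traffic. Prints each finding,
# returns 0 when compliant and 1 otherwise.
check_loopback_rules() {
    dump=$1 want_v6=$2 rc=0
    accept=$(rule_line '^[[:space:]]*iif "?lo"? accept' "$dump")
    drop4=$(rule_line '^[[:space:]]*ip saddr 127\.0\.0\.0/8 .*drop' "$dump")
    drop6=$(rule_line '^[[:space:]]*ip6 saddr ::1 .*drop' "$dump")
    [ -n "$accept" ] || { echo "missing: iif lo accept"; rc=1; }
    [ -n "$drop4" ]  || { echo "missing: ip saddr 127.0.0.0/8 drop"; rc=1; }
    if [ -n "$accept" ] && [ -n "$drop4" ] && [ "$drop4" -lt "$accept" ]; then
        echo "order: 127.0.0.0/8 drop precedes iif lo accept (would drop loopback)"
        rc=1
    fi
    if [ "$want_v6" = yes ]; then
        [ -n "$drop6" ] || { echo "missing: ip6 saddr ::1 drop"; rc=1; }
        if [ -n "$accept" ] && [ -n "$drop6" ] && [ "$drop6" -lt "$accept" ]; then
            echo "order: ::1 drop precedes iif lo accept (would drop loopback)"
            rc=1
        fi
    fi
    return $rc
}

# Demo on constructed dumps (not captured from a host): the expected ruleset,
# and a misordered chain in which the drop rule was inserted above the accept.
workdir=$(mktemp -d)
loopback_ruleset yes > "$workdir/expected.nft"
printf '%s\n' 'table inet filter {' '    chain input {' \
    '        ip saddr 127.0.0.0/8 counter drop' '        iif "lo" accept' \
    '    }' '}' > "$workdir/misordered.nft"
check_loopback_rules "$workdir/expected.nft" yes && echo "expected.nft: ok"
check_loopback_rules "$workdir/misordered.nft" no || echo "misordered.nft: FAIL"
```

On a live host, run check_loopback_rules against the output of nft list ruleset saved to a file, with the second argument derived from the same IPv6 check the remediation performs; a non-zero exit with an "order:" finding means the chain will break local services even though every required rule is present.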