3.2.7 Ensure Reverse Path Filtering is enabled (Scored)

Level 1 - Server
Level 1 - Workstation 

Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set).

Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.

Run the following command and verify output matches:

# sysctl net.ipv4.conf.all.rp_filter 
net.ipv4.conf.all.rp_filter = 1 
# sysctl net.ipv4.conf.default.rp_filter 
net.ipv4.conf.default.rp_filter = 1

Set the following parameter in the /etc/sysctl.conf file:

net.ipv4.conf.all.rp_filter = 1 
net.ipv4.conf.default.rp_filter = 1

Run the following commands to set the active kernel parameters:

# sysctl -w net.ipv4.conf.all.rp_filter=1 
# sysctl -w net.ipv4.conf.default.rp_filter=1 
# sysctl -w net.ipv4.route.flush=1
  • centos7/3/2/7.txt
  • Last modified: 2017/05/04 17:22
  • by Piotr K┼éoczewski