3.6.3 Ensure loopback traffic is configured (Scored)

Level 1 - Server
Level 1 - Workstation 

Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8).

Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure.

Run the following commands and verify output includes the listed rules in order (packet and byte counts may differ):

# iptables -L INPUT -v -n 
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
 0 0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0 

# iptables -L OUTPUT -v -n 
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0

Run the following commands to implement the loopback rules:

# iptables -A INPUT -i lo -j ACCEPT 
# iptables -A OUTPUT -o lo -j ACCEPT 
# iptables -A INPUT -s 127.0.0.0/8 -j DROP

Changing firewall settings while connected over network can result in being locked out of the system.
Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well.

  • ubuntu1604/3/6/3.txt
  • Last modified: 2017/05/02 14:13
  • by Piotr Kłoczewski