Check: RHEL-06-000320
Red Hat Enterprise Linux 6 STIG:
RHEL-06-000320
(in versions v2 r2 through v1 r18)
Title
The systems local firewall must implement a deny-all, allow-by-exception policy for forwarded packets. (Cat II impact)
Discussion
In "iptables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.
Check Content
Run the following command to ensure the default "FORWARD" policy is "DROP": # iptables -nvL | grep -i forward Chain FORWARD (policy DROP 0 packets, 0 bytes) If the default policy for the FORWARD chain is not set to DROP, this is a finding.
Fix Text
To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in "/etc/sysconfig/iptables": :FORWARD DROP [0:0]
Additional Identifiers
Rule ID: SV-218060r603264_rule
Vulnerability ID: V-218060
Group Title: SRG-OS-000480
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000366 |
The organization implements the security configuration settings. |
| CCI-001109 |
The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception). |