Product Name: CIS Hardened Images® (AWS), CIS Hardened Images (Azure), CIS Hardened Images (Google Cloud Platform), CIS Hardened Images (Oracle)

Product Version: CIS Linux Hardened Images v3.0.0+




Problem


I am using a newly released v3.0.0 CIS Linux Benchmark-based Hardened Image and now I am having port errors, connectivity issues, and/or firewall concerns.

Solution

Most Linux distributions have deprecated iptables or are in the process of doing so. In line with this, the CIS Benchmarks have been updated to provide secure configuration guidance for nftables in place of iptables.

CIS Hardened Images are hardened against the corresponding CIS Benchmark. As each Benchmark is updated, the matching Hardened Image is updated to align with its latest release. For the v3.0.0 Linux images, that update brings the move from iptables to nftables.

If this transition in a new CIS Hardened Image is causing integration issues, the temporary workarounds below are available. As a security best practice, the migration to nftables should still be completed.

  1. Use iptables-nft instead. It is a bridge between the iptables-legacy tooling and nftables, and it lets you keep loading your legacy firewall rules. Note that while iptables-nft can replace iptables-legacy, the two should not be used at the same time. Consider this option if you need to keep the existing legacy rules you already have. iptables:

  2. Migrate/downgrade from nftables to iptables-legacy for this Benchmark. Several guides exist on how to perform this downgrade. Once done, you should be able to apply your existing firewall rules without further changes.

Additional Insights:

The default ruleset can be viewed by running:

    $ nft list ruleset

This shows the defaults set in the image, which only accept ICMP, IGMP, and TCP port 22 (SSH) from any source. To open the ECS agent ports to traffic for ECS testing, you could add rules along the lines of:

    $ nft add rule inet filter input tcp dport 51678 accept
    $ nft add rule inet filter input iifname "ecs-bridge" ip daddr 127.0.0.0/8 tcp dport 51679 counter accept
    $ nft add rule inet filter input iifname "docker0" ip daddr 127.0.0.0/8 tcp dport 51679 counter accept

Rules added with nft add rule change only the running ruleset; to survive a reboot they must also be saved in the nftables configuration file that the nftables service loads.

Alternatively, to confirm that the firewall is the cause, you could remove every rule for the duration of the test with:

    $ nft flush ruleset

Afterwards, restart the nftables service or the system to reload the default ruleset.

Note

Customers can migrate their existing firewall rules on their own using iptables-translate (for individual rules) and iptables-restore-translate (for a saved ruleset). These commands can be run in any Linux environment that has iptables installed, or even on Windows using WSL2.

https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
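To make the translation step concrete, here is an added example (not part of this article and not a CIS or nftables tool) that converts single iptables rules of the common forms into nft add rule commands aimed at the image's default inet filter table; the table and chain names, and the choice to mirror the iptables-translate output style (counter before the verdict), are assumptions. The real migration should use iptables-translate and iptables-restore-translate, which cover the full option set.

```python
import shlex

# Assumed target: the image's default "inet filter" table with lower-case chains.
# The real iptables-translate keeps the original family/chain ("ip filter INPUT").
CHAIN_MAP = {"INPUT": "input", "OUTPUT": "output", "FORWARD": "forward"}
VERDICTS = {"ACCEPT": "accept", "DROP": "drop", "REJECT": "reject"}


def iptables_to_nft(rule, family="inet", table="filter"):
    """Translate one iptables rule (the arguments of `iptables -A ...`) into an
    `nft add rule` command. Handles -A, -p, --dport/--sport, -i/-o, -s/-d,
    -m conntrack --ctstate (and -m state --state) and -j. Any other option
    raises ValueError so that no match is silently dropped during migration."""
    args = shlex.split(rule)
    if args[:1] == ["iptables"]:
        args = args[1:]
    chain = verdict = proto = None
    expr, port_seen = [], False
    i = 0
    while i < len(args):
        opt = args[i]
        val = args[i + 1] if i + 1 < len(args) else None
        if opt == "-A":
            chain = CHAIN_MAP.get(val, val)
        elif opt == "-p":
            proto = val.lower()
        elif opt in ("--dport", "--sport"):
            if proto not in ("tcp", "udp"):
                raise ValueError("port match needs -p tcp or -p udp")
            expr.append(f"{proto} {opt[2:]} {val}")   # e.g. "tcp dport 22"
            port_seen = True
        elif opt in ("-i", "-o"):
            expr.append(f'{"iifname" if opt == "-i" else "oifname"} "{val}"')
        elif opt in ("-s", "-d"):
            expr.append(f'ip {"saddr" if opt == "-s" else "daddr"} {val}')
        elif opt == "-m":
            pass                                   # module name; its options follow
        elif opt in ("--ctstate", "--state"):
            expr.append(f"ct state {val.lower()}")
        elif opt == "-j":
            if val not in VERDICTS:
                raise ValueError(f"unsupported target: {val}")
            verdict = VERDICTS[val]
        else:
            raise ValueError(f"unsupported iptables option: {opt}")
        i += 2
    if chain is None or verdict is None:
        raise ValueError("rule needs both -A <chain> and -j <target>")
    if proto and not port_seen:                    # "-p tcp" without a port match
        expr.insert(0, f"meta l4proto {proto}")
    return f"nft add rule {family} {table} {chain} {' '.join(expr)} counter {verdict}"
```

Feeding it the legacy form of the docker0 rule above reproduces the nft command shown in this article, and a multiport rule is rejected rather than mistranslated.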

Keywords: Hardened Images, nftables, iptables, linux


Copyright © 2024

Center for Internet Security®


Page Properties

Linked ticket: SUPPORT-33252 (System Jira)


Created by: Amanda McGown, Erin Dayton

Reviewed by: SBP Product Technical Support Team (Amanda McGown, Allan Cornwell, Andrew Dannenberger, Chris Boldiston, Nick Romanzo, Parami Swenson)

Approved by: Amanda McGown, Allan Cornwell, Chris Boldiston

Remove by:

Add. details: https://cisecurity.atlassian.net/wiki/x/JwB9yw (provided by Erin Dayton)