

Product Name

CIS Hardened Images® (AWS)




Problem

I am using a newly released v3.0.0 CIS Linux Benchmark-based Hardened Image and now I am having port errors, connectivity issues, and/or firewall concerns.

Solution

Most operating systems have deprecated, or will deprecate, iptables. In alignment with this, CIS Benchmarks have been updated to provide secure configuration guidance for nftables in place of iptables.

CIS Hardened Images are hardened against the corresponding CIS Benchmark. As CIS Benchmarks are updated, CIS Hardened Images are updated to align with the latest release of the corresponding Benchmark. With the update to the latest release comes the move from iptables to nftables.

If this transition in a new CIS Hardened Image is causing integration issues, temporary workarounds are listed below. As a security best practice, the migration to nftables should be completed.

  1. Use iptables-nft instead. It is a bridge between iptables-legacy and nftables: it keeps the iptables command syntax while loading the rules into the kernel's nf_tables backend, so it allows you to keep using your legacy firewall rules. Please note that while iptables-nft can supplant iptables-legacy, ideally you would not use the two simultaneously. Please consider this option while using the existing legacy rules you provided. iptables:

  2. Migrate/downgrade from nftables to iptables-legacy for this Benchmark. There are a few guides available on how to accomplish this downgrade. After that you should be able to apply your existing firewall rules without having to make additional changes.

Additional Insights:

The default ruleset can be viewed by running:

$ nft list ruleset

This shows the set defaults, which only allow ICMP, IGMP, and port 22 (ssh) from anywhere. To open an ECS agent port for ECS testing you could craft rules to the effect of the following (the first rule accepts port 51678 from any source; the other two accept port 51679 only when it arrives on the container bridge interface and is addressed to the loopback range):

$ nft add rule inet filter input tcp dport 51678 accept
$ nft add rule inet filter input iifname "ecs-bridge" ip daddr 127.0.0.0/8 tcp dport 51679 counter accept
$ nft add rule inet filter input iifname "docker0" ip daddr 127.0.0.0/8 tcp dport 51679 counter accept

Alternatively, to confirm that the firewall is the cause, you could remove every rule for testing with:

$ nft flush ruleset

From there you would have to restart the nftables service or the system, which reloads the saved ruleset. Note that rules added interactively with nft add rule are lost on that reload unless they are also saved to the nftables configuration file.
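As an added example (not from this CIS page or the Hardened Image itself), a small Python audit of nft list ruleset output: it confirms that the input chain still defaults to drop and lists which accepted ports are reachable from any interface and any address, so that a test-time opening like port 51678 is not left behind unnoticed. The ruleset text is constructed to mirror the defaults and ECS rules above, not captured from a real image.

```python
import re

# Constructed sample of `nft list ruleset` text: the CIS default (ICMP and ssh/22
# open, policy drop) plus the ECS agent rules from above; not captured from a real image.
SAMPLE_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ip protocol icmp accept
        tcp dport 22 accept
        tcp dport 51678 accept
        iifname "ecs-bridge" ip daddr 127.0.0.0/8 tcp dport 51679 counter packets 0 bytes 0 accept
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
"""

def audit_ruleset(text):
    """Parse nft text output into {chain: {hook, policy, ports}}; flag input chains
    whose policy is not drop and ports accepted with no iifname/daddr restriction."""
    chains, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("chain "):
            cur = chains.setdefault(line.split()[1], {"hook": None, "policy": None, "ports": []})
        elif line == "}":
            cur = None  # closes the current chain (or the table)
        elif cur is None:
            continue
        elif (m := re.search(r"hook (\w+) .*policy (\w+);", line)):
            cur["hook"], cur["policy"] = m.groups()  # base-chain declaration
        elif line.endswith("accept") and (m := re.search(r"(tcp|udp) dport (\d+)", line)):
            iif = re.search(r'iifname "([^"]+)"', line)
            daddr = re.search(r"ip daddr (\S+)", line)
            cur["ports"].append({"proto": m.group(1), "port": int(m.group(2)),
                                 "iifname": iif and iif.group(1),
                                 "daddr": daddr and daddr.group(1)})
    findings = []
    for name, c in chains.items():
        if c["hook"] != "input":
            continue
        if c["policy"] != "drop":
            findings.append(f"{name}: policy is {c['policy']}, not drop")
        for p in c["ports"]:
            if p["iifname"] is None and p["daddr"] is None:
                findings.append(f"{name}: {p['proto']}/{p['port']} accepted from any source")
    return chains, findings
```

Feed it the real output of nft list ruleset on the instance; port 22 showing up in the findings is the expected CIS default, anything else listed there is an opening to review before the image goes into service.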

Customers can migrate their existing firewall rules on their own using iptables-translate, which converts iptables rule syntax into the equivalent nft commands. It can be run in any Linux environment running iptables, or even on Windows using WSL2.

https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

Keywords: Hardened Images, nftables, iptables



Copyright © 2024

Center for Internet Security®

