CIS Hardened Images' transition from iptables to nftables


Product Name: CIS Hardened Images® (AWS), CIS Hardened Images (Azure), CIS Hardened Images (Google Cloud Platform), CIS Hardened Images (Oracle)

Product Version: CIS Linux Hardened Images v3.0.0+

Date: May 22, 2024



 

Problem

I am using a newly released v3.0.0 CIS Linux Benchmark-based Hardened Image and now I am having port errors, connectivity issues, and/or firewall concerns.

 

Solution

Most operating systems have deprecated or will be deprecating iptables. In alignment with this, CIS Benchmarks have been updated to provide secure configuration guidance for the use of nftables in place of iptables.

CIS Hardened Images are hardened against the corresponding CIS Benchmark. As CIS Benchmarks are updated, CIS Hardened Images are updated to align with the latest release of the corresponding CIS Benchmark. With this update to the latest release comes the move from iptables to nftables.

If this transition in a new CIS Hardened Image is causing integration issues, temporary solutions are listed below. As a security best practice, migration to nftables should still be completed.

  1. Opt instead to use iptables-nft. This is a bridge between iptables-legacy and nftables. It will allow you to use your legacy firewall rules. Please note that while iptables-nft can supplant iptables-legacy, ideally you would not want to use them simultaneously. Please consider this option while using the existing legacy rules you provided.

  2. Migrate/downgrade from nftables to iptables-legacy for this Benchmark. There are a few guides out there on how to accomplish this downgrade. From there you should be able to implement your existing firewall rules without having to make additional changes.

Additional Insights:

The default ruleset can be viewed by running:

$ nft list ruleset

This shows the default ruleset, which only opens ICMP, IGMP, and port 22 (SSH) from anywhere. To open an ECS agent port to all traffic for ECS testing, you could craft rules that look something like:

$ nft add rule inet filter input tcp dport 51678 accept
$ nft add rule inet filter input iifname "ecs-bridge" ip daddr 127.0.0.0/8 tcp dport 51679 counter accept
$ nft add rule inet filter input iifname "docker0" ip daddr 127.0.0.0/8 tcp dport 51679 counter accept
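To see which accept rules end up reachable from any peer once rules like these are in place, the JSON form of the ruleset (nft -j list ruleset) can be audited. The following is an added example, not CIS or nftables project code: the helper names, the rule handles, and the sample ruleset are constructed for illustration, and the check assumes the inet filter input chain used above.

```python
import json

def match(left, right):                       # one nft JSON "match" statement
    return {"match": {"op": "==", "left": left, "right": right}}

def rule(handle, *expr):                      # one rule in inet filter input
    return {"rule": {"family": "inet", "table": "filter", "chain": "input",
                     "handle": handle, "expr": list(expr)}}

DPORT = {"payload": {"protocol": "tcp", "field": "dport"}}
IIF = {"meta": {"key": "iifname"}}
LOOPBACK = match({"payload": {"protocol": "ip", "field": "daddr"}},
                 {"prefix": {"addr": "127.0.0.0", "len": 8}})
COUNTER = {"counter": {"packets": 0, "bytes": 0}}
ACCEPT = {"accept": None}

# Constructed sample shaped like `nft -j list ruleset` output: the SSH default
# plus the three ECS rules from this article. Handles are made up.
SAMPLE = json.dumps({"nftables": [
    rule(4, match(DPORT, 22), ACCEPT),
    rule(7, match(DPORT, 51678), ACCEPT),
    rule(8, match(IIF, "ecs-bridge"), LOOPBACK, match(DPORT, 51679), COUNTER, ACCEPT),
    rule(9, match(IIF, "docker0"), LOOPBACK, match(DPORT, 51679), COUNTER, ACCEPT),
]})

SCOPING_KEYS = {"iif", "iifname", "saddr", "daddr"}   # interface or address limits

def unscoped_port_accepts(ruleset_json, where=("inet", "filter", "input")):
    """[(handle, proto, port)] for accepts matching a port but no interface/address."""
    findings = []
    for item in json.loads(ruleset_json)["nftables"]:
        r = item.get("rule")
        if not r or (r["family"], r["table"], r["chain"]) != where:
            continue
        exprs = r.get("expr", [])
        ports, scoped = [], False
        for e in exprs:
            left = e.get("match", {}).get("left", {})
            payload = left.get("payload", {})
            key = left.get("meta", {}).get("key") or payload.get("field")
            if key == "dport":
                ports.append((payload["protocol"], e["match"]["right"]))
            elif key in SCOPING_KEYS:
                scoped = True
        if ports and not scoped and any("accept" in e for e in exprs):
            findings += [(r["handle"], proto, port) for proto, port in ports]
    return findings

if __name__ == "__main__":
    print(unscoped_port_accepts(SAMPLE))
```

On a live host, pass the output of nft -j list ruleset instead of SAMPLE; a reported handle can then be removed with nft delete rule inet filter input handle followed by that handle number once testing is done.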

Alternatively, you could remove every rule for testing to confirm the cause with:

$ nft flush ruleset

From there, you would have to restart the nft service or the system.

Customers can migrate their existing firewall rules on their own using iptables-translate. This command can be run in any Linux environment running iptables or even on Windows using WSL2.

https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

Keywords: Hardened Images, nftables, iptables, Linux


Copyright © 2024

Center for Internet Security®