How can I open a port on a CIS Linux Hardened Image?


Product Name: CIS Hardened Images® (AWS), CIS Hardened Images® (Azure), CIS Hardened Images® (Google Cloud Platform), CIS Hardened Images® (Oracle Cloud)

Product Version: Linux

Date: Jul 23, 2020

In line with CIS Benchmark recommendations, CIS Hardened Images ship with a host firewall (iptables or nftables, depending on the distribution), and by default only the ports the image requires are open. If you need to open an additional port for an application on a CIS Hardened Image, add a rule as shown in the examples below.

Instructions

For systems using iptables:

  1. Check the iptables rules currently in place:
    sudo iptables -L

  2. Add a rule to iptables to allow, for example, new inbound TCP connections on port 8080:
    sudo iptables -A INPUT -p tcp --dport 8080 -m state --state NEW -j ACCEPT
    Note that -A appends the rule to the end of the INPUT chain. If the chain already ends with a REJECT or DROP rule, the appended rule is never evaluated; in that case insert it at the top with -I INPUT instead, and confirm the order with sudo iptables -L INPUT -n --line-numbers.

  3. If that resolves the issue, run the following command(s) so the rule persists across reboots:

    • CentOS, Red Hat, Amazon Linux 2, OracleOS - sudo service iptables save

    • Ubuntu and Debian - sudo netfilter-persistent save ; sudo netfilter-persistent reload


For systems using nftables (such as Ubuntu 20.04 / 22.04 and RHEL 9):

  1. Review the currently applied nftables rules:
    sudo nft list ruleset

  2. Allow inbound TCP port 8080 using the existing "inet filter" table (insert places the rule at the top of the input chain, ahead of any drop rules that follow):
    sudo nft insert rule inet filter input tcp dport 8080 accept
    The change takes effect immediately; no reload is needed.

  3. To make the nftables rules persistent across reboots, write the running configuration, which now contains the added port rule, to the rules file that is loaded at boot.

Note that the location of the nftables.conf and nftables.rules files varies by distribution (Ubuntu, RHEL, etc.). Follow the steps below and adjust the paths in the commands as needed.

  • Locate your nftables.conf and nftables.rules files:

    [root@ip-172-31-52-35 ~]# find / -name nftables.rules -o -name nftables.conf
    /etc/sysconfig/nftables.conf
    /etc/nftables/nftables.rules

  • Verify that nftables.conf includes the rules file found above:

    [root@ip-172-31-52-35 ~]# cat /etc/sysconfig/nftables.conf
    (...)
    include "/etc/nftables/nftables.rules"

  • Overwrite the nftables.rules file with the running configuration:

    sudo sh -c "nft list ruleset > /etc/nftables/nftables.rules"
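Before writing the ruleset to disk in step 3, it is worth confirming that the new accept rule really sits ahead of any unconditional drop or reject in the input chain, since a rule appended with `nft add` rather than `nft insert` would never be reached. The following check is an added example, not code from this CIS article; it parses the text form of `nft list ruleset` shown above, and the sample ruleset it uses is constructed rather than captured from a real image.

```python
import re
# Constructed sample of `sudo nft list ruleset` output (not captured from a real host), shaped
# like the CIS-style "inet filter" table after `nft insert rule ... tcp dport 8080 accept`.
SAMPLE_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        tcp dport 8080 accept
        ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop
        ct state established,related accept
        tcp dport { 22, 443 } accept
        counter packets 12 bytes 960 drop
        tcp dport 9090 accept
    }
}
"""
DPORT_RE = re.compile(r"\btcp dport (\{[^}]*\}|\S+)")  # single port or anonymous set
# A verdict with no match expression (optionally preceded by a counter) ends evaluation.
UNCONDITIONAL_RE = re.compile(r"^(counter( packets \d+ bytes \d+)?\s+)?(drop|reject)\b")

def chain_rules(ruleset, family="inet", table="filter", chain="input"):
    """Return (policy, [rule lines]) of one chain, in evaluation order."""
    depth, current_table, target, policy, rules = 0, None, False, None, []
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            depth += 1
            if depth == 1:
                current_table = line[:-1].strip()
            target = depth == 2 and current_table == f"table {family} {table}" and line == f"chain {chain} {{"
        elif line == "}":
            if depth == 2 and target:
                break  # end of the chain we were collecting
            depth -= 1
        elif target and line.startswith("type "):
            policy = line.rstrip(";").split()[-1]  # "... policy drop;" -> "drop"
        elif target and line:
            rules.append(line)
    return policy, rules

def tcp_port_accepted(ruleset, port, **where):
    """True if the first rule matching `port` accepts it and no unconditional verdict precedes it."""
    policy, rules = chain_rules(ruleset, **where)
    for rule in rules:
        m = DPORT_RE.search(rule)
        if m and str(port) in {p.strip() for p in m.group(1).strip("{}").split(",")}:
            return rule.split()[-1] == "accept"
        if UNCONDITIONAL_RE.match(rule):
            return False  # an accept appended later with `nft add` would be shadowed here
    return policy == "accept"  # no rule matched: the chain policy decides
```

Run it against live output with `tcp_port_accepted(subprocess.check_output(["sudo", "nft", "list", "ruleset"], text=True), 8080)`; service names such as `ssh` in a dport match are not resolved to numbers by this check.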

Additional Information

iptables Linux man page reference: https://linux.die.net/man/8/iptables

nftables man page reference: https://www.netfilter.org/projects/nftables/manpage.html


Copyright © 2023 Center for Internet Security®