How can I open a port on a CIS Linux Hardened Image?


Product Name

CIS Hardened Images®  (AWS)

CIS Hardened Images®  (Azure)

CIS Hardened Images®  (Google Cloud Platform)

CIS Hardened Images®  (Oracle Cloud)

Product Version

Linux

Date

Jul 23, 2020



Based on CIS Benchmark recommendations, CIS Hardened Images ship with iptables or nftables configured so that only the required ports are open by default. If an application on the image needs another port, add a rule as in the examples below.

Instructions

For systems using iptables:

  1. Check the current iptables rules that are in place:
    sudo iptables -L

  2. Add a rule to iptables to allow, for example, an inbound TCP connection on port 8080:
    sudo iptables -A INPUT -p tcp --dport 8080 -m state --state NEW -j ACCEPT

  3. If that solves the issue, run the following command(s) so the rule persists after a reboot:

    • CentOS, Red Hat, Amazon Linux 2, OracleOS - sudo service iptables save

    • Ubuntu and Debian - sudo netfilter-persistent save; sudo netfilter-persistent reload

For systems using nftables (such as Ubuntu 20.04 / 22.04 and RHEL 9):

  1. Review the currently applied nftables rules:
    sudo nft list ruleset

  2. Allow inbound port 8080 using the existing “inet filter” table:
    sudo nft insert rule inet filter input tcp dport 8080 accept
  The change takes effect immediately.
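The helper below wraps both procedures above; it is an added example, not CIS tooling. It builds the article's iptables or nftables command for a given port, selects the persistence command from the /etc/os-release ID, and checks ruleset output for the rule. It assumes the nftables table is named inet filter as above and that it runs as root; the os-release IDs, function names and the ruleset text used in testing are assumptions of this example.

```shell
#!/bin/sh
# Added helper, not CIS's own script: wraps the article's iptables/nftables steps for one
# inbound port and verifies the rule in the live ruleset. Assumes the nftables table is
# "inet filter" as on the page; the ruleset text used in testing is constructed.

# 0 if $1 is an integer port in 1..65535, else 1.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rule-adding command for BACKEND (iptables|nftables), PROTO (tcp|udp), PORT.
open_port_cmd() {
    valid_port "$3" || return 1
    case "$1" in
        # -A appends as on the page; if INPUT ends with an explicit REJECT/DROP rule, use -I so the rule precedes it.
        iptables) printf 'iptables -A INPUT -p %s --dport %s -m state --state NEW -j ACCEPT\n' "$2" "$3" ;;
        # nft insert places the rule first in the chain; it is live immediately.
        nftables) printf 'nft insert rule inet filter input %s dport %s accept\n' "$2" "$3" ;;
        *) return 1 ;;
    esac
}

# Print the iptables persistence command for an /etc/os-release ID (amzn = Amazon Linux 2, ol = Oracle
# Linux); returns 1 otherwise. nft runtime changes are not written to the boot-time ruleset file by the
# article's steps, so nftables hosts get no command here.
persist_cmd() {
    case "$1" in
        centos|rhel|amzn|ol) echo 'service iptables save' ;;
        ubuntu|debian) echo 'netfilter-persistent save; netfilter-persistent reload' ;;
        *) return 1 ;;
    esac
}

# Read "iptables -S" or "nft list ruleset" output on stdin; 0 if an accept rule for
# PROTO/PORT exists in the input chain, else 1.
rule_present() {
    if [ "$1" = iptables ]; then
        grep -E -q "^-A INPUT .*-p $2 .*--dport $3 .*-j ACCEPT$"
    else
        grep -E -q "^[[:space:]]*$2 dport $3( .*)? accept( |$)"
    fi
}

# Usage (as root): sh open_port.sh apply <iptables|nftables> <tcp|udp> <port>
if [ "${1:-}" = apply ]; then
    cmd=$(open_port_cmd "$2" "$3" "$4") || { echo "usage: $0 apply <backend> <proto> <port>" >&2; exit 2; }
    sh -c "$cmd"
    case "$2" in iptables) iptables -S ;; *) nft list ruleset ;; esac | rule_present "$2" "$3" "$4" \
        || { echo "rule not found after adding it" >&2; exit 1; }
    . /etc/os-release; if p=$(persist_cmd "$ID"); then sh -c "$p"; fi
fi
```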

Additional Information

iptables Linux man page reference: https://linux.die.net/man/8/iptables

nftables man page reference: https://www.netfilter.org/projects/nftables/manpage.html



Copyright © 2023

Center for Internet Security®