Profile Applicability:
• Level 1
Description:
IP forwarding allows a system to forward network packets between interfaces, effectively acting as a router. Disabling IP forwarding on systems not intended to route traffic prevents unauthorized traffic forwarding and network misconfigurations.
Rationale:
Disabling IP forwarding limits the system’s role to its intended function, reducing the risk of unintended network traffic routing or man-in-the-middle attacks.
Impact:
Pros:
Minimizes exposure to network-based attacks involving packet forwarding.
Simplifies network security posture.
Cons:
Disabling IP forwarding on routing devices may disrupt legitimate network functions.
Default Value:
IP forwarding is typically disabled by default on non-routing systems.
Pre-requisites:
Root or sudo privileges to modify system network settings.
Remediation:
Test Plan:
Using Linux command line:
1. Check current IP forwarding status:
sysctl net.ipv4.ip_forward
2. Confirm the value is 0 (disabled).
Implementation Plan:
Using Linux command line:
1. Disable IP forwarding temporarily:
sysctl -w net.ipv4.ip_forward=0
2. Persist the setting by editing /etc/sysctl.conf or a file in /etc/sysctl.d/ to include:
net.ipv4.ip_forward = 0
3. Reload sysctl settings:
sysctl -p
Backout Plan:
Using Linux command line:
1. Re-enable IP forwarding if necessary:
sysctl -w net.ipv4.ip_forward=1
2. Update configuration files accordingly and reload sysctl.
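An audit helper for the Test Plan and Implementation Plan above, added here as an example and not part of the benchmark. It assumes a POSIX shell and takes the proc file and configuration root as optional arguments so it can also be exercised against constructed files:

```shell
#!/bin/sh
# Added example, not from the benchmark: audit net.ipv4.ip_forward the way the
# Test Plan does, but also check the persisted configuration, because a value
# set with "sysctl -w" alone is lost at reboot. Paths are arguments so the
# functions can be exercised against constructed files.

# Running kernel value. /proc/sys/net/ipv4/ip_forward is the file behind
# "sysctl net.ipv4.ip_forward"; prints 0, 1 or "unknown".
running_ip_forward() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo "unknown"; fi
}

# Last effective persisted value across sysctl.d/*.conf and sysctl.conf, in the
# order "sysctl --system" applies them (sysctl.conf last, so it wins on
# conflict). Comments and unrelated keys are ignored. Prints 0, 1 or "unset".
persisted_ip_forward() {
    dir="${1:-/etc}"
    val="unset"
    for f in "$dir"/sysctl.d/*.conf "$dir"/sysctl.conf; do
        [ -r "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then val="$v"; fi
    done
    echo "$val"
}

# Verdict: PASS only when the running value is 0 AND a persisted 0 exists, so
# a host that is disabled now but would re-enable forwarding on reboot fails.
# Args: proc file (optional), configuration root such as /etc (optional).
audit_ip_forward() {
    run=$(running_ip_forward "$1")
    per=$(persisted_ip_forward "$2")
    if [ "$run" = "0" ] && [ "$per" = "0" ]; then
        echo "PASS: running=$run persisted=$per"
        return 0
    fi
    echo "FAIL: running=$run persisted=$per"
    return 1
}

# Stand-alone use on the live host: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit_ip_forward; fi
```

Note that `sysctl -p` with no file argument reloads only /etc/sysctl.conf; a setting placed in /etc/sysctl.d/ is applied by `sysctl --system`, which the helper's precedence order mirrors.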
References:
CIS Amazon Linux 2 Benchmark v3.0.0
Linux sysctl Documentation