Profile Applicability:
• Level 1
Description:
Base chains in nftables are the fundamental chains (such as input, forward, and output) within a table that process network traffic. Ensuring these base chains exist is essential for proper firewall operation and effective packet filtering.
Rationale:
Presence of base chains guarantees that nftables can enforce firewall policies on incoming, outgoing, and forwarded packets, thereby securing the system’s network traffic.
Impact:
Pros:
Enables structured and efficient firewall rule processing.
Supports comprehensive network traffic filtering.
Cons:
Missing base chains may leave traffic unfiltered, increasing risk.
Default Value:
No base chains exist by default until configured.
Pre-requisites:
Root or sudo privileges to query and modify nftables.
Remediation:
Test Plan:
Using Linux command line:
1. List nftables chains in the relevant table (e.g., inet filter):
nft list table inet filter
2. Verify presence of base chains: input, forward, and output.
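The following POSIX shell check is an added example, not part of the benchmark text: it parses an `nft list table inet filter` listing and reports which of the input, forward and output hooks lack a base chain. The point it makes explicit is that only a chain carrying a `type filter hook <name> priority ...` line is a base chain; a chain that merely shares the name sees no traffic. The listing below is constructed for the example; on a real host pipe in the live `nft list table inet filter` output instead.

```shell
#!/bin/sh
# Added example (not from the benchmark). Checks an nft table listing for the
# three base chains required by this control. Only chains with a hook line
# ("type filter hook <hook> priority ...") actually receive packets.

# Constructed sample listing: input and output are base chains, but forward is
# a plain chain with no hook line, so forwarded traffic would go unfiltered.
SAMPLE_LISTING='table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }
    chain forward {
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}'

# base_hooks: read an nft listing on stdin and print, one per line, the hook
# names that are attached to a base chain (any chain type: filter, nat, route).
base_hooks() {
    sed -n 's/^[[:space:]]*type [a-z]* hook \([a-z]*\) priority.*/\1/p'
}

# missing_base_chains: read an nft listing on stdin and print each of the
# hooks input, forward, output that has no base chain. Empty output = compliant.
missing_base_chains() {
    hooks=$(base_hooks)
    for want in input forward output; do
        printf '%s\n' "$hooks" | grep -qx "$want" || echo "$want"
    done
}

# check_sample: run the check on the constructed listing; returns 1 (non-compliant)
# when any base chain is missing, 0 otherwise.
check_sample() {
    missing=$(printf '%s\n' "$SAMPLE_LISTING" | missing_base_chains)
    if [ -n "$missing" ]; then
        echo "missing base chains: $missing"
        return 1
    fi
    echo "all base chains present"
}
```

For a live audit, replace the sample with `nft list table inet filter | missing_base_chains`; any hook name printed is a finding.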
Implementation Plan:
Using Linux command line:
1. Create base chains if missing, for example:
nft add chain inet filter input { type filter hook input priority 0 \; }
nft add chain inet filter forward { type filter hook forward priority 0 \; }
nft add chain inet filter output { type filter hook output priority 0 \; }
2. Verify chain creation:
nft list table inet filter
Backout Plan:
Using Linux command line:
1. Delete base chains if necessary:
nft delete chain inet filter input
nft delete chain inet filter forward
nft delete chain inet filter output
2. Confirm deletion:
nft list table inet filter
References:
CIS Amazon Linux 2 Benchmark v3.0.0
nftables Documentation