Profile Applicability:
 • Level 1

Description:
 A default deny firewall policy in iptables drops every incoming and forwarded packet unless a rule explicitly accepts it. This default stance secures the system by preventing unauthorized network access rather than relying on rules that block known-bad traffic.

Rationale:
 Configuring a default deny policy reduces the system’s attack surface by blocking unwanted traffic by default, allowing only explicitly permitted connections.

Impact:
 Pros:

  • Provides strong baseline protection against unauthorized access.

  • Encourages explicit firewall rule definition.

 Cons:

  • Misconfiguration may lead to legitimate traffic being blocked, causing service disruption.

Default Value:
 Unless explicitly configured, the default policy of the iptables chains is ACCEPT.

Pre-requisites:

  • Root or sudo privileges to configure firewall rules.

Remediation:

Test Plan:

Using Linux command line:

1. Check current default policies for INPUT and FORWARD chains:

iptables -L -v -n --line-numbers

2. Verify that the default policy of both the INPUT and FORWARD chains is DROP.
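The check above can be scripted. The helper below is an added example, not part of the benchmark text: it parses the `Chain <name> (policy <POLICY> ...)` header lines that `iptables -L -v -n` prints for each chain and reports which of INPUT and FORWARD are not set to DROP. The two listings embedded in it are constructed samples of a compliant and a non-compliant host; on a live system the listing comes from the command itself, as shown in the usage comment.

```shell
#!/bin/sh
# Added audit helper (not from the benchmark): evaluate the output of
# `iptables -L -v -n` against the default-deny requirement.

# chain_policy CHAIN LISTING -> prints the default policy word for CHAIN
chain_policy() {
    chain="$1"
    listing="$2"
    printf '%s\n' "$listing" | sed -n "s/^Chain ${chain} (policy \([A-Z]*\).*/\1/p"
}

# noncompliant_chains LISTING -> prints the names of INPUT/FORWARD chains
# whose policy is not DROP, space separated (empty when compliant)
noncompliant_chains() {
    listing="$1"
    out=""
    for chain in INPUT FORWARD; do
        if [ "$(chain_policy "$chain" "$listing")" != "DROP" ]; then
            out="${out:+$out }$chain"
        fi
    done
    printf '%s' "$out"
}

# default_deny_ok LISTING -> exit status 0 if INPUT and FORWARD are both DROP
default_deny_ok() {
    [ -z "$(noncompliant_chains "$1")" ]
}

# Constructed sample listings (hypothetical counters and rules).
COMPLIANT_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 3400  260K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5100 packets, 410K bytes)
 pkts bytes target     prot opt in     out     source               destination'

NONCOMPLIANT_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Usage on a live host (requires root):
#   default_deny_ok "$(iptables -L -v -n)" && echo PASS || echo "FAIL: $(noncompliant_chains "$(iptables -L -v -n)")"
```

Only the INPUT and FORWARD chains are evaluated, matching the recommendation; the OUTPUT chain is parsed but not judged, since the implementation plan leaves it at ACCEPT.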

Implementation Plan:

Using Linux command line:

1. Set default policies to DROP:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

2. Save the iptables rules to persist after reboot:

service iptables save  # or equivalent

3. Verify policies are set:

iptables -L -v -n
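Running `iptables -P INPUT DROP` on a chain that does not yet accept established connections cuts off the remote session issuing the command, which is the disruption the Impact section warns about. The script below is an added example, not part of the benchmark or of any distribution's tooling: it renders the DROP policies together with the rules that keep management access working (loopback, established connections, SSH) as one iptables-restore ruleset, so that policy and rules are loaded in a single atomic transaction. The SSH port, the rule list and the `APPLY` guard are assumptions for illustration; the loading step is only run when explicitly requested and needs root.

```shell
#!/bin/sh
# Added example (not from the benchmark): build and optionally load a
# default-deny ruleset in iptables-restore format.

# render_default_deny_ruleset [SSH_PORT] -> prints the ruleset text
# The rule list is an assumed minimal baseline; extend it for the services the host serves.
render_default_deny_ruleset() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is always accepted; loopback addresses arriving on other interfaces are spoofed
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
# Replies to connections this host initiated
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Management access (assumed SSH port ${ssh_port})
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# ruleset_policy RULESET CHAIN -> prints the policy declared for CHAIN
# in the ":CHAIN POLICY [packets:bytes]" header line
ruleset_policy() {
    printf '%s\n' "$1" | sed -n "s/^:$2 \([A-Z]*\) \[.*/\1/p"
}

# apply_ruleset RULESET -> parse-check with `iptables-restore --test`,
# then load into the kernel only if the check passes (root required)
apply_ruleset() {
    ruleset="$1"
    printf '%s\n' "$ruleset" | iptables-restore --test \
        && printf '%s\n' "$ruleset" | iptables-restore
}

# Top level: render for review; load only when APPLY=1 is set in the environment.
RULESET="$(render_default_deny_ruleset "${SSH_PORT:-22}")"
if [ "${APPLY:-0}" = "1" ]; then
    apply_ruleset "$RULESET"
else
    printf '%s\n' "$RULESET"
fi
```

After loading, `iptables -L -v -n` should show `policy DROP` on INPUT and FORWARD, and the ruleset still has to be persisted with the distribution's save mechanism (step 2 above) to survive a reboot.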

Backout Plan:

Using Linux command line:

1. Revert default policies to ACCEPT if necessary:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT

2. Save the rules and verify changes.

References: