Profile Applicability:
 • Level 1

Description:
 The loopback interface (lo) handles internal IPv6 traffic within the local host. Configuring ip6tables to accept all traffic on the loopback interface ensures critical local communication is not blocked, maintaining system stability and proper functionality.

Rationale:
 Allowing loopback traffic prevents disruption of internal system processes and services that depend on local IPv6 communication.

Impact:
 Pros:

  • Ensures proper operation of local IPv6 services.

  • Prevents unnecessary firewall blocks on internal IPv6 traffic.

 Cons:

  • Misconfiguration is rare but could potentially expose local traffic if rules are overly permissive.

Default Value:
 Loopback traffic is often allowed by default but should be verified for IPv6 configurations.

Pre-requisites:

  • Root or sudo privileges to configure firewall rules.

Remediation:

Test Plan:

Using Linux command line:

1. List current ip6tables rules related to the loopback interface:

ip6tables -L INPUT -v -n | grep lo

2. Verify that rules exist to accept all traffic on the lo interface.

Implementation Plan:

Using Linux command line:

1. Add rules to accept loopback IPv6 traffic if missing:

ip6tables -A INPUT -i lo -j ACCEPT  
ip6tables -A OUTPUT -o lo -j ACCEPT

2. Save ip6tables rules to persist across reboots:

service ip6tables save  # or, on systems without this service, write ip6tables-save output to the rules file loaded at boot

3. Verify the rules are applied:

ip6tables -L INPUT -v -n | grep lo
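The grep check above matches any line containing "lo" and covers only the INPUT chain, and because step 1 appends with -A, the new rules can land after an existing catch-all DROP or REJECT and never be reached. The script below is an added example, not part of the original benchmark text: it audits `ip6tables -S` output for both chains and for rule order. The function names check_lo and report and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit loopback ACCEPT rules in `ip6tables -S` output.
# check_lo CHAIN FLAG reads the rule listing on stdin.
# Exit status: 0 = plain loopback ACCEPT rule is reachable
#              1 = no such rule in CHAIN
#              2 = a catch-all DROP/REJECT precedes it (appended too late)
check_lo() {
    awk -v chain="$1" -v flag="$2" '
        $1 != "-A" || $2 != chain { next }
        # Exactly "-A CHAIN FLAG lo -j ACCEPT": exact interface name, no extra matches.
        NF == 6 && $3 == flag && $4 == "lo" && $5 == "-j" && $6 == "ACCEPT" { found = 1; exit }
        # A rule with no match criteria that terminates every packet.
        $3 == "-j" && ($4 == "DROP" || $4 == "REJECT") { shadowed = 1; exit }
        END { if (found) exit 0; if (shadowed) exit 2; exit 1 }
    '
}

# Constructed sample: loopback rules placed ahead of everything else.
GOOD_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT'

# Constructed sample: INPUT rule appended after a catch-all REJECT;
# OUTPUT only has a rule for "wlo1", which a plain `grep lo` would match.
BAD_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o wlo1 -j ACCEPT'

report() {  # report LABEL RULES CHAIN FLAG
    rc=0
    printf '%s\n' "$2" | check_lo "$3" "$4" || rc=$?
    echo "$1 ruleset, $3 chain: exit $rc"
}
report good "$GOOD_RULES" INPUT -i
report good "$GOOD_RULES" OUTPUT -o
report bad "$BAD_RULES" INPUT -i
report bad "$BAD_RULES" OUTPUT -o

# On a live host (as root): ip6tables -S | check_lo INPUT -i
```

An exit status of 2 means the accept rule needs to be inserted ahead of the catch-all rule (ip6tables -I) rather than appended.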

Backout Plan:

Using Linux command line:

1. Remove loopback acceptance rules if necessary:

ip6tables -D INPUT -i lo -j ACCEPT  
ip6tables -D OUTPUT -o lo -j ACCEPT

2. Save ip6tables rules and verify removal.
