Profile Applicability:
• Level 1
Description:
By default, ip6tables rules exist only in memory and are lost after a system reboot. Ensuring that ip6tables rules are saved and restored on boot maintains firewall policies consistently and protects the system from unauthorized IPv6 network traffic.
Rationale:
Saving ip6tables rules prevents accidental removal of firewall configurations after reboot, ensuring continuous enforcement of security policies.
Impact:
Pros:
Maintains firewall rule consistency across system reboots.
Enhances system security by avoiding unprotected states.
Cons:
Requires proper rule management and backups.
Default Value:
ip6tables rules are not saved permanently by default unless explicitly configured.
Pre-requisites:
Root or sudo privileges to manage firewall rules and system services.
Remediation:
Test Plan:
Using Linux command line:
1. Check whether ip6tables rules are saved in a configuration file, commonly /etc/sysconfig/ip6tables or /etc/iptables/rules.v6:
cat /etc/sysconfig/ip6tables
cat /etc/iptables/rules.v6
2. Confirm that the saved rules file exists and contains the expected rules.
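The two Test Plan steps as an added audit helper (example code, not part of the benchmark): it looks for a persisted rules file in the two locations named above and checks that the file is a complete ip6tables-save dump (a *filter table closed by COMMIT, with a policy for each built-in chain) rather than an empty or truncated one. The IP6_RULES_CANDIDATES variable is an assumption introduced here so the paths can be overridden when testing.

```shell
# Added example: audit helper for the ip6tables "rules saved on boot" check.
# Candidate file locations from the Test Plan; overridable for testing.
IP6_RULES_CANDIDATES="${IP6_RULES_CANDIDATES:-/etc/sysconfig/ip6tables /etc/iptables/rules.v6}"

# Print the first candidate rules file that exists; return 1 if none does.
find_ip6_rules_file() {
    for f in $IP6_RULES_CANDIDATES; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Validate an ip6tables-save dump: return 0 when the file is non-empty, has a
# *filter table terminated by COMMIT, and declares a policy for INPUT,
# FORWARD and OUTPUT; return 1 (with a FAIL message) otherwise.
check_ip6_rules_file() {
    f="$1"
    [ -s "$f" ] || { echo "FAIL: $f missing or empty"; return 1; }
    grep -q '^\*filter' "$f" || { echo "FAIL: no *filter table in $f"; return 1; }
    grep -q '^COMMIT' "$f" || { echo "FAIL: $f is truncated (no COMMIT line)"; return 1; }
    for chain in INPUT FORWARD OUTPUT; do
        # Lines such as ":INPUT DROP [0:0]" carry the built-in chain policy.
        policy=$(sed -n "s/^:$chain \([A-Z]*\).*/\1/p" "$f" | head -n 1)
        [ -n "$policy" ] || { echo "FAIL: no policy line for $chain in $f"; return 1; }
        echo "$f: $chain policy $policy"
    done
    return 0
}

# Combined check: locate the saved rules file and validate it.
audit_ip6_rules() {
    f=$(find_ip6_rules_file) || { echo "FAIL: no saved ip6tables rules file found"; return 1; }
    check_ip6_rules_file "$f"
}
```

A non-zero exit from audit_ip6_rules means the rules would not be restored at boot and the Implementation Plan below should be applied.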
Implementation Plan:
Using Linux command line:
1. Save the current ip6tables rules to the configuration file.
On RPM-based systems:
service ip6tables save
2. Enable and start the ip6tables service so the saved rules are restored on boot:
systemctl enable ip6tables
systemctl start ip6tables
3. Verify the service is enabled and running:
systemctl status ip6tables
Backout Plan:
Using Linux command line:
1. Disable and stop the ip6tables service if necessary:
systemctl disable ip6tables
systemctl stop ip6tables
2. Back up or remove the saved rules files if needed.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
ip6tables Documentation
Systemd Service Management