Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces
An XCCDF Rule
Description
To set the runtime status of the net.ipv4.conf.all.forwarding
kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.forwarding = 0
Warning
There might be cases when certain applications can systematically override this option.
One such case is Libvirt, a toolkit for managing virtualization platforms.
By default, Libvirt requires IP forwarding to be enabled to facilitate
network communication between the virtualization host and guest
machines. It enables IP forwarding after every reboot.
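The description above distinguishes the running kernel value from the persistent setting, and the warning notes that another drop-in file can re-enable forwarding after a reboot. The following audit helper is an added example, not part of the SSG rule or its remediation: it compares the running value against every active assignment in the sysctl drop-in directories, so a conflicting file such as the Libvirt case is reported by name. The function names, the constructed demo files and the handling of '/' as a key separator are assumptions made for this example.

```shell
#!/bin/sh
# Added audit helper; it is not part of the SSG rule or its remediation.
# It reports the running value of a sysctl key and every active (uncommented)
# assignment of that key in sysctl drop-in files, so the two can be compared.
# Assumptions: the "key = value" / "key=value" line syntax of sysctl.d(5),
# with '/' accepted as a separator in place of '.'; comment lines start with
# '#' or ';'.

# Print "file:value" for every active assignment of key $1 found in the
# *.conf files under the directories given as the remaining arguments.
active_assignments() {
    key="$1"; shift
    for d in "$@"; do
        for f in "$d"/*.conf; do
            [ -f "$f" ] || continue      # unexpanded glob when the dir is empty
            awk -v k="$key" -v f="$f" '
                /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }  # comment or blank
                { line = $0; gsub(/[[:space:]]/, "", line); gsub(/\//, ".", line) }
                index(line, k "=") == 1 { print f ":" substr(line, length(k) + 2) }
            ' "$f"
        done
    done
}

# Succeed (exit 0) only when at least one active assignment of key $1 exists
# in the given directories and every one of them sets value $2. Assignments
# with another value are printed, one per line, so the offending file is known.
persistent_value_ok() {
    key="$1"; want="$2"; shift 2
    active_assignments "$key" "$@" | {
        found=0; bad=0
        while IFS= read -r entry; do
            found=1
            [ "${entry##*:}" = "$want" ] || { echo "$entry"; bad=1; }
        done
        [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
    }
}

# Succeed when the running kernel value of key $1 equals $2. Reads /proc/sys
# directly, so it works without the sysctl binary and inside a container
# where the key may simply be absent.
runtime_value_ok() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] && [ "$(cat "$path")" = "$2" ]
}

# Stand-alone demonstration on a constructed drop-in directory: one file sets
# the compliant value, a later one (modelled on the Libvirt case described
# above) re-enables forwarding. Both assignments are active, so the audit fails
# and names the second file.
demo_dir=$(mktemp -d)
printf '%s\n' '# net.ipv4.conf.all.forwarding = 1  (commented out, ignored)' \
    'net.ipv4.conf.all.forwarding = 0' > "$demo_dir/10-hardening.conf"
printf '%s\n' 'net/ipv4/conf/all/forwarding=1' > "$demo_dir/99-virt.conf"
if persistent_value_ok net.ipv4.conf.all.forwarding 0 "$demo_dir"; then
    echo "persistent configuration is compliant"
else
    echo "persistent configuration is NOT compliant (offending entries listed above)"
fi
if runtime_value_ok net.ipv4.conf.all.forwarding 0; then
    echo "running kernel value is 0"
else
    echo "running kernel value is not 0 (or the key is not readable here)"
fi
rm -rf "$demo_dir"
```

Run it as root or not; the persistent check needs only read access to the drop-in directories, and the runtime check only reads /proc/sys. Pass the real directories (/etc/sysctl.d /run/sysctl.d /usr/local/lib/sysctl.d) in place of the constructed one to audit a host.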
Rationale
IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.
- ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding
- Severity: Medium
- References:
- Updated:
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
  # Comment out any occurrences of net.ipv4.conf.all.forwarding from /etc/sysctl.d/*.conf files
  for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
    [ -e "$f" ] && sed -i 's/^[[:space:]]*net\.ipv4\.conf\.all\.forwarding\b/# &/' "$f"
  done
  sysctl -w net.ipv4.conf.all.forwarding=0
fi
Remediation - Ansible
- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
      - /etc/sysctl.d/
      - /run/sysctl.d/
      - /usr/local/lib/sysctl.d/
    patterns: '*.conf'
  register: find_sysctl_d   # result name for the following tasks; assumed, only this task is shown on the page