{"description": "A host-based firewall called <tt>netfilter</tt> is included as\npart of the Linux kernel distributed with the system. It is\nactivated by default. This firewall is controlled by the program\n<tt>iptables</tt>, and the entire capability is frequently referred to by\nthis name. An analogous program called <tt>ip6tables</tt> handles filtering\nfor IPv6.\n<br /><br />\nUnlike TCP Wrappers, which depends on the network server\nprogram to support and respect the rules written, <tt>netfilter</tt>\nfiltering occurs at the kernel level, before a program can even\nprocess the data from the network packet. As such, any program on\nthe system is affected by the rules written.\n<br /><br />\nThis section provides basic information about strengthening\nthe <tt>iptables</tt> and <tt>ip6tables</tt> configurations included with the system.\nFor more complete information that may allow the construction of a\nsophisticated ruleset tailored to your environment, please consult\nthe references at the end of this section.", "warnings": [], "requires": [], "conflicts": [], "values": {}, "groups": ["iptables_activation", "iptables_ruleset_modifications"], "rules": ["directory_groupowner_etc_iptables", "directory_owner_etc_iptables", "directory_permissions_etc_iptables", "ensure_iptables_are_flushed", "package_iptables-nft_installed", "package_iptables-persistent_installed", "package_iptables-persistent_removed", "package_iptables-services_installed", "package_iptables-services_removed", "package_iptables_installed"], "platform": "", "platforms": [], "inherited_platforms": [], "cpe_platform_names": [], "title": "iptables and ip6tables", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-iptables/group.yml"}