--- - name: "3.4.4.2.1 | L1 | PATCH | Ensure ip6tables default deny firewall policy" block: - name: "3.4.4.2.1 | L1 | Ensure ip6tables default deny firewall policy | Configure ssh to be allowed" iptables: chain: INPUT protocol: tcp destination_port: "22" jump: ACCEPT ip_version: ipv6 - name: "3.4.4.2.1 | L1 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" iptables: policy: DROP chain: "{{ item }}" ip_version: ipv6 with_items: - INPUT - FORWARD - OUTPUT when: - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_4_2_1 - rhel9cis_ipv6_required tags: - level1-server - level1-workstation - patch - rule_3.4.4.2.1 - name: "3.4.4.2.2 | L1 | PATCH | Ensure ip6tables loopback traffic is configured" block: - name: "3.4.4.2.2 | L1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback ACCEPT" iptables: action: append chain: INPUT in_interface: lo jump: ACCEPT ip_version: ipv6 - name: "3.4.4.2.2 | L1 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT Loopback ACCEPT" iptables: action: append chain: OUTPUT out_interface: lo jump: ACCEPT ip_version: ipv6 - name: "3.4.4.2.2 | L1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback 127.0.0.0/8" iptables: action: append chain: INPUT source: ::1 jump: DROP ip_version: ipv6 when: - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_4_2_2 - rhel9cis_ipv6_required tags: - level1-server - level1-workstation - patch - rule_3.4.4.2.2 - name: "3.4.4.2.3 | L1 | PATCH | Ensure ip6tables outbound and established connections are configured" iptables: action: append chain: '{{ item.chain }}' protocol: '{{ item.protocol }}' match: state ctstate: '{{ item.ctstate }}' jump: ACCEPT ip_version: ipv6 with_items: - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - { chain: INPUT, protocol: tcp, ctstate: ESTABLISHED } - { chain: INPUT, protocol: udp, ctstate: ESTABLISHED } - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED } when: - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_4_2_3 - rhel9cis_ipv6_required tags: - level1-server - level1-workstation - patch - rule_3.4.4.2.3 - name: "3.4.4.2.4 | L1 | PATCH | Ensure ip6tables firewall rules exist for all open ports" block: - name: "3.4.4.2.4 | L1 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of TCP6 open ports" shell: netstat -ant |grep "tcp6.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' changed_when: false failed_when: false register: rhel9cis_3_4_4_2_4_otcp - name: "3.4.4.2.4 | L1 | PATCH |Ensure ip6tables firewall rules exist for all open ports| Adjust open tcp6 ports" iptables: action: append chain: INPUT protocol: tcp destination_port: "{{ item }}" match: state ctstate: NEW jump: ACCEPT ip_version: ipv6 with_items: - "{{ rhel9cis_3_4_4_2_4_otcp.stdout_lines }}" when: rhel9cis_3_4_4_2_4_otcp.stdout is defined when: - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_4_2_4 - rhel9cis_ipv6_required tags: - level1-server - level1-workstation - patch - rule_3.4.4.2.4 - name: "3.4.4.2.5 | L1 | PATCH | Ensure ip6tables service is enabled and active | Check if ip6tables is enabled" service: name: ip6tables enabled: yes state: started when: - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_4_2_5 tags: - level1-server - level1-workstation - patch - rule_3.4.4.2.5