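---
# CIS RHEL 9 section 3.4.3.3 - ip6tables rules.
#
# Task order matters and mirrors the benchmark: loopback rules (3.4.3.3.1),
# outbound/established rules (3.4.3.3.2), per-port INPUT rules (3.4.3.3.3),
# then the default DROP policies (3.4.3.3.4), then persist and enable the
# service (3.4.3.3.5 / 3.4.3.3.6). Applying the DROP policies before the ACCEPT
# rules exist would cut the host off over IPv6, including the Ansible session.
#
# Every task is gated on rhel9cis_firewall == "iptables" plus its own
# rhel9cis_rule_* switch; all but 3.4.3.3.6 are also gated on
# rhel9cis_ipv6_required (variables are expected from the role defaults).

- name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured"
  block:
    - name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback ACCEPT"
      iptables:
        action: append
        chain: INPUT
        in_interface: lo
        jump: ACCEPT
        ip_version: ipv6

    - name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT Loopback ACCEPT"
      iptables:
        action: append
        chain: OUTPUT
        out_interface: lo
        jump: ACCEPT
        ip_version: ipv6

    # Traffic claiming a loopback source that did not arrive on lo is spoofed.
    # This rule relies on being appended after the lo ACCEPT rule above so
    # genuine loopback traffic is still accepted first.
    - name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback ::1"
      iptables:
        action: append
        chain: INPUT
        source: "::1"  # quoted: a plain scalar beginning with ':' is a YAML indicator
        jump: DROP
        ip_version: ipv6
  when:
    - rhel9cis_firewall == "iptables"
    - rhel9cis_rule_3_4_3_3_1
    - rhel9cis_ipv6_required
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - ip6tables
    - rule_3.4.3.3.1

# Outbound connections may be initiated for tcp/udp/icmp; inbound traffic is
# only accepted when it belongs to an established connection. These are the
# only rules that let traffic through once the OUTPUT policy becomes DROP.
# NOTE(review): in ip6tables, protocol name "icmp" resolves to IP protocol 1,
# not ICMPv6 ("ipv6-icmp", 58); with a DROP policy that may block neighbour
# discovery / path-MTU messages - confirm against the benchmark text before
# changing, since the audit may look for the literal "icmp".
- name: "3.4.3.3.2 | PATCH | Ensure ip6tables outbound and established connections are configured"
  iptables:
    action: append
    chain: '{{ item.chain }}'
    protocol: '{{ item.protocol }}'
    match: state
    ctstate: '{{ item.ctstate }}'
    jump: ACCEPT
    ip_version: ipv6
  with_items:
    - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }
    - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }
    - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }
    - { chain: INPUT, protocol: tcp, ctstate: ESTABLISHED }
    - { chain: INPUT, protocol: udp, ctstate: ESTABLISHED }
    - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED }
  when:
    - rhel9cis_firewall == "iptables"
    - rhel9cis_rule_3_4_3_3_2
    - rhel9cis_ipv6_required
  tags:
    - level1-server
    - level1-workstation
    - manual
    - patch
    - ip6tables
    - rule_3.4.3.3.2

- name: "3.4.3.3.3 | PATCH | Ensure ip6tables firewall rules exist for all open ports"
  block:
    # Enumerate listening TCP6 ports with ss (iproute2), which is present on a
    # default RHEL 9 install; netstat (net-tools) is not, and because this task
    # never fails a missing binary would silently yield an empty port list and
    # leave every service except SSH unreachable once the DROP policy lands.
    # -H drops the header so $4 is always the "Local Address:Port" column;
    # sed strips everything up to the last ':' leaving the bare port number.
    - name: "3.4.3.3.3 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of TCP6 open ports"
      shell: ss -H -6tln | awk '{ print $4 }' | sed 's/.*://'
      changed_when: false
      failed_when: false
      register: rhel9cis_3_4_3_3_3_otcp

    # Opens every discovered port to any IPv6 source, including sockets bound
    # only to ::1 - that matches the benchmark's remediation but is broader
    # than a service-specific allow list; review the resulting rule set.
    - name: "3.4.3.3.3 | PATCH |Ensure ip6tables firewall rules exist for all open ports| Adjust open tcp6 ports"
      iptables:
        action: append
        chain: INPUT
        protocol: tcp
        destination_port: "{{ item }}"
        match: state
        ctstate: NEW
        jump: ACCEPT
        ip_version: ipv6
      with_items:
        - "{{ rhel9cis_3_4_3_3_3_otcp.stdout_lines }}"
      when: rhel9cis_3_4_3_3_3_otcp.stdout is defined
  when:
    - rhel9cis_firewall == "iptables"
    - rhel9cis_rule_3_4_3_3_3
    - rhel9cis_ipv6_required
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - ip6tables
    - rule_3.4.3.3.3

- name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy"
  block:
    # Safety net so the DROP policy below cannot lock out SSH. TCP/22 is
    # hard-coded; if sshd listens on another port it must be among the ports
    # discovered in 3.4.3.3.3 or IPv6 access will be lost.
    - name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Configure ssh to be allowed"
      iptables:
        chain: INPUT
        protocol: tcp
        destination_port: "22"
        jump: ACCEPT
        ip_version: ipv6

    # Default deny on all three built-in chains. OUTPUT is included, so any
    # outbound traffic not covered by 3.4.3.3.2 (or lo) is dropped from here on.
    - name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items"
      iptables:
        policy: DROP
        chain: "{{ item }}"
        ip_version: ipv6
      with_items:
        - INPUT
        - FORWARD
        - OUTPUT
  when:
    - rhel9cis_firewall == "iptables"
    - rhel9cis_rule_3_4_3_3_4
    - rhel9cis_ipv6_required
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - ip6tables
    - rule_3.4.3.3.4

# Persist the running rule set so it survives a reboot; runs after 3.4.3.3.4 so
# the saved file contains the DROP policies, not only the ACCEPT rules.
- name: "3.4.3.3.5 | PATCH | Ensure ip6tables rules are saved"
  iptables_state:
    state: saved
    path: /etc/sysconfig/ip6tables
    ip_version: ipv6
  when:
    - rhel9cis_firewall == "iptables"
    - rhel9cis_ipv6_required
    - rhel9cis_rule_3_4_3_3_5
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - ip6tables
    - rule_3.4.3.3.5

# NOTE(review): unlike the other tasks in this section this one is not gated on
# rhel9cis_ipv6_required, so the ip6tables service is enabled even on hosts
# where IPv6 is not required - confirm that is intended.
- name: "3.4.3.3.6 | PATCH | Ensure ip6tables service is enabled and active"
  service:
    name: ip6tables
    enabled: true
    state: started
  when:
    - rhel9cis_firewall == "iptables"
    - rhel9cis_rule_3_4_3_3_6
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - ip6tables
    - rule_3.4.3.3.6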