CoursesLinux hardeningNetwork hardening

Network kernel hardening (sysctl)

No forwarding, no redirects, sane defaults.

Intermediate12 min · lesson 7 of 16

The Linux kernel’s network stack has many tunable parameters, and its defaults favor compatibility over security. sysctl is how you change them, and a handful of network settings meaningfully reduce a host’s attack surface. The headline one: on any machine that is not deliberately a router, turn off IP forwarding, so a compromised host cannot be turned into a gateway to pivot traffic deeper into your network.

/etc/sysctl.d/90-network-hardening.conf
# not a router — do not forward or reroute traffic
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# ignore ICMP redirects (an attacker can use them to reroute your traffic)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# reject source-routed packets (a spoofing/bypass technique)
net.ipv4.conf.all.accept_source_route = 0
# enable reverse-path filtering (drop spoofed source addresses)
net.ipv4.conf.all.rp_filter = 1

SYN flood resistance and martians

A few more settings blunt common network attacks. SYN cookies let the host keep answering legitimate connections during a SYN-flood denial-of-service attempt. Logging "martian" packets — ones with impossible source addresses — surfaces spoofing attempts in your logs. And ignoring broadcast ICMP stops your host being used as an amplifier in a reflection attack against someone else. None of these are exotic; they are the settings a CIS benchmark checks for exactly because their absence is common and exploitable.

/etc/sysctl.d/90-network-hardening.conf
net.ipv4.tcp_syncookies = 1 # survive SYN floods
net.ipv4.conf.all.log_martians = 1 # log impossible-source packets
net.ipv4.icmp_echo_ignore_broadcasts = 1 # do not be a reflection amplifier

Apply and verify

sysctl settings placed in /etc/sysctl.d/ persist across reboots; sysctl --system reloads them all now, and sysctl <key> reads back the current value so you can confirm it took. The discipline is the same as everywhere in hardening: change the setting, verify it is actually in effect, and record why — because a hardening config you cannot verify is a hardening config you cannot trust.

terminal
$ sudo sysctl --system # apply everything in /etc/sysctl.d/
$ sysctl net.ipv4.ip_forward # verify one setting
net.ipv4.ip_forward = 0
IP forwarding on a compromised host is a gateway
A non-router host with net.ipv4.ip_forward=1 (often left on because Docker or a VPN enabled it) becomes, if compromised, an instant router the attacker can use to reach systems that were supposed to be unreachable from it. Set it to 0 wherever routing is not the host’s job — and if a container runtime needs forwarding, understand that dependency rather than leaving it globally on by accident.