Network kernel hardening (sysctl)
No forwarding, no redirects, sane defaults.
The Linux kernel’s network stack has many tunable parameters, and its defaults favor compatibility over security. sysctl is how you change them, and a handful of network settings meaningfully reduce a host’s attack surface. The headline one: on any machine that is not deliberately a router, turn off IP forwarding, so a compromised host cannot be turned into a gateway to pivot traffic deeper into your network.
# not a router — do not forward or reroute trafficnet.ipv4.ip_forward = 0net.ipv6.conf.all.forwarding = 0# ignore ICMP redirects (an attacker can use them to reroute your traffic)net.ipv4.conf.all.accept_redirects = 0net.ipv4.conf.all.send_redirects = 0# reject source-routed packets (a spoofing/bypass technique)net.ipv4.conf.all.accept_source_route = 0# enable reverse-path filtering (drop spoofed source addresses)net.ipv4.conf.all.rp_filter = 1
SYN flood resistance and martians
A few more settings blunt common network attacks. SYN cookies let the host keep answering legitimate connections during a SYN-flood denial-of-service attempt. Logging "martian" packets — ones with impossible source addresses — surfaces spoofing attempts in your logs. And ignoring broadcast ICMP stops your host being used as an amplifier in a reflection attack against someone else. None of these are exotic; they are the settings a CIS benchmark checks for exactly because their absence is common and exploitable.
net.ipv4.tcp_syncookies = 1 # survive SYN floodsnet.ipv4.conf.all.log_martians = 1 # log impossible-source packetsnet.ipv4.icmp_echo_ignore_broadcasts = 1 # do not be a reflection amplifier
Apply and verify
sysctl settings placed in /etc/sysctl.d/ persist across reboots; sysctl --system reloads them all now, and sysctl <key> reads back the current value so you can confirm it took. The discipline is the same as everywhere in hardening: change the setting, verify it is actually in effect, and record why — because a hardening config you cannot verify is a hardening config you cannot trust.
$ sudo sysctl --system # apply everything in /etc/sysctl.d/$ sysctl net.ipv4.ip_forward # verify one settingnet.ipv4.ip_forward = 0