Enable secure networking defaults in sysctl.conf

Bug #1676540 reported by John Moser
Affects: procps (Ubuntu); Status: New; Importance: Undecided; Assigned to: Unassigned

Bug Description

A Nexpose scan of Ubuntu 16.04 lists a number of insecure configurations, including ICMP redirection, source routing, and forwarding. Inspection shows that net.ipv4.conf.default enables these things.

RHEL 6 documentation suggests shutting down source routing, forwarding, and ICMP redirects of any kind, as per the below:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Server_Security-Disable-Source-Routing.html

Adjusting these settings can have detrimental effects on a live system. For example: disabling forwarding over the docker0 interface breaks Docker. As a sane default, I recommend loading default settings during system boot, which will create network interfaces with those settings and allow later processes to enable these features as-needed.

I recommend the following settings in /etc/sysctl.d/10-network-security.conf:

# Disable forwarding by default
# This disables mc_forwarding as well; writing to mc_forwarding causes an error
net.ipv4.conf.default.forwarding=0
net.ipv6.conf.default.forwarding=0

# Do not accept ICMP redirects (prevent MITM attacks)
# This removes the secure_redirects sysctl
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.default.send_redirects = 0
net.ipv6.conf.default.send_redirects = 0

# Do not accept IP source route packets (we are not a router)
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

Take note: Setting net.ipv4.conf.default.forwarding=0 here somehow doesn't have any effect; the other settings do. Uncertain if related to bug #84537. Restarting procps does set net.ipv4.conf.default.forwarding=0 correctly.

/etc/ufw/sysctl.conf settings override these.
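A small audit helper, added here as an example (not part of the bug report), that checks `sysctl -a` style output for the eight keys listed above and reports any that are missing or not set to 0. The function name `audit_sysctl` and the sample input in the comments are assumptions; pipe in the live output with `sysctl -a 2>/dev/null | audit_sysctl` to check a real host.

```sh
#!/bin/sh
# Keys the report recommends pinning to 0 in /etc/sysctl.d/10-network-security.conf.
# These are the "default" values inherited by interfaces created later (e.g. docker0);
# interfaces that already exist keep their own per-interface/"all" values.
RECOMMENDED_ZERO="net.ipv4.conf.default.forwarding net.ipv6.conf.default.forwarding \
net.ipv4.conf.default.accept_redirects net.ipv6.conf.default.accept_redirects \
net.ipv4.conf.default.send_redirects net.ipv6.conf.default.send_redirects \
net.ipv4.conf.default.accept_source_route net.ipv6.conf.default.accept_source_route"

# audit_sysctl: reads "key = value" lines on stdin (as printed by `sysctl -a` or
# read from a sysctl.d file), prints one line per deviation, exits 1 if any.
# A key the kernel does not expose is reported as "missing" rather than ignored.
audit_sysctl() {
  awk -v want="$RECOMMENDED_ZERO" '
    BEGIN { n = split(want, keys, " "); for (i = 1; i <= n; i++) need[keys[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    {
      gsub(/[ \t]/, "")                         # "key = value" -> "key=value"
      split($0, kv, "=")
      if (kv[1] in need) seen[kv[1]] = kv[2]    # later lines override earlier ones
    }
    END {
      bad = 0
      for (k in need) {
        if (!(k in seen))      { print k " missing"; bad++ }
        else if (seen[k] != "0") { print k " current=" seen[k] " expected=0"; bad++ }
      }
      exit (bad ? 1 : 0)
    }'
}

# Run against the live kernel only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--live" ]; then
  sysctl -a 2>/dev/null | audit_sysctl
fi
```

Because the report notes that /etc/ufw/sysctl.conf and Docker can override these defaults, run it against `sysctl -a` output after boot rather than against the config file alone.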

John Moser (nigelenki) wrote:

It's Docker. Docker sets net.ipv4.conf.default.forwarding=1 when it starts the first time, then creates docker0. If you restart docker, it doesn't set this default.

That warrants another bug.
