networking – Complying with CIS Firewall rule using iptables – Ensure firewall rules exist for all open ports


There is a CIS rule for open ports 3.6.5 Ensure firewall rules exist for all open ports, and I have been trying for two days to become compliant to this using iptables.

OS

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"
NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"

According to Rule Description,

Severity
High

Description
Description Any ports that have been opened on non-loopback addresses need firewall
rules to govern traffic. Rationale Without a firewall rule configured for open ports
default firewall policy will drop all packets to these ports.

Recommendation
For each port identified in the audit which does not have a firewall rule establish a
proper rule for accepting inbound connections: 
# iptables -A INPUT -p <protocol> --dport <port> -m state --state NEW -j ACCEPT

Basically there should be a firewall rule for each open port when I run netstat -ln.

First I tried their recommendation, but it locked me out of SSH.

Here is my netstat output,

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 127.0.0.53:53           0.0.0.0:*
udp        0      0 172.31.83.2:68          0.0.0.0:*

Based on the output, we are using following iptables rules,


iptables -F

# Inbound

iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -p udp --dport 68 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --sport 68 -m state --state ESTABLISHED -j ACCEPT


# Outgoing Traffic
iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED     -j ACCEPT

iptables -A OUTPUT -p tcp --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 67 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --dport 68 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 68 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -p icmp -m state --state ESTABLISHED,RELATED     -j ACCEPT

iptables -A OUTPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p udp --sport 123 -m state --state ESTABLISHED     -j ACCEPT

iptables -A OUTPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --sport 25 -m state --state ESTABLISHED     -j ACCEPT

# Log before dropping
iptables -A INPUT  -j LOG  -m limit --limit 12/min --log-level 4 --log-prefix 'IP INPUT drop: '
iptables -A INPUT  -j DROP

iptables -A OUTPUT -j LOG  -m limit --limit 12/min --log-level 4 --log-prefix 'IP OUTPUT drop: '
iptables -A OUTPUT -j DROP
echo "Set default policy to 'DROP'"
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP


However, when we execute these rules and re-run CIS, this rule continue to fail.
We are using AWS Inspector for CIS Rule scanning.

Can someone please assist me understanding where I am wrong?