Hardened iperf3 service

iperf3.service

# /lib/systemd/system/iperf3.service
[Unit]
Description=iperf3 server
Documentation=man:iperf3(1)
After=network.target auditd.service

[Service]
Type=simple
Restart=always
RestartSec=15
User=iperf3
ExecStart=/usr/bin/iperf3 --server --interval 0
SuccessExitStatus=1

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/iperf3.service.d/override.conf
[Service]
RemoveIPC=yes
CapabilityBoundingSet=
NoNewPrivileges=yes
DeviceAllow=
PrivateDevices=yes
PrivateUsers=yes
PrivateTmp=yes
ProcSubset=pid
ProtectClock=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectSystem=strict
ProtectProc=invisible
ProtectHome=yes
SystemCallFilter=@system-service
SystemCallFilter=~@resources
SystemCallFilter=~@privileged
SystemCallArchitectures=native
MemoryDenyWriteExecute=yes
RestrictSUIDSGID=yes
RestrictNamespaces=~ipc                  
ProtectHostname=yes
LockPersonality=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_INET AF_INET6
RestrictRealtime=yes
RestrictNamespaces=yes
UMask=0077