Cleanest way to deal with loopback interface?
Alexander Samad
alex at samad.com.au
Wed Apr 13 23:00:49 CEST 2005
On Wed, Apr 13, 2005 at 01:50:50PM -0700, Christian Seberino wrote:
> I want first rules that packets encounter to be my DROP_CHAIN
> that weeds out suspicious packets including packets addressed
> to and from 127.0.0.1 (loopback):
>
> # -------------------------------------------------------------
> $IPTABLES -t filter -P INPUT DROP
> $IPTABLES -t filter -P OUTPUT DROP
> $IPTABLES -t filter -P FORWARD DROP
>
> $IPTABLES -t filter -A INPUT -j DROP_CHAIN
> $IPTABLES -t filter -A OUTPUT -j DROP_CHAIN
> $IPTABLES -t filter -A FORWARD -j DROP_CHAIN
>
> $IPTABLES -t filter -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
> $IPTABLES -t filter -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
> # ------------------------------------------------------------
>
> How can I make DROP_CHAIN drop bogus 127.0.0.1 addressed packets
> but still allow **legitimate** loopback traffic?
$IPTABLES -t filter -A INPUT -s 127.0.0.0/8 -i ! lo+ -j DROP_CHAIN
I am presuming that a legitimate 127/8 address will only originate from
a lo interface
>
> Chris
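To see why the interface qualifier matters, here is an added Python model of the INPUT chain, written for this page and not part of the thread or of netfilter itself. It walks a small rule table the way iptables does (first match wins, user chains fall through to the caller, the chain policy applies last) and compares the ruleset as posted with Alexander's qualified jump. Assumptions: DROP_CHAIN, whose contents the question does not show, is modelled as a single `-s 127.0.0.0/8 -j DROP` rule; the `lo+` suffix is treated as the netfilter prefix wildcard; only source-address and input-interface matches are modelled, and the OUTPUT chain is left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP as a string, e.g. "127.0.0.1"
    in_iface: str   # interface the packet arrived on, e.g. "lo" or "eth0"


@dataclass(frozen=True)
class Rule:
    target: str                     # "ACCEPT", "DROP", or a user chain name
    src: Optional[str] = None       # CIDR to match against the source, e.g. "127.0.0.0/8"
    in_iface: Optional[str] = None  # interface name; a trailing "+" is a prefix wildcard
    negate_iface: bool = False      # True models "-i ! lo+" (modern syntax: "! -i lo+")

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None:
            if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
                return False
        if self.in_iface is not None:
            hit = iface_matches(self.in_iface, pkt.in_iface)
            # With negation the rule matches only when the interface does NOT hit.
            if hit == self.negate_iface:
                return False
        return True


def iface_matches(pattern: str, name: str) -> bool:
    """netfilter interface match: 'lo+' matches any interface whose name starts with 'lo'."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def run_chain(chains: Dict[str, List[Rule]], name: str, pkt: Packet,
              policy: Optional[str] = "DROP") -> Optional[str]:
    """Walk chain `name` in order; the first terminal verdict wins.

    A user chain that is jumped into and falls through returns None, so the
    caller continues with its next rule. Built-in chains end in their policy.
    """
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        verdict = run_chain(chains, rule.target, pkt, policy=None)
        if verdict is not None:
            return verdict
    return policy


# Ruleset as posted in the question: every packet is sent through DROP_CHAIN
# before the "-i lo -j ACCEPT" rule is reached. (DROP_CHAIN body is an assumption.)
POSTED = {
    "INPUT": [Rule("DROP_CHAIN"),
              Rule("ACCEPT", in_iface="lo")],
    "DROP_CHAIN": [Rule("DROP", src="127.0.0.0/8")],
}

# Alexander's rule: only 127/8 sources arriving on a non-lo interface are sent
# to DROP_CHAIN, so genuine loopback traffic reaches the ACCEPT rule.
FIXED = {
    "INPUT": [Rule("DROP_CHAIN", src="127.0.0.0/8", in_iface="lo+", negate_iface=True),
              Rule("ACCEPT", in_iface="lo")],
    "DROP_CHAIN": [Rule("DROP", src="127.0.0.0/8")],
}


def verdict(ruleset: Dict[str, List[Rule]], src: str, in_iface: str) -> str:
    """Final INPUT verdict for a packet with the given source and input interface."""
    return run_chain(ruleset, "INPUT", Packet(src, in_iface))


if __name__ == "__main__":
    # Constructed sample packets: real loopback traffic, a spoofed 127/8 source
    # on the wire, and ordinary external traffic.
    for src, iface in [("127.0.0.1", "lo"), ("127.0.0.1", "eth0"),
                       ("127.44.1.1", "eth0"), ("10.0.0.5", "eth0")]:
        print(f"{src:>12} via {iface:<5} posted={verdict(POSTED, src, iface):<6} "
              f"fixed={verdict(FIXED, src, iface)}")
```

The model reproduces the failure in the original ordering: a packet from 127.0.0.1 on lo is dropped because it enters DROP_CHAIN before the loopback ACCEPT rule, while with the qualified jump it is accepted and the same source on eth0 is still dropped. In a real script the intrapositioned form `-i ! lo+` used in the reply is 2005-era syntax; current iptables expects the negation before the option, `! -i lo+`, and warns about the older form.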