Enable Loopback confuse
rob0 at gmx.co.uk
Fri Aug 19 15:18:26 CEST 2005
On Friday 2005-August-19 05:41, nattapon viroonsri wrote:
> When I enable loopback I just use the 2 lines below and everything works
> fine:
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
Correct, unless earlier rules do something to prevent these rules from
> But I see many examples around that have also included this line
> below to enable loopback:
> iptables -A FORWARD -o lo -j ACCEPT ?
They are wrong. FORWARD rules are checked when *both* the source and
destination IPs are not local. Normal loopback traffic can never hit
the FORWARD chain.
> So can I omit this line?
> Or what kind of packet would match this rule?
Yes. None. It's possibly true that specially-crafted packets and silly
routing could be employed, but this is not a real-world situation.
filter table        IP address
built-in chains     source       destination
----------------    ---------    -----------
INPUT               n/a          local
OUTPUT              local        not local
FORWARD             not local    not local
Each packet is checked against the rules in only one of the built-in
chains, *except* loopback traffic, which hits OUTPUT going out, and
then INPUT coming in.
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
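A way to check rob0's claim on a live box rather than take it on faith, as an added example that is not part of the original thread: insert counting ACCEPT rules for the loopback interface at the top of INPUT, OUTPUT and FORWARD, ping 127.0.0.1, and read the per-rule packet counters back with `iptables -L -v -n -x`. Loopback packets are counted by the OUTPUT rule (going out) and the INPUT rule (coming in); the FORWARD rule's counter stays at zero. The sample listing embedded below is constructed to look like that command's output after three pings (three requests and three replies pass through OUTPUT and INPUT each); the function and variable names are this example's own. The live part needs root and iptables and only runs when RUN_LIVE=1 is set, so the script can be run anywhere to exercise the parser.

```shell
#!/bin/sh
# Added example (not from the original post): empirically check which filter
# chains loopback traffic traverses by reading per-rule packet counters.

# lo_rule_packets CHAIN LISTING
# Print the packet counter of the first rule in CHAIN whose in- or
# out-interface is "lo", parsed from `iptables -L -v -n -x` output.
# Columns in that output: pkts bytes target prot opt in out source destination.
# Prints "none" when CHAIN has no such rule.
lo_rule_packets() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        /^Chain / { cur = $2; next }
        cur == chain && ($6 == "lo" || $7 == "lo") { print $1; found = 1; exit }
        END { if (!found) print "none" }
    '
}

# forward_sees_loopback LISTING
# Succeed (exit 0) only if the FORWARD lo rule has counted any packets.
forward_sees_loopback() {
    n=$(lo_rule_packets FORWARD "$1")
    [ "$n" != none ] && [ "$n" -gt 0 ]
}

# Constructed sample output, as iptables would print it after the three
# counting rules were inserted and `ping -c 3 127.0.0.1` was run.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       6      504 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       6      504 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0'

# Live check: inserts the three rules at position 1 (so no earlier rule can
# swallow the traffic), pings loopback, prints the counters, removes the rules.
# New rules start with zero counters, so nothing else needs to be zeroed.
live_check() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
        echo "live check skipped (needs root and iptables)" >&2
        return 0
    fi
    iptables -I INPUT   1 -i lo -j ACCEPT
    iptables -I OUTPUT  1 -o lo -j ACCEPT
    iptables -I FORWARD 1 -o lo -j ACCEPT
    ping -c 3 127.0.0.1 >/dev/null 2>&1
    listing=$(iptables -L -v -n -x)
    echo "INPUT   lo rule packets: $(lo_rule_packets INPUT   "$listing")"
    echo "OUTPUT  lo rule packets: $(lo_rule_packets OUTPUT  "$listing")"
    echo "FORWARD lo rule packets: $(lo_rule_packets FORWARD "$listing")"
    # Delete exactly the rules inserted above.
    iptables -D INPUT   -i lo -j ACCEPT
    iptables -D OUTPUT  -o lo -j ACCEPT
    iptables -D FORWARD -o lo -j ACCEPT
}

# Stand-alone run: parse the constructed sample, then the live check if asked.
echo "sample INPUT   lo rule packets: $(lo_rule_packets INPUT   "$SAMPLE_LISTING")"
echo "sample OUTPUT  lo rule packets: $(lo_rule_packets OUTPUT  "$SAMPLE_LISTING")"
echo "sample FORWARD lo rule packets: $(lo_rule_packets FORWARD "$SAMPLE_LISTING")"
if forward_sees_loopback "$SAMPLE_LISTING"; then
    echo "FORWARD saw loopback traffic (unexpected)"
else
    echo "FORWARD saw no loopback traffic, as expected"
fi
[ "${RUN_LIVE-}" = 1 ] && live_check
```

Note that the live check temporarily changes the running firewall and sends real loopback traffic; run it on a test host, and if some other rule ahead of the inserted ones ever did match, the counters would tell you that too, which is exactly the "unless earlier rules do something" caveat in the reply above.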