Cleanest way to deal with loopback interface?

Christian Seberino seberino at spawar.navy.mil
Wed Apr 13 22:50:50 CEST 2005


I want the first rules that packets encounter to be my DROP_CHAIN,
which weeds out suspicious packets, including packets addressed
to and from 127.0.0.1 (loopback):

# -------------------------------------------------------------
# Default policies: anything not explicitly accepted is dropped.
$IPTABLES -t filter -P INPUT   DROP
$IPTABLES -t filter -P OUTPUT  DROP
$IPTABLES -t filter -P FORWARD DROP

# First rule in every built-in chain: hand the packet to DROP_CHAIN.
$IPTABLES -t filter -A INPUT   -j DROP_CHAIN
$IPTABLES -t filter -A OUTPUT  -j DROP_CHAIN
$IPTABLES -t filter -A FORWARD -j DROP_CHAIN

# Loopback traffic is accepted only after it has survived DROP_CHAIN.
$IPTABLES -t filter -A INPUT  -i $LOOPBACK_INTERFACE -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
# ------------------------------------------------------------

How can I make DROP_CHAIN drop bogus 127.0.0.1 addressed packets
but still allow **legitimate** loopback traffic?

Chris
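One way to build the DROP_CHAIN the question asks for, as an added example that is not part of the original post and not the netfilter project's own code. It reuses the poster's variable names IPTABLES and LOOPBACK_INTERFACE and the chain name DROP_CHAIN, and assumes DROP_CHAIN is created here (drop the `-N` if the rest of the script already creates it). The key point is the order of the rules: DROP_CHAIN is shared by INPUT, OUTPUT and FORWARD, and a packet traversing INPUT has no output interface while one traversing OUTPUT has no input interface, so genuine loopback traffic is identified with a separate `-i lo` and `-o lo` RETURN rule before any address check, and only 127/8 packets that are on a real interface ever reach the DROP rules. A second function models the chain's verdict in plain shell so the cases can be checked without touching a kernel; DRY_RUN=1 (the default) prints the iptables commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original post or from netfilter itself).
# Assumed names: IPTABLES, LOOPBACK_INTERFACE and DROP_CHAIN from the post.
# DRY_RUN=1 (default) echoes the commands so the script runs offline.

IPTABLES="${IPTABLES:-iptables}"
LOOPBACK_INTERFACE="${LOOPBACK_INTERFACE:-lo}"
DRY_RUN="${DRY_RUN:-1}"

# Run (or, in dry-run mode, print) one iptables command.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# DROP_CHAIN is jumped to from INPUT, OUTPUT and FORWARD. Real loopback
# traffic RETURNs to the calling chain immediately (where the poster's
# "-i lo -j ACCEPT" / "-o lo -j ACCEPT" rules then accept it); everything
# else is checked for spoofed 127/8 addresses.
build_drop_chain() {
    ipt -t filter -N DROP_CHAIN
    # INPUT traversal: the packet arrived on lo.
    ipt -t filter -A DROP_CHAIN -i "$LOOPBACK_INTERFACE" -j RETURN
    # OUTPUT traversal: the packet is leaving via lo.
    ipt -t filter -A DROP_CHAIN -o "$LOOPBACK_INTERFACE" -j RETURN
    # Only packets that are NOT on lo get here; a loopback address on a
    # real interface (or in FORWARD) is bogus in either direction.
    ipt -t filter -A DROP_CHAIN -s 127.0.0.0/8 -j DROP
    ipt -t filter -A DROP_CHAIN -d 127.0.0.0/8 -j DROP
    # ... further "suspicious packet" rules follow here ...
}

# Pure-shell model of the chain above, in the same rule order.
# Arguments: in-interface, out-interface, source, destination. Pass "" for
# the interface that does not exist in that direction (no out-interface on
# INPUT, no in-interface on OUTPUT). Prints RETURN or DROP.
drop_chain_verdict() {
    indev=$1 outdev=$2 src=$3 dst=$4
    [ "$indev" = "$LOOPBACK_INTERFACE" ] && { echo RETURN; return; }
    [ "$outdev" = "$LOOPBACK_INTERFACE" ] && { echo RETURN; return; }
    case $src in 127.*) echo DROP; return;; esac
    case $dst in 127.*) echo DROP; return;; esac
    echo RETURN
}

# Stand-alone run: show the generated rules, then the verdict for each case.
build_drop_chain
echo "loopback in  : $(drop_chain_verdict lo ''   127.0.0.1 127.0.0.1)"
echo "loopback out : $(drop_chain_verdict '' lo   127.0.0.1 127.0.0.1)"
echo "spoofed in   : $(drop_chain_verdict eth0 '' 127.0.0.1 10.0.0.5)"
echo "bogus out    : $(drop_chain_verdict '' eth0 10.0.0.5 127.0.0.1)"
echo "forwarded    : $(drop_chain_verdict eth0 eth1 127.0.0.1 10.0.0.5)"
echo "ordinary in  : $(drop_chain_verdict eth0 '' 10.0.0.9 10.0.0.5)"
```

The RETURN rules must come first: with a single `-s 127.0.0.0/8 -j DROP` at the top of the chain, the loopback packets the later ACCEPT rules are meant to keep would already be gone. Note also that putting `! -i lo` on the DROP rule would not work for a shared chain, because in OUTPUT the in-interface is empty and the negation matches every locally generated loopback packet. Linux already discards 127/8 source addresses arriving on a non-loopback interface as martians, so the INPUT half of this is belt and braces; the OUTPUT and FORWARD halves are what the firewall adds.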
More information about the netfilter mailing list