Cleanest way to deal with loopback interface?

Alexander Samad alex at samad.com.au
Wed Apr 13 23:00:49 CEST 2005


On Wed, Apr 13, 2005 at 01:50:50PM -0700, Christian Seberino wrote:
> I want first rules that packets encounter to be my DROP_CHAIN
> that weeds out suspicious packets including packets addressed
> to and from 127.0.0.1 (loopback):
> 
> # -------------------------------------------------------------
> $IPTABLES -t filter -P INPUT   DROP
> $IPTABLES -t filter -P OUTPUT  DROP
> $IPTABLES -t filter -P FORWARD DROP
>  
> $IPTABLES -t filter -A INPUT   -j DROP_CHAIN
> $IPTABLES -t filter -A OUTPUT  -j DROP_CHAIN
> $IPTABLES -t filter -A FORWARD -j DROP_CHAIN
>   
> $IPTABLES -t filter -A INPUT  -i $LOOPBACK_INTERFACE -j ACCEPT
> $IPTABLES -t filter -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
> # ------------------------------------------------------------
> 
> How can I make DROP_CHAIN drop bogus 127.0.0.1 addressed packets
> but still allow **legitimate** loopback traffic?

$IPTABLES -t filter -A INPUT -s 127.0.0.0/8 -i ! lo+ -j DROP_CHAIN

I am presuming that a legitimate 127/8 address will only originate from
a lo interface

> 
> Chris
> 
> 
> 
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : /pipermail/netfilter/attachments/20050414/86d6c67a/attachment.bin


More information about the netfilter mailing list