Cleanest way to deal with loopback interface?

Jason Opperisano opie at 817west.com
Wed Apr 13 23:13:49 CEST 2005


On Wed, Apr 13, 2005 at 01:50:50PM -0700, Christian Seberino wrote:
> I want first rules that packets encounter to be my DROP_CHAIN
> that weeds out suspicious packets including packets addressed
> to and from 127.0.0.1 (loopback):
> 
> # -------------------------------------------------------------
> $IPTABLES -t filter -P INPUT   DROP
> $IPTABLES -t filter -P OUTPUT  DROP
> $IPTABLES -t filter -P FORWARD DROP
>  
> $IPTABLES -t filter -A INPUT   -j DROP_CHAIN
> $IPTABLES -t filter -A OUTPUT  -j DROP_CHAIN
> $IPTABLES -t filter -A FORWARD -j DROP_CHAIN
>   
> $IPTABLES -t filter -A INPUT  -i $LOOPBACK_INTERFACE -j ACCEPT
> $IPTABLES -t filter -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
> # ------------------------------------------------------------
> 
> How can I make DROP_CHAIN drop bogus 127.0.0.1 addressed packets
> but still allow **legitimate** loopback traffic?

Allow traffic on the loopback interface unconditionally, and allow the
Linux routing code's 'martian' checks to drop 127.0.0.0/8 packets received
'on the wire', as it does by default.

-j

--
"Auctioneer: Our first item is a pair of panties confiscated from
 a prostitute.
 Quagmire: Fifty bucks.
 Auctioneer: She had nine STDs.
 Quagmire: Forty-five bucks.
 Auctioneer: And when we caught her she wet herself.
 Quagmire: Fifty bucks."
        --Family Guy
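The ordering Jason describes, written out as an added example (this is not code from the original thread): loopback is accepted before anything else, and the spoof-filtering chain only ever sees non-loopback traffic, so a 127.0.0.0/8 source or destination reaching it is forged or leaked and can be dropped outright. The kernel already discards such packets as martians; the sysctl shown here only makes those drops visible in the kernel log. The chain name DROP_CHAIN, the variable names, and the dry-run default (IPTABLES and SYSCTL expand to `echo ...` unless set, so the script can be read or tested without root) are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Defaults to a dry run: the
# commands are printed instead of executed. Set IPTABLES=/sbin/iptables and
# SYSCTL=/sbin/sysctl to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"
LOOPBACK_INTERFACE="${LOOPBACK_INTERFACE:-lo}"

# Emit the filter table. $IPTABLES is deliberately unquoted so the dry-run
# value "echo iptables" splits into a command and its first argument.
build_rules() {
    # Default-deny on every chain.
    $IPTABLES -t filter -P INPUT DROP
    $IPTABLES -t filter -P OUTPUT DROP
    $IPTABLES -t filter -P FORWARD DROP

    # Loopback first and unconditionally. The kernel only delivers 127/8 to
    # lo (anything else is a martian and never reaches netfilter INPUT), so
    # there is no "bogus" loopback traffic left to inspect here.
    $IPTABLES -t filter -A INPUT -i "$LOOPBACK_INTERFACE" -j ACCEPT
    $IPTABLES -t filter -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT

    # Spoof filter. Because the loopback ACCEPTs precede the jump, every
    # packet entering this chain came from or is headed to a real interface,
    # and a 127/8 address on it is forged or leaked: drop it.
    $IPTABLES -t filter -N DROP_CHAIN
    $IPTABLES -t filter -A DROP_CHAIN -s 127.0.0.0/8 -j DROP
    $IPTABLES -t filter -A DROP_CHAIN -d 127.0.0.0/8 -j DROP
    $IPTABLES -t filter -A DROP_CHAIN -j RETURN

    # Hook the spoof filter in after the loopback rules, not before them.
    $IPTABLES -t filter -A INPUT -j DROP_CHAIN
    $IPTABLES -t filter -A OUTPUT -j DROP_CHAIN
    $IPTABLES -t filter -A FORWARD -j DROP_CHAIN
}

# Make the kernel's own martian drops observable: packets with a 127/8
# source or destination arriving on a non-loopback interface are already
# refused by the routing code; with log_martians=1 each one is logged.
enable_martian_logging() {
    $SYSCTL -w net.ipv4.conf.all.log_martians=1
    $SYSCTL -w net.ipv4.conf.default.log_martians=1
}

build_rules
enable_martian_logging
```

If the site insists on DROP_CHAIN being the very first rule, the equivalent fix is to start that chain with `-i lo -j RETURN` so loopback is exempted before the 127/8 checks; the example above keeps the simpler order instead. After enabling logging, `dmesg | grep -i martian` shows whether anything on the wire is actually carrying loopback addresses, which is the evidence to look at before adding more rules.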