Cleanest way to deal with loopback interface?

Thomas Jones admin at buddhalinux.com
Mon Apr 18 02:04:51 CEST 2005


On Sun, 2005-04-17 at 18:27, seberino at spawar.navy.mil wrote:
> How allow just legitimate loopback traffic then?
> 
> Chris
> 
> On Wed, Apr 13, 2005 at 08:09:46PM -0500, Taylor Grant wrote:
> > >allow traffic on the loopback interface unconditionally,  and allow the
> > >linux routing code 'martian' checks to drop 127.0.0.0/8 packets received
> > >'on the wire' as it does by default.
> >
> > I don't think this is such a good idea.  I could reconfigure my system such
> > that it's loop back interface was not in the 127.0.0.0/8 network and set a
> > route to the 127.0.0.0/8 network to be via your IP on the LAN.  Assuming
> > that your system and my system were on the same LAN and subnet and we could
> > ping each other I would be able to access your 127.0.0.1 address as your
> > kernel would forward traffic to the loop back network in your system.
> >

According to the TCP/IP specification this should not be an issue.

The outgoing loopback response traffic traverses the machine's stack only
as far as the network transport layer, removing both the data link layer
and the physical layer, and their respective protocols, from the path of
the data traffic.

Thus, this effectively negates the chance that any reply communication
could be submitted to the OUTPUT queue. Of course, this is all in
theory. I've never tried this process myself.

But, to answer your question, Christian: the following rule will disallow
packets with a source address of the loopback network coming from the
Internet side:

iptables -A INPUT -i $INTERNET_INTERFACE -s $LOOPBACK -j DROP

Where INTERNET_INTERFACE is usually "eth0". And LOOPBACK is the reserved
loopback range of "127.0.0.0/8".

This entry should be placed along with other source address spoofing
scenarios in your ruleset.
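As an added example (not part of the original post), here is one way to place that rule among the other source-spoofing checks, alongside the kernel "martian" checks mentioned earlier in the thread. The variable names INTERNET_INTERFACE and LOOPBACK follow the post; the DRY_RUN switch, the run helper and the function names are assumptions of this example. With DRY_RUN=1 (the default) the script only prints the commands it would run, so the ruleset can be reviewed before it is applied as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original post.
# Anti-spoofing rules built around the post's INPUT rule, plus the
# kernel's own martian/reverse-path checks as a second layer.
INTERNET_INTERFACE="${INTERNET_INTERFACE:-eth0}"   # name from the post
LOOPBACK="127.0.0.0/8"                             # reserved loopback range
DRY_RUN="${DRY_RUN:-1}"                            # 1 = print only (assumed knob)

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Kernel side: strict reverse-path filtering drops packets whose source
# address would not be routed back out the interface they arrived on,
# and log_martians records them so spoofing attempts show up in the logs.
enable_martian_checks() {
    run sysctl -w net.ipv4.conf.all.rp_filter=1
    run sysctl -w net.ipv4.conf.all.log_martians=1
}

# Netfilter side: trust the loopback interface itself, then drop the
# address ranges that must never arrive from the Internet-facing side.
antispoof_rules() {
    # Traffic on "lo" never left the host; accept it unconditionally.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT

    # The post's rule: a loopback source address on the Internet
    # interface can only be spoofed.
    run iptables -A INPUT -i "$INTERNET_INTERFACE" -s "$LOOPBACK" -j DROP

    # Same treatment for other ranges that have no business appearing as a
    # source address on the Internet side: RFC 1918 private space,
    # link-local, "this network" and multicast.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
               169.254.0.0/16 0.0.0.0/8 224.0.0.0/4; do
        run iptables -A INPUT -i "$INTERNET_INTERFACE" -s "$net" -j DROP
    done

    # Mirror image: never emit loopback-sourced packets onto the wire.
    run iptables -A OUTPUT -o "$INTERNET_INTERFACE" -s "$LOOPBACK" -j DROP
}

# Sanity check helper: how many rules reference the loopback range
# (expected: the INPUT drop and the OUTPUT drop, i.e. 2).
count_loopback_rules() {
    antispoof_rules | grep -c -- "-s $LOOPBACK"
}

enable_martian_checks
antispoof_rules
```

The loopback ACCEPT rules are listed first on purpose: iptables evaluates a chain top to bottom, and the DROP rules that follow are keyed to the Internet interface, so legitimate local traffic on "lo" is never caught by them. Run the script with DRY_RUN=1 and compare the printed rules against the rest of your ruleset before applying them.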

HTH.
Thomas Jones
