Cleanest way to deal with loopback interface?

Christian Seberino seberino at spawar.navy.mil
Mon Apr 18 22:09:05 CEST 2005


Grant

I tried to understand this attack but it was over my head.
The message is simply that
I should only allow loopback traffic whose source
and destination addresses are 127.0.0.0/8, right?

e.g.

$IPTABLES -t filter -A INPUT  -i $LOOPBACK_INTERFACE \
              -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o $LOOPBACK_INTERFACE \
              -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

This is safe, right?

chris


On Wed, 2005-04-13 at 18:09, Taylor Grant wrote:
> > allow traffic on the loopback interface unconditionally,  and allow the
> > linux routing code 'martian' checks to drop 127.0.0.0/8 packets received
> > 'on the wire' as it does by default.
> 
> I don't think this is such a good idea.  I could reconfigure my system such that its loopback interface was not in the 127.0.0.0/8 network and set a route to the 127.0.0.0/8 network to be via your IP on the LAN.  Assuming that your system and my system were on the same LAN and subnet and we could ping each other, I would be able to access your 127.0.0.1 address, as your kernel would forward traffic to the loopback network in your system.
> 
> 
> 
> Grant. . . .
> 
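Added example, not code from the post or from the netfilter project: a small first-match evaluator that runs the loopback rule sets discussed in this thread over a few constructed packets. It models only the filter table (first matching rule wins, chain policy DROP); the kernel's own martian check, which runs at the routing decision before INPUT and by default discards packets with a 127.0.0.0/8 source or destination arriving on a non-loopback interface, is not modeled. The interface names (lo, eth0), the LAN 192.168.1.0/24, the host address 192.168.1.10 and the sample packets are assumptions. Two things the verdicts show: the strict "both ends in 127/8" rules from the message above also drop the host's own traffic to its eth0 address, which Linux delivers over lo as well; and those lo rules do nothing about the packet described in the quoted reply, because it arrives on eth0, so at the filter level it is a rule keyed on the ingress interface (the `! -i lo` drops below) that stops it.

```python
# Added example, not from the mailing-list post: a first-match evaluator for
# the loopback rule sets discussed in the thread, run over constructed packets.
# Interface names, addresses and packets are assumptions for illustration.
from ipaddress import ip_address, ip_network

LAN_NET = "192.168.1.0/24"      # constructed LAN
HOST_LAN_IP = "192.168.1.10"    # constructed address of this host's eth0
POLICY = "DROP"                 # chain policy assumed for all three rule sets
LO = "127.0.0.0/8"


def rule(target, iface=None, not_iface=False, src=None, dst=None):
    """One iptables-style rule: iface is -i (INPUT) or -o (OUTPUT);
    not_iface=True models '! -i lo'; None means 'any'."""
    return {"target": target, "iface": iface, "not_iface": not_iface,
            "src": ip_network(src) if src else None,
            "dst": ip_network(dst) if dst else None}


def _matches(r, iface, src, dst):
    if r["iface"] is not None and (iface == r["iface"]) == r["not_iface"]:
        return False
    if r["src"] is not None and ip_address(src) not in r["src"]:
        return False
    if r["dst"] is not None and ip_address(dst) not in r["dst"]:
        return False
    return True


def verdict(chain, iface, src, dst):
    """First matching rule wins, as in iptables; otherwise the chain policy."""
    for r in chain:
        if _matches(r, iface, src, dst):
            return r["target"]
    return POLICY


LAN_IN = rule("ACCEPT", iface="eth0", src=LAN_NET)   # usual allow from LAN hosts
ETH_OUT = rule("ACCEPT", iface="eth0")

RULESETS = {
    # The rules proposed in the message above: lo only when both ends are 127/8.
    "strict_lo": {
        "INPUT": [rule("ACCEPT", iface="lo", src=LO, dst=LO), LAN_IN],
        "OUTPUT": [rule("ACCEPT", iface="lo", src=LO, dst=LO), ETH_OUT],
    },
    # lo accepted unconditionally, nothing else said about 127/8.
    "lo_any": {
        "INPUT": [rule("ACCEPT", iface="lo"), LAN_IN],
        "OUTPUT": [rule("ACCEPT", iface="lo"), ETH_OUT],
    },
    # lo accepted unconditionally, plus a filter-level copy of the kernel's
    # martian check: 127/8 as source or destination on any non-lo interface
    # is dropped before the LAN allow can match.
    "lo_any_martian": {
        "INPUT": [rule("DROP", iface="lo", not_iface=True, src=LO),
                  rule("DROP", iface="lo", not_iface=True, dst=LO),
                  rule("ACCEPT", iface="lo"), LAN_IN],
        "OUTPUT": [rule("ACCEPT", iface="lo"), ETH_OUT],
    },
}


def local_verdict(rules, src, dst):
    """Locally generated traffic to a local address traverses OUTPUT (-o lo)
    and then INPUT (-i lo); both must accept."""
    out = verdict(rules["OUTPUT"], "lo", src, dst)
    return out if out != "ACCEPT" else verdict(rules["INPUT"], "lo", src, dst)


def run_all():
    """Verdict of every rule set on four constructed packets."""
    results = {}
    for name, rules in RULESETS.items():
        results[name] = {
            # 127.0.0.1 talking to itself
            "lo_127_to_127": local_verdict(rules, "127.0.0.1", "127.0.0.1"),
            # the host connecting to its own eth0 address (Linux sends this over lo)
            "lo_host_to_host": local_verdict(rules, HOST_LAN_IP, HOST_LAN_IP),
            # a LAN host routing a packet for 127.0.0.1 via this host (quoted reply)
            "eth0_lan_to_127": verdict(rules["INPUT"], "eth0", "192.168.1.20", "127.0.0.1"),
            # a LAN packet with a spoofed loopback source address
            "eth0_127_to_host": verdict(rules["INPUT"], "eth0", "127.0.0.1", HOST_LAN_IP),
        }
    return results


if __name__ == "__main__":
    for name, res in run_all().items():
        print(name, res)
```

Run it as a script to print the table of verdicts. The "lo_any_martian" set is the filter-level equivalent of the kernel behaviour the earlier poster relied on; keeping an explicit copy in the INPUT chain means the protection does not silently disappear if someone later enables net.ipv4.conf.*.route_localnet on the box.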