Cleanest way to deal with loopback interface?

Taylor, Grant gtaylor at riverviewtech.net
Mon Apr 18 22:42:08 CEST 2005


> I tried to understand this attack but it was over my head.
> The message is simply that
> I should only allow loopback traffic whose source
> and destination addresses are 127.0.0.0/8 right??
> 
> e.g.
> 
> $IPTABLES -t filter -A INPUT  -i $LOOPBACK_INTERFACE
>               -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> $IPTABLES -t filter -A OUTPUT -o $LOOPBACK_INTERFACE
>               -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> 
> This is safe, right?

Yes, that is correct.  I might be tempted to add a couple of rules in your FILTER chain too.

$IPTABLES -t filter -A FORWARD -s 127.0.0.0/8 -j DROP
$IPTABLES -t filter -A FORWARD -d 127.0.0.0/8 -j DROP

This will catch any traffic that comes in on any interface, via the FORWARD chain rule without an interface binding, that would go out any other interface.  In other words, any traffic passing through your FORWARD chain should not be from or destined to any 127.0.0.0/8 IP address; this will trap and DROP any such traffic.



Grant. . . .
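To see which packets the rules in this thread actually catch, here is a small first-match simulator of them (an added example, not code from the post or from netfilter). It assumes the loopback interface is named lo and assumes chain policies, and it goes beyond the post by adding one anti-spoofing INPUT rule that drops 127.0.0.0/8 sources arriving on a non-loopback interface.

```python
import ipaddress

LO = "lo"                                   # assumed name behind $LOOPBACK_INTERFACE
NET_127 = ipaddress.ip_network("127.0.0.0/8")

# Rule tuple: (chain, in_iface, out_iface, src_net, dst_net, target).
# None matches anything; an interface prefixed with "!" means "any interface but".
RULES = [
    ("INPUT",   LO,       None, NET_127, NET_127, "ACCEPT"),  # from the post
    ("INPUT",   "!" + LO, None, NET_127, None,    "DROP"),    # anti-spoof, assumed
    ("OUTPUT",  None,     LO,   NET_127, NET_127, "ACCEPT"),  # from the post
    ("FORWARD", None,     None, NET_127, None,    "DROP"),    # from the reply
    ("FORWARD", None,     None, None,    NET_127, "DROP"),    # from the reply
]
# Chain policies are assumed so that the effect of each rule is visible.
POLICY = {"INPUT": "DROP", "OUTPUT": "DROP", "FORWARD": "ACCEPT"}

def _iface_match(want, have):
    if want is None:
        return True
    if want.startswith("!"):
        return have != want[1:]
    return have == want

def verdict(chain, in_iface, out_iface, src, dst):
    """First-match walk of one chain; falls through to the chain policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_chain, r_in, r_out, r_src, r_dst, target in RULES:
        if r_chain != chain:
            continue
        if not (_iface_match(r_in, in_iface) and _iface_match(r_out, out_iface)):
            continue
        if (r_src is not None and s not in r_src) or (r_dst is not None and d not in r_dst):
            continue
        return target
    return POLICY[chain]

if __name__ == "__main__":
    # Constructed sample packets: (chain, in_iface, out_iface, src, dst)
    samples = [
        ("INPUT",   "lo",   None,   "127.0.0.1",  "127.0.0.1"),    # local loopback traffic
        ("INPUT",   "eth0", None,   "127.0.0.1",  "192.0.2.10"),   # spoofed 127/8 from outside
        ("FORWARD", "eth0", "eth1", "127.0.0.5",  "198.51.100.2"), # 127/8 trying to transit
        ("FORWARD", "eth0", "eth1", "192.0.2.10", "198.51.100.2"), # ordinary forwarded packet
        ("INPUT",   "lo",   None,   "192.0.2.10", "192.0.2.10"),   # host talking to its own eth0 IP
    ]
    for pkt in samples:
        print(pkt, "->", verdict(*pkt))
```

The last sample shows a caveat worth knowing: Linux also delivers traffic addressed to the host's own non-loopback addresses over lo, so the post's ACCEPT rule alone does not cover it and a DROP policy on INPUT will need a separate rule for that case.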
