On Wed, Apr 13, 2005 at 01:50:50PM -0700, Christian Seberino wrote: > I want first rules that packets encounter to be my DROP_CHAIN > that weeds out suspicious packets including packets addressed > to and from 127.0.0.1 (loopback): > > # ------------------------------------------------------------- > $IPTABLES -t filter -P INPUT DROP > $IPTABLES -t filter -P OUTPUT DROP > $IPTABLES -t filter -P FORWARD DROP > > $IPTABLES -t filter -A INPUT -j DROP_CHAIN > $IPTABLES -t filter -A OUTPUT -j DROP_CHAIN > $IPTABLES -t filter -A FORWARD -j DROP_CHAIN > > $IPTABLES -t filter -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT > $IPTABLES -t filter -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT > # ------------------------------------------------------------ > > How can I make DROP_CHAIN drop bogus 127.0.0.1 addressed packets > but still allow **legitimate** loopback traffic? $IPTABLES -t filter -A INPUT -s 127.0.0.0/8 -i ! lo+ -j DROP_CHAIN I am presuming that a legitimate 127/8 address will only originate from a lo interface > > Chris > > > >
Attachment:
signature.asc
Description: Digital signature