On Sun, 2005-04-17 at 18:27, seberino@xxxxxxxxxxxxxxx wrote:
> How allow just legitimate loopback traffic then?
>
> Chris
>
> On Wed, Apr 13, 2005 at 08:09:46PM -0500, Taylor Grant wrote:
> >
> > >allow traffic on the loopback interface unconditionally, and allow the
> > >linux routing code 'martian' checks to drop 127.0.0.0/8 packets received
> > >'on the wire' as it does by default.
> >
> > I don't think this is such a good idea. I could reconfigure my system such
> > that its loopback interface was not in the 127.0.0.0/8 network and set a
> > route to the 127.0.0.0/8 network to be via your IP on the LAN. Assuming
> > that your system and my system were on the same LAN and subnet and we could
> > ping each other, I would be able to access your 127.0.0.1 address as your
> > kernel would forward traffic to the loopback network in your system.

According to the TCP/IP specification this should not be an issue. The outgoing loopback response traverses the machine's stack only as far as the network transport layer, removing both the data link layer and the physical layer and their appropriate protocols from the path of the data traffic. Thus, this effectively negates the chance that any reply communication could be submitted to the OUTPUT queue.

Of course, this is all in theory. I've never tried this process myself.

But, to answer your question Christian: the following rule will disallow packets with a source address of the loopback network coming from the internet side:

    iptables -A INPUT -i $INTERNET_INTERFACE -s $LOOPBACK -j DROP

Where INTERNET_INTERFACE is usually "eth0", and LOOPBACK is the reserved loopback range of "127.0.0.0/8".

This entry should be placed along with other source address spoofing scenarios in your ruleset.

HTH.

Thomas Jones
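As an added example (not part of the thread above), the rule Thomas gives placed in the order an anti-spoofing fragment needs, plus a check of the kernel's reverse-path ("martian") filter that the quoted post relies on. INTERNET_INTERFACE and LOOPBACK are the variable names from the mail; IPT is an assumed helper variable that defaults to a dry run printing the iptables commands instead of applying them, so the script can be read without root.

```shell
#!/bin/sh
# Added example, not from the original mail. IPT defaults to "echo iptables"
# so running this prints the ruleset; set IPT=iptables (as root) to apply it.
INTERNET_INTERFACE="${INTERNET_INTERFACE:-eth0}"
LOOPBACK="127.0.0.0/8"
IPT="${IPT:-echo iptables}"

# Emit the loopback rules in the order they must appear: accept the lo
# interface first, then drop anything claiming 127/8 on the wire.
loopback_rules() {
    # Legitimate loopback traffic only ever arrives on the lo interface.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # A 127.0.0.0/8 source on the Internet interface is spoofed: drop it.
    $IPT -A INPUT -i "$INTERNET_INTERFACE" -s "$LOOPBACK" -j DROP
    # Do not let our own loopback addresses leak out onto the wire either.
    $IPT -A OUTPUT -o "$INTERNET_INTERFACE" -s "$LOOPBACK" -j DROP
}

# Report the reverse-path filter setting for one interface (e.g. "all" or
# "eth0"); prints "unavailable" where /proc/sys is not present.
rp_filter_state() {
    f="/proc/sys/net/ipv4/conf/$1/rp_filter"
    if [ -r "$f" ]; then cat "$f"; else echo unavailable; fi
}

# Count the rules the fragment emits, always in dry-run mode.
loopback_rule_count() {
    ( IPT="echo iptables"; loopback_rules ) | grep -c -- '-j'
}
```

Run as-is to review the four rules it would add; rp_filter_state all shows whether the kernel is already discarding martians.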