Thomas Thanks for the reply. Jason at beginning of this thread surprised all of us by saying that Linux kernel drops 127.0.0.1 address from NICs already!?! No need to filter it out from Internet traffic! Agreed? Chris On Sun, 2005-04-17 at 17:04, Thomas Jones wrote: > On Sun, 2005-04-17 at 18:27, seberino@xxxxxxxxxxxxxxx wrote: > > How allow just legitimate loopback traffic then? > > > > Chris > > > > On Wed, Apr 13, 2005 at 08:09:46PM -0500, Taylor Grant wrote: > > > >allow traffic on the loopback interface unconditionally, and allow the > > > >linux routing code 'martian' checks to drop 127.0.0.0/8 packets received > > > >'on the wire' as it does by default. > > > > > > I don't think this is such a good idea. I could reconfigure my system such > > > that it's loop back interface was not in the 127.0.0.0/8 network and set a > > > route to the 127.0.0.0/8 network to be via your IP on the LAN. Assuming > > > that your system and my system were on the same LAN and subnet and we could > > > ping each other I would be able to access your 127.0.0.1 address as your > > > kernel would forward traffic to the loop back network in your system. > > > > > According to the TCP/IP specification this should not be an issue. > > The loopback traffic outgoing response traverses the machine stack only > as far as the network transport layer. Removing both the data link layer > and physical layer and their appropriate protocols from the path of the > data traffic. > > Thus, this effectively negates the chance that any reply communication > could be submitted to the OUTPUT queue. Of course, this is all in > theory. I've never tried this process myself. > > But, to answer your question Christian; the following rule will disallow > packets with a source address of the loopback network coming from the > internet side: > > iptables -A INPUT -i $INTERNET_INTERFACE -s $LOOPBACK -j DROP > > Where INTERNET_INTERFACE is usually "eth0". And LOOPBACK is the reserved > loopback range of "127.0.0.0/8". > > This entry should be placed along with other source address spoofing > scenarios in your ruleset. > > HTH. > Thomas Jones > >
