Christoph Anton Mitterer wrote:
>
> So the kernel basically sees when packets do not leave the box but are
> just "internal traffic" and uses lo for this?
>
> I assume this also applies for byte counters like RX/TX packets and
> they're accounted on lo?

Yes and yes.

>>> "incoming traffic (from remote):
>>> 99.99.99.99 --> 127.x.x.x => is that possible at all? how would
>>> the in=/out= be?
>> eth0, but the packet is discarded after PREROUTING by the input routing
>> decision which prohibits receiving a packet with a loopback address from
>> outside (a non loopback interface).
> Ah great,... so I don't have to manually drop such stuff... right?
>
> Are such packets dropped (like DROP) or are they rejected with error
> codes?

They are silently discarded, like DROP. Some of these packets are logged
when sysctl net.ipv4.conf.*.log_martians is enabled. Otherwise you can
log (and drop) them with iptables.

>>> "outgoing traffic (to remote):
>>> 127.x.x.x --> 99.99.99.99 => is that possible at all?
>> Not possible, the output routing decision prohibits sending a packet
>> with a loopback address outside the host (on a non loopback interface).
> So the same as above,... this is handled automatically and I don't need
> to set up specific rules to block such evil.

Note that I observed once that the kernel allowed sending IPv6 packets
outside the host with the source address ::1 (IPv6 loopback address),
which should be prohibited. I didn't test all "impossible" addresses but
there may be other cases. So it may be worth filtering with ip(6)tables
anyway.

> Just out of curiosity,... would it be possible to tell the kernel not to
> drop such bogus packets at the respective routing decision points?

Not without hacking into the kernel source AFAIK.
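The reply above suggests enabling log_martians and, as belt-and-braces, filtering loopback addresses on non-loopback interfaces with ip(6)tables. The script below is an added example written for this page, not something posted in the thread: it generates (and optionally applies) the sysctl and the iptables/ip6tables rules for both directions. It assumes iptables, ip6tables and sysctl are installed and that it is run as root to apply; the MARTIAN-IN/MARTIAN-OUT log prefixes and the 5/min log rate limit are choices made here, not values from the thread. Incoming rules go in the raw table's PREROUTING chain because, as the reply explains, the input routing decision discards such packets right after PREROUTING, so that is the last hook where they are still visible.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread).
# Log and drop packets that carry a loopback address on a non-loopback
# interface, for IPv4 (127.0.0.0/8) and IPv6 (::1/128).

# Emit the rules for one address family as text, one command per line.
# $1 = iptables binary (iptables or ip6tables), $2 = loopback prefix.
emit_rules() {
    tool=$1
    net=$2
    # Match the prefix once as source (-s) and once as destination (-d).
    for dir in s d; do
        # raw/PREROUTING runs before the input routing decision, which is
        # what normally discards these packets silently.
        echo "$tool -t raw -A PREROUTING ! -i lo -$dir $net -m limit --limit 5/min -j LOG --log-prefix \"MARTIAN-IN: \""
        echo "$tool -t raw -A PREROUTING ! -i lo -$dir $net -j DROP"
        # OUTPUT catches locally generated packets the kernel lets through
        # (the ::1 source case mentioned in the reply).
        echo "$tool -A OUTPUT ! -o lo -$dir $net -m limit --limit 5/min -j LOG --log-prefix \"MARTIAN-OUT: \""
        echo "$tool -A OUTPUT ! -o lo -$dir $net -j DROP"
    done
}

# Full command list: kernel martian logging (IPv4 only; there is no IPv6
# equivalent of log_martians) followed by the netfilter rules.
martian_rules() {
    echo "sysctl -w net.ipv4.conf.all.log_martians=1"
    echo "sysctl -w net.ipv4.conf.default.log_martians=1"
    emit_rules iptables 127.0.0.0/8
    emit_rules ip6tables ::1/128
}

# Execute every generated command (requires root).
apply_martian_rules() {
    martian_rules | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# Stand-alone use: print the rules for review, or apply them with --apply.
if [ "${1:-}" = "--apply" ]; then
    apply_martian_rules
else
    martian_rules
fi
```

Run it without arguments first to review the generated commands; the LOG rules are rate-limited so a flood of bogus packets cannot fill the log, and the DROP rules follow them so the packets never reach the routing code at all.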