Hi Pascal,

On Sun, Feb 12, 2017 at 02:15:49PM +0100, Pascal Hambourg wrote:
>
> > iptables -I OUTPUT 1 -p tcp --dport 22 -m addrtype --src-type LOCAL -j ACCEPT
>
> I thought you wanted to match only against local addresses attached to a
> specific interface, not all interfaces. If that specific interface is the
> output interface, then you can add --limit-iface-out.

Agreed.

> Otherwise, may I ask why do you need this?
> Only a process with special privileges can send packets with a non-local
> address.

My use case is a DMZ bastion/remote access jump (i.e. somewhat exposed) host
where I do not want a process that somehow gained privileges to be able to
e.g. send out spoofed packets right away, as well as a kind of high-level
martian filtering by just accepting packets directed at an address the
machine actually has. This collides with IPv6 constantly changing addresses
due to privacy extensions and RAs from my DSL provider.

I am aware that it mostly is a case of "rampant paranoia"[tm] paired with
"because I can"[tm].

> local != private
> There is no need for a specific extension to match any given address prefix
> such as those defined in RFC1918: -d/-s already do the job.

I did say dummy, didn't I? :)

--
bye, Michael
Dessau for the people!
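The egress rule discussed in this thread (addrtype LOCAL restricted with --limit-iface-out so that only addresses configured on the outgoing interface may be used as source), carried through to a small bastion-host ruleset. This is an added example, not code from the thread or from either poster; the interface name, the rate-limited LOG before DROP, and the IPT/IP6T dry-run variables are assumptions.

```shell
#!/bin/sh
# Egress anti-spoofing for a DMZ bastion host: a packet may leave the exposed
# interface only if its source address is one the kernel currently has on that
# interface. Because addrtype LOCAL is evaluated against the live address set,
# IPv6 privacy-extension and RA-assigned addresses are covered without listing
# them in -s rules. Set IPT="echo iptables" IP6T="echo ip6tables" for a dry run.
IPT="${IPT:-iptables}"
IP6T="${IP6T:-ip6tables}"

# egress_antispoof <iface> : install the same three rules for IPv4 and IPv6.
egress_antispoof() {
    iface="$1"
    for tool in "$IPT" "$IP6T"; do
        # Source is a local address AND it belongs to $iface itself
        # (--limit-iface-out); plain LOCAL would accept any local address.
        $tool -A OUTPUT -o "$iface" -m addrtype --src-type LOCAL --limit-iface-out -j ACCEPT
        # Anything else leaving $iface carries a source this interface does not
        # own: log it (rate-limited) so a privileged rogue process is noticed,
        # then drop it.
        $tool -A OUTPUT -o "$iface" -m limit --limit 5/min -j LOG --log-prefix "egress-spoof: "
        $tool -A OUTPUT -o "$iface" -j DROP
    done
}

# Usage: sh egress.sh eth0   (interface name is a placeholder assumption)
if [ $# -gt 0 ]; then
    egress_antispoof "$1"
fi
```

Rules on other interfaces (including lo) are untouched, so the block only constrains the exposed interface named on the command line.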