To clarify: since kernel 4.20 (netfilter changes) some of the lo interface traffic is qualified as INVALID and picked up by the first firewall rule, and per the firewall setup is dropped and thus never reaches the remaining rules (incl. the lo-handling rule):

  -A INPUT -m conntrack --ctstate INVALID -j logdrop
  -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  -A INPUT -i lo -j ACCEPT

Such a setup I consider programmatically correct as it protects all interfaces from INVALID traffic. And it worked for many, many years.

On the other hand, placing the lo-handling rule as the first one

  -A INPUT -i lo -j ACCEPT
  -A INPUT -m conntrack --ctstate INVALID -j logdrop
  -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

makes the lo interface vulnerable to INVALID traffic.

jb
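A first-match model of the two INPUT chain orderings discussed in the post, added here as an illustration and not part of the original message; it assumes the post's custom logdrop chain ends in a terminal DROP, a DROP chain policy, and uses constructed packets (lo/INVALID, lo/ESTABLISHED, eth0/INVALID) to show which ordering lets INVALID traffic through on lo.

```python
# Added example (not from the post): a minimal first-match model of how
# iptables walks the INPUT chain, applied to the two orderings discussed.
# Rule text is copied from the post; the packets and treating the post's
# custom 'logdrop' chain as a terminal DROP are assumptions of this model.
import shlex

# The post's rules in the two orderings under discussion.
ORDER_INVALID_FIRST = [
    "-A INPUT -m conntrack --ctstate INVALID -j logdrop",
    "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
]
ORDER_LO_FIRST = [
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -m conntrack --ctstate INVALID -j logdrop",
    "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
]

def parse_rule(rule):
    """Extract the matches (-i, --ctstate) and the target (-j) of one rule."""
    toks = shlex.split(rule)
    spec = {"iface": None, "ctstates": None, "target": None}
    for i, tok in enumerate(toks):
        if tok == "-i":
            spec["iface"] = toks[i + 1]
        elif tok == "--ctstate":
            spec["ctstates"] = set(toks[i + 1].split(","))
        elif tok == "-j":
            spec["target"] = toks[i + 1]
    return spec

def matches(spec, pkt):
    """A rule matches only if every match it carries agrees with the packet."""
    if spec["iface"] is not None and spec["iface"] != pkt["iface"]:
        return False
    return spec["ctstates"] is None or pkt["ctstate"] in spec["ctstates"]

def verdict(rules, pkt, policy="DROP"):
    """Walk the chain top to bottom; the first matching rule's target wins."""
    for spec in map(parse_rule, rules):
        if matches(spec, pkt):
            return "DROP" if spec["target"] == "logdrop" else spec["target"]
    return policy  # nothing matched: chain policy applies (assumed DROP)

# Constructed packets: INVALID traffic on lo and on an external NIC, plus a
# normal reply packet on lo, to show what each ordering does with them.
LO_INVALID = {"iface": "lo", "ctstate": "INVALID"}
LO_ESTABLISHED = {"iface": "lo", "ctstate": "ESTABLISHED"}
ETH_INVALID = {"iface": "eth0", "ctstate": "INVALID"}
```

With INVALID first, the lo/INVALID packet is dropped by rule 1 before the lo rule is reached, which is the behaviour the post describes; with lo first, the same packet is accepted.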