From: Taylor Grant <gtaylor@riverviewtech.net>
To: Christian Seberino <seberino@spawar.navy.mil>
Cc: netfilter@lists.netfilter.org
Subject: Re: Cleanest way to deal with loopback interface?
Date: Wed, 13 Apr 2005 20:23:05 -0500
Message-ID: <425DC5F9.5020308@riverviewtech.net>
In-Reply-To: <1113425449.3544.177.camel@seberino.spawar.navy.mil>

> $IPTABLES -t filter -P INPUT   DROP
> $IPTABLES -t filter -P OUTPUT  DROP
> $IPTABLES -t filter -P FORWARD DROP
>  
> $IPTABLES -t filter -A INPUT   -j DROP_CHAIN
> $IPTABLES -t filter -A OUTPUT  -j DROP_CHAIN
> $IPTABLES -t filter -A FORWARD -j DROP_CHAIN
>   
> $IPTABLES -t filter -A INPUT  -i $LOOPBACK_INTERFACE -j ACCEPT
> $IPTABLES -t filter -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

I personally do not like the idea of using a unified chain like this b/c you can run into some sticky problems if you use the "-i" or "-o" parameters, depending on what chain is ultimately calling the chain you created.  Consider, for example, that you have a rule in your DROP_CHAIN like the ones below: when you are processing a packet that is inbound, you will jump from the INPUT chain to the DROP_CHAIN, where you have a rule that uses the "-o" parameter, which is illegal in the INPUT chain or any chain called by the INPUT chain.  Unified chains like the one that you are proposing are quite often limited in that they can not match against the in or out interface.  However, if you wanted to have something in your chain which matched for source or destination IP, that would be fine; i.e., matching anything that is from or to any multicast IP address could easily be processed in this chain.

However, if you really want to use a unified chain, add a couple of rules to your DROP_CHAIN like the following.

$IPTABLES -t filter -A DROP_CHAIN -i ! lo -s 127.0.0.0/8 -j DROP
$IPTABLES -t filter -A DROP_CHAIN -o ! lo -d 127.0.0.0/8 -j DROP

This will make any traffic that has a source address of 127.0.0.0/8 that did not come in via the lo interface get dropped.  Correspondingly, any traffic that is not going out the lo interface with a destination of 127.0.0.0/8 will get dropped as well.  Though I'm not sure what will happen in the situation where you are calling a rule in the DROP_CHAIN during an INPUT chain traversal that uses the "-o" parameter.



Grant. . . .
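An added example, not code from the post above or from the netfilter project, showing the split the reply argues for: every rule that needs "-i" or "-o" stays in the built-in chain where that parameter is valid, and the shared chain holds only address matches, so it can be called from INPUT, OUTPUT and FORWARD alike. Rule order does the work of "-i ! lo": the loopback ACCEPT rules run first, so any 127.0.0.0/8 packet that reaches the shared chain did not use lo. The chain name BOGON_CHAIN, the LO variable and the dry-run default (IPTABLES set to "echo iptables", which prints the rules instead of loading them) are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a shared chain that is safe to
# call from INPUT, OUTPUT and FORWARD because it matches on addresses only;
# every rule that needs -i or -o stays in the built-in chain for that direction.
# IPTABLES defaults to "echo iptables", so running this prints the rules rather
# than loading them; set IPTABLES=iptables to apply them. Names are assumptions.
IPTABLES="${IPTABLES:-echo iptables}"
LO="${LOOPBACK_INTERFACE:-lo}"

# Address-only rules: 127.0.0.0/8 is never legitimate once traffic on the
# loopback interface itself has already been accepted, in either direction.
bogon_chain() {
    $IPTABLES -t filter -N BOGON_CHAIN
    $IPTABLES -t filter -A BOGON_CHAIN -s 127.0.0.0/8 -j DROP
    $IPTABLES -t filter -A BOGON_CHAIN -d 127.0.0.0/8 -j DROP
}

builtin_chains() {
    # Default-deny policies, as in the quoted script.
    $IPTABLES -t filter -P INPUT   DROP
    $IPTABLES -t filter -P OUTPUT  DROP
    $IPTABLES -t filter -P FORWARD DROP
    # Loopback ACCEPT rules carry -i/-o, so each lives only in the chain
    # where that parameter is valid.
    $IPTABLES -t filter -A INPUT  -i "$LO" -j ACCEPT
    $IPTABLES -t filter -A OUTPUT -o "$LO" -j ACCEPT
    # Rule order replaces "-i ! lo": any 127/8 packet still being evaluated
    # here did not use the loopback interface, so the shared chain can drop
    # it without knowing which interface is involved.
    $IPTABLES -t filter -A INPUT   -j BOGON_CHAIN
    $IPTABLES -t filter -A OUTPUT  -j BOGON_CHAIN
    $IPTABLES -t filter -A FORWARD -j BOGON_CHAIN
}

# Emit (or load) the whole ruleset; the user chain must exist before the
# built-in chains jump to it.
ruleset() {
    bogon_chain
    builtin_chains
}

ruleset
```

Run it as-is to review the generated rules; only with IPTABLES=iptables and root does it touch the running firewall. Anything that needs an interface match (e.g. accepting a service only on one NIC) belongs in the built-in chain, not in BOGON_CHAIN.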

