From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: Christian Seberino <seberino@spawar.navy.mil>
Cc: netfilter@lists.netfilter.org
Subject: Re: Cleanest way to deal with loopback interface?
Date: Mon, 18 Apr 2005 15:42:08 -0500
Message-ID: <42641BA0.9000509@riverviewtech.net>
In-Reply-To: <1113854945.3544.219.camel@seberino.spawar.navy.mil>
> I tried to understand this attack but it was over my head.
> The message is simply that
> I should only allow loopback traffic whose source
> and destination addresses are 127.0.0.0/8 right??
>
> e.g.
>
> $IPTABLES -t filter -A INPUT -i $LOOPBACK_INTERFACE
> -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> $IPTABLES -t filter -A OUTPUT -o $LOOPBACK_INTERFACE
> -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
>
> This is safe, right?
Yes, that is correct. I might be tempted to add a couple of rules in your FILTER chain too.
$IPTABLES -t filter -A FORWARD -s 127.0.0.0/8 -j DROP
$IPTABLES -t filter -A FORWARD -d 127.0.0.0/8 -j DROP
This will catch any traffic that comes in on any interface and would go out any other interface, via the FORWARD chain rules without an interface binding. In other words, any traffic passing through your FORWARD chain should not be from, or destined to, any 127.0.0.0/8 IP address; these rules will trap and DROP any such traffic.
Grant. . . .
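Added example, not part of the thread: a small Python model of the four rules discussed above (two loopback ACCEPTs, two FORWARD DROPs), evaluated iptables-style with first match winning. It assumes $LOOPBACK_INTERFACE expands to "lo" and uses constructed packets to show which ones each rule catches and which fall through to the chain policy.

```python
import ipaddress

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
LO = "lo"  # assumed expansion of $LOOPBACK_INTERFACE

# The four rules from the message as (chain, -i, -o, -s, -d, target).
# None means the rule does not constrain that field (the FORWARD rules
# have no interface binding). Evaluation is top to bottom, first match wins.
RULES = [
    ("INPUT",   LO,   None, LOOPBACK_NET, LOOPBACK_NET, "ACCEPT"),
    ("OUTPUT",  None, LO,   LOOPBACK_NET, LOOPBACK_NET, "ACCEPT"),
    ("FORWARD", None, None, LOOPBACK_NET, None,         "DROP"),
    ("FORWARD", None, None, None,         LOOPBACK_NET, "DROP"),
]

def verdict(chain, in_iface, out_iface, src, dst, policy="DROP"):
    """Return the target of the first matching rule, else the chain's policy."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_chain, r_in, r_out, r_src, r_dst, target in RULES:
        if r_chain != chain:
            continue
        if r_in is not None and r_in != in_iface:
            continue
        if r_out is not None and r_out != out_iface:
            continue
        if r_src is not None and src_ip not in r_src:
            continue
        if r_dst is not None and dst_ip not in r_dst:
            continue
        return target
    return policy  # no rule matched: the chain's default policy decides

# Constructed sample packets: (description, chain, -i, -o, src, dst)
SAMPLES = [
    ("local client to local daemon",  "INPUT",   LO,     None,   "127.0.0.1",   "127.0.0.1"),
    ("reply back over lo",            "OUTPUT",  None,   LO,     "127.0.0.1",   "127.0.0.1"),
    ("lo packet with non-127 source", "INPUT",   LO,     None,   "192.168.1.5", "127.0.0.1"),
    ("routed packet aimed at 127/8",  "FORWARD", "eth0", "eth1", "10.0.0.5",    "127.0.0.1"),
    ("routed packet from 127/8",      "FORWARD", "eth0", "eth1", "127.0.0.2",   "10.0.0.9"),
    ("ordinary routed packet",        "FORWARD", "eth0", "eth1", "10.0.0.5",    "10.0.0.9"),
]

def run_samples(policy="DROP"):
    """Evaluate every constructed packet; returns {description: verdict}."""
    return {d: verdict(c, i, o, s, t, policy) for d, c, i, o, s, t in SAMPLES}

if __name__ == "__main__":
    for desc, v in run_samples().items():
        print(f"{desc:32} -> {v}")
```

Note that the loopback rules only ACCEPT well-formed 127/8 traffic; a packet on lo with an outside source address is not dropped by them but left to the chain policy, which is why a DROP default matters.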