* comments about local loopback interface rule granularity
@ 2012-03-13 14:28 paddy joesoap
2012-03-13 15:06 ` Jan Engelhardt
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: paddy joesoap @ 2012-03-13 14:28 UTC (permalink / raw)
To: netfilter
Hi all,
What are the correct local loopback iptables rules for a single hosted
firewall (laptop)?
I often see the following:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
where a default DROP policy is applied to both INPUT and OUTPUT chains.
I notice with this configuration I can ping the localhost (as
expected) but I also can ping the local IP address of the machine!
Why is this the case with respect to the local IP address?
Is this the correct set of rules?
iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT
With this configuration I can ping the localhost (as expected) but NOT
also ping the local IP address of the machine :-)
The local IP address of the machine is tied to a real interface such
as eth0 and therefore no ping packets this time as expected.
I presume the only traffic that should ever communicate with the "lo"
interface is traffic to and from IP address 127.0.0.1.
any comments are welcome.
Paddy.
* Re: comments about local loopback interface rule granularity
From: Jan Engelhardt @ 2012-03-13 15:06 UTC (permalink / raw)
To: paddy joesoap; +Cc: netfilter
On Tuesday 2012-03-13 15:28, paddy joesoap wrote:
>Hi all,
>
>What are the correct local loopback iptables rules for a single hosted
>firewall (laptop)?
>
>I often see the following:
>
>iptables -A INPUT -i lo -j ACCEPT
>iptables -A OUTPUT -o lo -j ACCEPT
>
>where a default DROP policy is applied to both INPUT and OUTPUT chains.
>
>I notice with this configuration I can ping the localhost (as
>expected) but I also can ping the local IP address of the machine!
Well that's the whole point of loopback.
>Why is this the case with respect to the local IP address?
>
>Is this the correct set of rules?
No, because your local host has more addresses than just 127.0.0.1/32,
and they very well want to be accessible.
* Re: comments about local loopback interface rule granularity
From: /dev/rob0 @ 2012-03-13 15:11 UTC (permalink / raw)
To: netfilter
On Tue, Mar 13, 2012 at 02:28:00PM +0000, paddy joesoap wrote:
> What are the correct local loopback iptables rules for a single
> hosted firewall (laptop)?
"Correct" might vary by needs, don't you think?
> I often see the following:
>
> iptables -A INPUT -i lo -j ACCEPT
This is generally a good idea.
> iptables -A OUTPUT -o lo -j ACCEPT
>
> where a default DROP policy is applied to both INPUT and
> OUTPUT chains.
rob0 rule of thumb: if you have to ask for help to make it work, you
don't need and shouldn't use OUTPUT filtering. Just say no to DROP.
> I notice with this configuration I can ping the localhost
> (as expected) but I also can ping the local IP address of the
> machine!
>
> Why is this the case with respect to the local IP address?
When a local process tries to reach a locally-bound IP address, the
packets therefrom are routed through the loopback interface.
> Is this the correct set of rules?
>
> iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
> iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT
>
> With this configuration I can ping the localhost (as expected)
> but NOT also ping the local IP address of the machine :-)
If that's what you want for some reason, I suppose it's correct for
you. I don't see the point.
> The local IP address of the machine is tied to a real
> interface such as eth0 and therefore no ping packets this time
> as expected.
>
> I presume the only traffic that should ever communicate with
> the "lo" interface is traffic to and from IP address 127.0.0.1.
Why? The folks who designed your kernel's IP stack did not agree.
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
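The routing behaviour rob0 describes (a packet from a local process to any address the host owns is sent through lo carrying that address, not 127.0.0.1) is what makes the narrowed rule set fail. The following is an added toy model of the filter table's INPUT and OUTPUT chains, written for this thread and not code from any of the posters; the host addresses 127.0.0.1 and 192.168.1.10 (on eth0), the remote address 203.0.113.5, and the route() helper are constructed assumptions standing in for what `ip route get <addr>` would report on a real laptop. It runs both rule sets from the thread against a ping to each local address and checks that neither rule set admits an unsolicited packet arriving on eth0.

```python
"""Toy model of iptables INPUT/OUTPUT chain evaluation for the two loopback
rule sets discussed in the thread.  Not a packet filter; just enough matching
(-i/-o, -s, -d, chain policy) to show which packets each rule set admits."""
from dataclasses import dataclass
from typing import Optional

# Constructed host: loopback plus one address on eth0.
ETH0_ADDR = "192.168.1.10"
LOCAL_ADDRS = {"127.0.0.1", ETH0_ADDR}
REMOTE_ADDR = "203.0.113.5"   # constructed remote host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str   # interface the packet enters (INPUT) or leaves (OUTPUT) on


@dataclass(frozen=True)
class Rule:
    target: str
    iface: Optional[str] = None   # -i on INPUT, -o on OUTPUT
    src: Optional[str] = None     # -s
    dst: Optional[str] = None     # -d

    def matches(self, pkt: Packet) -> bool:
        return ((self.iface is None or self.iface == pkt.iface)
                and (self.src is None or self.src == pkt.src)
                and (self.dst is None or self.dst == pkt.dst))


def run_chain(rules, policy: str, pkt: Packet) -> str:
    """First matching rule's target wins; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


def route(dst: str) -> Packet:
    """Assumed route lookup: a destination the host owns is a local route via
    lo, and the kernel picks that same address as the source (this is what
    'ip route get 192.168.1.10' shows as 'local ... dev lo src 192.168.1.10').
    Anything else leaves on eth0 from the eth0 address."""
    if dst in LOCAL_ADDRS:
        return Packet(src=dst, dst=dst, iface="lo")
    return Packet(src=ETH0_ADDR, dst=dst, iface="eth0")


def local_ping(dst: str, rules_out, rules_in) -> str:
    """Echo request from a local process: it traverses OUTPUT on the way out
    and, when the route is local, re-enters through lo and traverses INPUT."""
    pkt = route(dst)
    if run_chain(rules_out, "DROP", pkt) != "ACCEPT":
        return "DROP"
    if pkt.iface != "lo":
        return "ACCEPT"   # left the host; the reply path is out of scope here
    return run_chain(rules_in, "DROP", pkt)


def remote_probe(rules_in) -> str:
    """Unsolicited packet from a remote host arriving on eth0."""
    return run_chain(rules_in, "DROP", Packet(REMOTE_ADDR, ETH0_ADDR, "eth0"))


# Rule set A: the common form quoted in the thread (-i lo / -o lo).
BROAD_IN = [Rule("ACCEPT", iface="lo")]
BROAD_OUT = [Rule("ACCEPT", iface="lo")]
# Rule set B: the narrowed form restricted to 127.0.0.1.
NARROW_IN = [Rule("ACCEPT", iface="lo", src="127.0.0.1")]
NARROW_OUT = [Rule("ACCEPT", iface="lo", dst="127.0.0.1")]

RULE_SETS = {"broad": (BROAD_IN, BROAD_OUT), "narrow": (NARROW_IN, NARROW_OUT)}


def compare() -> dict:
    """Verdict for a local ping to each owned address under each rule set."""
    return {name: {dst: local_ping(dst, out_rules, in_rules)
                   for dst in sorted(LOCAL_ADDRS)}
            for name, (in_rules, out_rules) in RULE_SETS.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
    for name, (in_rules, _) in RULE_SETS.items():
        print(name, "remote probe on eth0:", remote_probe(in_rules))
```

The broad rule set accepts the ping to both 127.0.0.1 and 192.168.1.10, the narrow one drops the ping to 192.168.1.10 because neither its source nor its destination is 127.0.0.1, and the probe from the remote address is dropped by the INPUT policy under both, since `-i lo` never matches a packet that arrived on eth0.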
* Re: comments about local loopback interface rule granularity
From: Gáspár Lajos @ 2012-03-13 15:17 UTC (permalink / raw)
To: paddy joesoap; +Cc: netfilter
Hi,
On 2012-03-13 15:28, paddy joesoap wrote:
> I often see the following:
>
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> where a default DROP policy is applied to both INPUT and OUTPUT chains.
Just a side note.
I always use these rules because:
- I just enable something and deny everything else... (ACCEPT the
specified and DROP as the policy).
- I want my local services run "as fast as they can"... (I use the
rules above as the first rule in the chain. Be aware that you can use
the rules above in the raw, mangle and filter tables too..)
- I do not think that there is anything filterable on the "lo" interface.
Swifty