* comments about local loopback interface rule granularity
@ 2012-03-13 14:28 paddy joesoap
2012-03-13 15:06 ` Jan Engelhardt
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: paddy joesoap @ 2012-03-13 14:28 UTC (permalink / raw)
To: netfilter
Hi all,
What is the correct local loopback iptables rules for a single hosted
firewall (laptop)?
I often see the following:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
where a default DROP policy is applied to both INPUT and OUTPUT chains.
I notice with this configuration I can ping the localhost (as
expected) but I also can ping the local IP address of the machine!
Why is this this the case with respect to the local IP address?
Is this the correct set of rules?
iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT
With this configuration I can ping the localhost (as expected) but NOT
also ping the local IP address of the machine :-)
The loacal IP address of the machine is tied to a real interface such
as eth0 and therefore no ping packets this time as expected.
I presume the only traffic that should ever communicate with the "lo"
interface is traffic to and from IP address 127.0.0.1.
any comments are welcome.
Paddy.
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: comments about local loopback interface rule granularity
2012-03-13 14:28 comments about local loopback interface rule granularity paddy joesoap
@ 2012-03-13 15:06 ` Jan Engelhardt
2012-03-13 15:11 ` /dev/rob0
2012-03-13 15:17 ` Gáspár Lajos
2 siblings, 0 replies; 4+ messages in thread
From: Jan Engelhardt @ 2012-03-13 15:06 UTC (permalink / raw)
To: paddy joesoap; +Cc: netfilter
On Tuesday 2012-03-13 15:28, paddy joesoap wrote:
>Hi all,
>
>What is the correct local loopback iptables rules for a single hosted
>firewall (laptop)?
>
>I often see the following:
>
>iptables -A INPUT -i lo -j ACCEPT
>iptables -A OUTPUT -o lo -j ACCEPT
>
>where a default DROP policy is applied to both INPUT and OUTPUT chains.
>
>I notice with this configuration I can ping the localhost (as
>expected) but I also can ping the local IP address of the machine!
Well that's the whole point of loopback.
>Why is this this the case with respect to the local IP address?
>
>Is this the correct set of rules?
No, because your local host has more addresses than just 127.0.0.1/32,
and they very well want to be accessible.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: comments about local loopback interface rule granularity
2012-03-13 14:28 comments about local loopback interface rule granularity paddy joesoap
2012-03-13 15:06 ` Jan Engelhardt
@ 2012-03-13 15:11 ` /dev/rob0
2012-03-13 15:17 ` Gáspár Lajos
2 siblings, 0 replies; 4+ messages in thread
From: /dev/rob0 @ 2012-03-13 15:11 UTC (permalink / raw)
To: netfilter
On Tue, Mar 13, 2012 at 02:28:00PM +0000, paddy joesoap wrote:
> What is the correct local loopback iptables rules for a single
> hosted firewall (laptop)?
"Correct" might vary by needs, don't you think?
> I often see the following:
>
> iptables -A INPUT -i lo -j ACCEPT
This is generally a good idea.
> iptables -A OUTPUT -o lo -j ACCEPT
>
> where a default DROP policy is applied to both INPUT and
> OUTPUT chains.
rob0 rule of thumb: if you have to ask for help to make it work, you
don't need and shouldn't use OUTPUT filtering. Just say no to DROP.
> I notice with this configuration I can ping the localhost
> (as expected) but I also can ping the local IP address of the
> machine!
>
> Why is this this the case with respect to the local IP address?
When a local process tries to reach a locally-bound IP address, the
packets therefrom are routed through the loopback interface.
> Is this the correct set of rules?
>
> iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
> iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT
>
> With this configuration I can ping the localhost (as expected)
> but NOT also ping the local IP address of the machine :-)
If that's what you want for some reason, I suppose it's correct for
you. I don't see the point.
> The loacal IP address of the machine is tied to a real
> interface such as eth0 and therefore no ping packets this time
> as expected.
>
> I presume the only traffic that should ever communicate with
> the "lo" interface is traffic to and from IP address 127.0.0.1.
Why? The folks who designed your kernel's IP stack did not agree.
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: comments about local loopback interface rule granularity
2012-03-13 14:28 comments about local loopback interface rule granularity paddy joesoap
2012-03-13 15:06 ` Jan Engelhardt
2012-03-13 15:11 ` /dev/rob0
@ 2012-03-13 15:17 ` Gáspár Lajos
2 siblings, 0 replies; 4+ messages in thread
From: Gáspár Lajos @ 2012-03-13 15:17 UTC (permalink / raw)
To: paddy joesoap; +Cc: netfilter
Hi,
2012-03-13 15:28 keltezéssel, paddy joesoap írta:
> I often see the following:
>
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> where a default DROP policy is applied to both INPUT and OUTPUT chains.
Just a side note.
I always use these rules because:
- I just enable something and deny everything else... (ACCEPT the
specified and DROP as the policy).
- I want my local services run "as fas as they can"... (I use the
rules above as the first rule in the chain. Be aware that you can use
the rules above in the raw, mangle and filter tables too..)
- I do not think that there is anything filterable on the "lo" interface.
Swifty
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2012-03-13 15:17 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-03-13 14:28 comments about local loopback interface rule granularity paddy joesoap
2012-03-13 15:06 ` Jan Engelhardt
2012-03-13 15:11 ` /dev/rob0
2012-03-13 15:17 ` Gáspár Lajos
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.