Re: Block martians with source address 127.0.0.1
From: Bjørn Rasmussen (bjoernr_at_sensewave.com)
To: Ross Vandegrift <email@example.com> Date: Tue, 01 Jun 2004 13:48:44 +0200
man, 31.05.2004 kl. 18.14 skrev Ross Vandegrift:
> On Mon, May 31, 2004 at 12:55:52PM +0200, Bj?rn Rasmussen wrote:
> > I added these rules as the only ones to the input chain on my
> > LAN-interface:
> > iptables -A INPUT -i eth0 -s 127.0.0.1 -j LOG
> > iptables -A INPUT -i eth0 -s 127.0.0.1 -j DROP
> > iptables -A INPUT -i eth0 -s -j LOG
> > iptables -A INPUT -i eth0 -s -j DROP
> I'd change the source address to 127/8 - the whole class A is no-go for
> external traffic.
> > >From a client on my LAN, I used the command "nmap -e <LAN-interface on
> > client> -S 127.0.0.1 <ip-addr. of firewalls LAN-interfac>" to spoof the
> > localhost address.
> > The kernel on the firewall logs these packets as martians which it
> > should do, but my rules will not log or block these packets. Anybody
> > who knows how to do it? Is it possible? I guess there are situations
> > were malicious persons could at least perform a DoS-attack?
> Two things could be going on:
> 1) You have rp_filter turned on, which causes the kernel to ignore any
> incoming packets not addressed to that box, or not originating on a connected
I've turned it off, because I use FreeS/WAN (sorry forgot to tell you).
> 2) You've probably stuck the above rules to kill martians on the external
> interface, but when you test from an internal host, packets will arrive via
> the internal interface, and therefore bypass your iptables rules. Try adding
> those rules to the other ethernet interface as well.
These rules were added temporarily for testing on my firewalls internal
>From another response I've got, it looks like the kernel silently drops
incoming packets with source addresses of itself.