Question: Iptables -- 127.0.0.1
- From: Carlos Moreno <moreno_at_mochima_dot_com@xxxxxxxxxxxxxx>
- Date: Tue, 02 May 2006 20:59:08 -0400
I have a little confusion with this.
I hear about this "sanity check" for packets that may have
a spoofed source address (or destination) of 127.0.0.1
Every single reference, tutorial, sample iptables script,
etc. that I've seen addresses the issue by referring to
127.0.0.1 as the loopback address. Example:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -j DROP
iptables -A INPUT -d 127.0.0.1 -j DROP
That way, if the packet legitimately is from the host to
itself, then it will match the first rule and pass; if
a packet did not pass the first rule, then it can not
possibly have source or destination IP of 127.0.0.1, and
thus it is dropped, guilty of being a fake packet.
What was recently brought to my attention is: shouldn't
that be 127.0.0.0/255.0.0.0 ?? That is, shouldn't the
entire range 127.*.*.* be considered? I'm not sure the
claim has merit, but it made me wonder -- I always
thought 127.0.0.1 is *the one* special IP address for
the loopback interface; but I'm told that the entire
range 127.*.*.* has the same effect? Can someone
clarify this?
If the claim is true, then why aren't all the examples
and tutorials on iptables out there using the 127.0.0.0/8
subnet?
Thanks,
Carlos
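Added example, not part of the original post or its replies: on Linux the kernel's local routing table delivers the whole 127.0.0.0/8 to lo, not just 127.0.0.1, so the rules quoted above, which match only 127.0.0.1, leave a forged source or destination such as 127.1.2.3 unmatched. The script below is a small pure-shell CIDR matcher (the function names ip4_to_int, in_cidr and rule_result are this example's own) that mimics how an iptables -s/-d match with and without a prefix length is evaluated, and prints which addresses each variant of the rule catches. It needs neither root nor iptables; the rule set it emits is the post's, widened to /8.

```shell
#!/bin/sh
# Added example (not from the original post): compare a /32 and a /8
# loopback anti-spoofing match without touching a live firewall.

# ip4_to_int A.B.C.D -> the address as a decimal integer
ip4_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1                      # split on '.' into the four octets
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET[/PREFIX] -> exit 0 if ADDR falls inside NET/PREFIX.
# A bare address is treated as /32, which is what iptables does for
# "-s 127.0.0.1" with no prefix length.
in_cidr() {
    addr=$(ip4_to_int "$1")
    case "$2" in
        */*) net=$(ip4_to_int "${2%/*}"); prefix=${2#*/} ;;
        *)   net=$(ip4_to_int "$2");      prefix=32 ;;
    esac
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    fi
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# rule_result RULE_ADDR ADDR -> "match" if a DROP rule written with
# "-s RULE_ADDR" (or "-d RULE_ADDR") would catch ADDR, else "pass".
rule_result() {
    if in_cidr "$2" "$1"; then echo match; else echo pass; fi
}

# The post's rule set with the loopback check widened to 127.0.0.0/8.
# Printed only; run the lines as root to install them.
loopback_rules() {
    cat <<'EOF'
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -d 127.0.0.0/8 -j DROP
EOF
}

# Constructed sample addresses: a genuine loopback, two other 127/8
# addresses a spoofer could choose, a neighbour just outside the /8,
# and an ordinary private address.
for src in 127.0.0.1 127.1.2.3 127.255.255.254 128.0.0.1 10.0.0.1; do
    printf '%-16s -s 127.0.0.1: %-5s  -s 127.0.0.0/8: %s\n' "$src" \
        "$(rule_result 127.0.0.1 "$src")" "$(rule_result 127.0.0.0/8 "$src")"
done
echo
loopback_rules
```

On a Linux host, `ip route show table local` lists a `local 127.0.0.0/8 dev lo` entry, which is why the kernel answers on every 127.x.x.x address and why the matcher above reports that only the /8 form of the rule covers them all.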