Christian Seberino wrote:

I want first rules that packets encounter to be my DROP_CHAIN
that weeds out suspicious packets including packets addressed
to and from 127.0.0.1 (loopback):

# -------------------------------------------------------------
# Default policy: deny anything not explicitly accepted.
$IPTABLES -t filter -P INPUT   DROP
$IPTABLES -t filter -P OUTPUT  DROP
$IPTABLES -t filter -P FORWARD DROP

# DROP_CHAIN (assumed created earlier with -N) is the first rule every
# packet hits in all three built-in chains.
$IPTABLES -t filter -A INPUT -j DROP_CHAIN
$IPTABLES -t filter -A OUTPUT -j DROP_CHAIN
$IPTABLES -t filter -A FORWARD -j DROP_CHAIN
# Loopback is accepted only after DROP_CHAIN has returned.
$IPTABLES -t filter -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
# ------------------------------------------------------------


How can I make DROP_CHAIN drop bogus 127.0.0.1 addressed packets
but still allow **legitimate** loopback traffic?

Chris




That gets complicated. You need to define *legitimate* loopback traffic, and create a set of rules to accommodate it. However, since first match wins in iptables, you will probably need a bit of trial and error to get the rules and the order right to allow the legitimate loopback while still denying the bad stuff.

Robert Donovan
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
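The following is an added example, not code from either poster on the list, showing one ordering that avoids the trial and error: accept the loopback interface in INPUT/OUTPUT before the jump to DROP_CHAIN, so that inside DROP_CHAIN any 127.0.0.0/8 source or destination is unconditionally bogus. It assumes the names from Chris's post (IPTABLES, LOOPBACK_INTERFACE, DROP_CHAIN); the dry_run and check_order helpers are additions for testing the rule order without root.

```sh
#!/bin/sh
# Added example (not code from the list thread): lets DROP_CHAIN drop 127/8
# spoofs while real loopback traffic still works.  Assumed names:
# IPTABLES (binary path; "echo iptables" for a dry run), LOOPBACK_INTERFACE
# (normally lo) and DROP_CHAIN (the user chain from the original post).

build_rules() {
    ipt=${IPTABLES:-/sbin/iptables}   # left unquoted below so "echo iptables" splits
    lo=${LOOPBACK_INTERFACE:-lo}

    # Default deny on every built-in chain.
    $ipt -t filter -P INPUT   DROP
    $ipt -t filter -P OUTPUT  DROP
    $ipt -t filter -P FORWARD DROP

    # Create DROP_CHAIN, or just flush it if the script is re-run.
    $ipt -t filter -N DROP_CHAIN 2>/dev/null || $ipt -t filter -F DROP_CHAIN

    # 1. Accept the loopback interface BEFORE the jump to DROP_CHAIN.
    #    First match wins, so legitimate 127/8 traffic never reaches the
    #    spoof filters below.  FORWARD needs no loopback rule.
    $ipt -t filter -A INPUT  -i "$lo" -j ACCEPT
    $ipt -t filter -A OUTPUT -o "$lo" -j ACCEPT

    # 2. Everything else is weeded out by DROP_CHAIN.
    $ipt -t filter -A INPUT   -j DROP_CHAIN
    $ipt -t filter -A OUTPUT  -j DROP_CHAIN
    $ipt -t filter -A FORWARD -j DROP_CHAIN

    # 3. Inside DROP_CHAIN a 127/8 address is now unconditionally bogus:
    #    anything reaching here did not arrive on, or leave via, lo.  No
    #    "! -i lo" match is needed, and it would be wrong: the input
    #    interface is unset on the OUTPUT path, so "! -i lo" there would
    #    match (and drop) every outbound packet, loopback included.
    $ipt -t filter -A DROP_CHAIN -s 127.0.0.0/8 -j DROP
    $ipt -t filter -A DROP_CHAIN -d 127.0.0.0/8 -j DROP
    $ipt -t filter -A DROP_CHAIN -m conntrack --ctstate INVALID -j DROP
    $ipt -t filter -A DROP_CHAIN -j RETURN    # back to the calling chain
}

# Print the commands instead of running them (no root needed).
dry_run() {
    ( IPTABLES="echo iptables"; build_rules )
}

# Read a rule listing on stdin (dry_run output, or "iptables -S INPUT" on a
# live box) and succeed only if the loopback ACCEPT precedes the DROP_CHAIN
# jump in INPUT.  Non-zero exit means the order is the dangerous one.
check_order() {
    awk -v lo="${LOOPBACK_INTERFACE:-lo}" '
        $0 ~ ("-A INPUT -i " lo " -j ACCEPT") && !acc { acc = NR }
        $0 ~ ("-A INPUT -j DROP_CHAIN")       && !jmp { jmp = NR }
        END { exit (acc && jmp && acc < jmp) ? 0 : 1 }'
}

case "${1:-dry-run}" in
    apply)   build_rules ;;     # needs root
    check)   check_order ;;     # e.g.: iptables -S INPUT | sh fw.sh check
    dry-run) dry_run ;;
esac
```

Run it with no arguments to see the rule order it would load, `apply` to load it, and `iptables -S INPUT | sh fw.sh check` afterwards to confirm the loopback ACCEPT really sits above the DROP_CHAIN jump on the live box. Two caveats: the kernel already treats 127/8 arriving on a non-loopback interface as a martian and drops it in routing unless route_localnet is enabled, so these rules are a belt-and-braces check rather than the only line of defence; and if DROP_CHAIN ever gains interface-specific matches, keep `-i` out of any rule that the OUTPUT chain can reach, for the reason given in the comment above.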
