
#1 2009-07-16 09:43:24

madeye
Member
From: Denmark
Registered: 2006-07-19
Posts: 331

[SOLVED] iptables -i lo weird behaviour

Hi,

I was just reviewing my iptables rules, and saw that a rule exists on the INPUT chain that grants access to everything.

ACCEPT     all  --  anywhere             anywhere

I have chased it down to this part of my script:

iptables -A INPUT -i lo -j ACCEPT

Anyone know why this happens?

My script is listed below

#!/bin/sh

IPTABLES=/usr/sbin/iptables

# start by flushing the rules
$IPTABLES -F

# Delete all chains
$IPTABLES -X

# set default policy
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# allow packets coming from the machine
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# allow outgoing traffic (not really necessary)
$IPTABLES -A OUTPUT -o eth0 -j ACCEPT

# allow established and related connections
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Listing the rules gives me this

[root@archer ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Everywhere I look on the Internet, it just states that the loopback rule is necessary for some programs to run. I can't find anything about the behaviour I am seeing here.

Last edited by madeye (2009-07-19 16:02:01)


MadEye | Registered Linux user #167944 since 2000-02-28 | Homepage


#2 2009-07-16 22:36:38

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: [SOLVED] iptables -i lo weird behaviour

Run 'iptables -nvL' and it will have a column for the 'in' and 'out' interfaces. You will see 'lo' listed under the 'in' column for that rule.

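The column that `iptables -L` hides is exactly the one that decides whether the rule is open or not. The following is an added example, not code from the thread or its posters: a small audit helper that reads `iptables -nvL INPUT` text (a constructed sample is embedded, with invented counters and an invented port-22 rule) and reports only the rules that accept everything with no interface restriction and no match extension. The `-i lo` rule that `iptables -L` prints as "ACCEPT all anywhere anywhere" is therefore not flagged, while a genuinely open rule is. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit helper for `iptables -nvL` output.
# Reports rules that ACCEPT any protocol, from any in-interface, any source
# and any destination, with no match extension appended, i.e. rules that are
# really open.  A rule whose "in" column is "lo" is not reported, although
# plain `iptables -L` prints it identically to an open rule.

# Constructed sample of `iptables -nvL INPUT` output (counters and the
# port-22 rule are invented for this demonstration).
SAMPLE_NVL='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  3360 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  100  8000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    7   420 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    3   180 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

# find_open_accepts LISTING
# Prints the rule lines that accept all traffic unconditionally.
# Columns of -nvL output: pkts bytes target prot opt in out source destination [matches...]
# Newer iptables releases print "0" instead of "all" in the prot column,
# so both spellings are accepted.
find_open_accepts() {
    printf '%s\n' "$1" | awk '
        /^Chain / || /^ *pkts / || NF == 0 { next }
        $3 == "ACCEPT" && ($4 == "all" || $4 == "0") && $6 == "*" &&
        $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" && NF == 9 { print }
    '
}

# count_open_accepts LISTING
# Same test, but prints how many such rules exist (0 means none found).
count_open_accepts() {
    find_open_accepts "$1" | wc -l | tr -d ' '
}

# Stand-alone usage against the constructed sample.  On a live host (as root)
# the listing would come from:  find_open_accepts "$(iptables -nvL INPUT)"
find_open_accepts "$SAMPLE_NVL"
```

Run against the sample, the only line printed is the third rule (the one with `*` in the "in" column and nothing after the destination); the loopback rule and the RELATED,ESTABLISHED rule pass the check.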

#3 2009-07-17 08:46:34

madeye
Member
From: Denmark
Registered: 2006-07-19
Posts: 331

Re: [SOLVED] iptables -i lo weird behaviour

Thanks a lot for the help.
You know I even have the pocket reference for iptables, but didn't find anything about that in there.
OK, I also wasn't sure what I should look for. :)

Is there a decent book that describes IPtables thoroughly?

Last edited by madeye (2009-07-17 08:49:52)


MadEye | Registered Linux user #167944 since 2000-02-28 | Homepage


#4 2009-07-19 10:30:24

quarkup
Member
From: Portugal
Registered: 2008-09-07
Posts: 497

Re: [SOLVED] iptables -i lo weird behaviour

man iptables :D


btw: possibly I'll get a simple iptables script and upload it for next weekend.

Last edited by quarkup (2009-07-19 10:57:55)


If people do not believe that mathematics is simple, it is only because they do not realize how complicated life is.
Simplicity is the ultimate sophistication.


#5 2009-07-19 16:01:26

madeye
Member
From: Denmark
Registered: 2006-07-19
Posts: 331

Re: [SOLVED] iptables -i lo weird behaviour

Yes there is the man page, but it is not very decent at describing iptables. What I mean is, it's a fine command overview but not very educational. You have to know exactly what to look for to find what you need.

I'd like to see your script. Then I can compare it to my other script that I use sometimes. It's a little larger than the one I've shown in this thread.


MadEye | Registered Linux user #167944 since 2000-02-28 | Homepage


#6 2009-07-19 22:25:04

quarkup
Member
From: Portugal
Registered: 2008-09-07
Posts: 497

Re: [SOLVED] iptables -i lo weird behaviour


If people do not believe that mathematics is simple, it is only because they do not realize how complicated life is.
Simplicity is the ultimate sophistication.


#7 2009-07-20 17:20:33

madeye
Member
From: Denmark
Registered: 2006-07-19
Posts: 331

Re: [SOLVED] iptables -i lo weird behaviour

Nice! Thanks.


MadEye | Registered Linux user #167944 since 2000-02-28 | Homepage


#8 2009-07-28 10:14:43

quarkup
Member
From: Portugal
Registered: 2008-09-07
Posts: 497

Re: [SOLVED] iptables -i lo weird behaviour


If people do not believe that mathematics is simple, it is only because they do not realize how complicated life is.
Simplicity is the ultimate sophistication.


#9 2009-07-28 18:13:13

james
Member
Registered: 2009-04-17
Posts: 13

Re: [SOLVED] iptables -i lo weird behaviour

Thank you for the wiki, this is great!
I especially liked the 'Protection against common attacks' section. I always liked to set up my own rules but was not aware of these things.
For my own scripts I use iptables-save / iptables-restore. So, as an alternative to calling iptables, something like this is also possible:

#!/bin/sh
LoopbackInterface=lo

TheRules=\
"*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:InputProtection - [0:0]
-A INPUT -j InputProtection
-A INPUT -i $LoopbackInterface -j ACCEPT
-A OUTPUT -o $LoopbackInterface -j ACCEPT
-A InputProtection -p tcp ! --syn -m state --state NEW -j DROP
COMMIT"

echo "$TheRules" | sudo iptables-restore
echo "$TheRules" | sudo ip6tables-restore

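One property of the iptables-restore approach above is that the whole file is rejected if any line is wrong, for instance a custom chain name that is mistyped in a `-j` target, and the host then keeps whatever ruleset it had before. The following is an added example, not part of james's script or the thread: a pre-flight check that parses rules text in iptables-save format and confirms that every chain referenced by `-A`/`-I` or jumped to with `-j`/`-g` is declared with a `:NAME` line in the same table, or is one of a short list of targets iptables provides itself. The two embedded rulesets are constructed for the demonstration (one modelled on the script above, one with a deliberate typo), and the list of built-in targets is an assumption you would extend with any extension targets you use.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for rules text in
# iptables-save format, to run before piping it into iptables-restore.

# Targets that are not user-defined chains.  Assumption for this example:
# only these are in use; add any extension target you rely on.
BUILTIN_TARGETS="ACCEPT DROP REJECT RETURN LOG"

# Constructed ruleset modelled on the script above (chain name spelt correctly).
RULES_OK='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:InputProtection - [0:0]
-A INPUT -j InputProtection
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A InputProtection -p tcp ! --syn -m state --state NEW -j DROP
COMMIT'

# Constructed ruleset with a deliberate typo in the jump target.
RULES_BAD='*filter
:INPUT DROP [0:0]
:InputProtection - [0:0]
-A INPUT -j InputProtecton
COMMIT'

# check_chain_refs RULES_TEXT
# Exits 0 when every chain reference resolves; otherwise prints each
# offender and exits 1.  Chain declarations are forgotten at each "*table"
# line, since chains are scoped to their table.
check_chain_refs() {
    printf '%s\n' "$1" | awk -v builtin_list="$BUILTIN_TARGETS" '
        BEGIN {
            bad = 0
            n = split(builtin_list, b, " ")
            for (i = 1; i <= n; i++) builtin[b[i]] = 1
        }
        /^\*/ { split("", declared); next }          # new table: reset chains
        /^:/  { declared[substr($1, 2)] = 1; next }  # ":NAME policy [pkts:bytes]"
        $1 == "-A" || $1 == "-I" {
            if (!($2 in declared)) { print "undeclared chain in " $1 ": " $2; bad = 1 }
            for (i = 3; i < NF; i++)
                if (($i == "-j" || $i == "-g") && !($(i+1) in declared) && !($(i+1) in builtin)) {
                    print "undeclared jump target: " $(i+1); bad = 1
                }
        }
        END { exit bad }
    '
}

# Stand-alone usage.  In a script like the one above this would gate the
# restore:  check_chain_refs "$TheRules" && echo "$TheRules" | sudo iptables-restore
check_chain_refs "$RULES_OK" && echo "RULES_OK: all chain references resolve"
check_chain_refs "$RULES_BAD" || echo "RULES_BAD: rejected before restore"
```

The check only looks at chain names; it does not validate match options, so `iptables-restore` itself remains the final authority. It catches the class of mistake that is hardest to spot by eye in a here-string, and it does so before the kernel is touched.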
