LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-17-2014, 11:15 AM   #1
jokar.mohsen
Member
 
Registered: Jul 2008
Location: Tehran
Posts: 441

Rep: Reputation: 22
Unhappy iptables and 127.0.0.1


Hello all.
I use below iptables command :

# iptables -F INPUT
# iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -j REJECT

but some programs like tor that use 127.0.0.1 not worked . How can I block all incoming connection without lost localhost.

Thank you.
 
Old 08-17-2014, 11:59 AM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 22,064

Rep: Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886
Quote:
Originally Posted by jokar.mohsen View Post
Hello all.
I use below iptables command :

# iptables -F INPUT
# iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -j REJECT

but some programs like tor that use 127.0.0.1 not worked . How can I block all incoming connection without lost localhost.
You add a rule to allow things to that address, on that port, or take that rule out. What are you trying to accomplish with that rule??? And AGAIN, as with most of your threads, you provide NO USEFUL INFORMATION. The same questions apply as they do for every question:
  • Verion/distro of Linux
  • What you're trying to accomplish
  • What you've done/tried so far.
Since you rarely reply to threads or answer questions, it's difficult to put much effort into guessing about answers.
 
1 members found this post helpful.
Old 08-18-2014, 06:13 AM   #3
jokar.mohsen
Member
 
Registered: Jul 2008
Location: Tehran
Posts: 441

Original Poster
Rep: Reputation: 22
I use debian and want to block all incoming connection to my PC. When I use some App like Tor or etc that need 127.0.0.1, They never worked . How can block incoming connection without lost 127.0.0.1


Thanks.
 
Old 08-18-2014, 09:46 AM   #4
dr98mav
LQ Newbie
 
Registered: Aug 2014
Location: IRAN
Distribution: debian 7.4 , ubuntu 13.10
Posts: 12

Rep: Reputation: Disabled
sorry i don't many work ip tables but
you can bock incoming by this commad (you don't block 127.0.0.1)

Code:
iptables -I INPUT -s 127.0.0.1 -j ACCEPT
iptables -I OUTPUT -s 127.0.0.1 -j ACCEPT
iptables -I INPUT -j DROP
iptables -I OUTPUT -j DROP
if my answer is not true sorry my friend
 
Old 08-18-2014, 09:58 AM   #5
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 22,064

Rep: Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886
Quote:
Originally Posted by jokar.mohsen View Post
I use debian and want to block all incoming connection to my PC. When I use some App like Tor or etc that need 127.0.0.1, They never worked . How can block incoming connection without lost 127.0.0.1
You don't 'block' 127.0.0.1...if you don't want people connecting to your system, then DON'T RUN SERVICES that allow connections. If you don't allow SSH connections from anywhere else, there's no need to 'block' it...same with FTP, HTTP, or any OTHER protocol. You secure those services one by one, providing you run them at all.

If all you're doing is connecting outwards, then you have nothing to 'block'.
 
Old 08-20-2014, 06:14 AM   #6
jokar.mohsen
Member
 
Registered: Jul 2008
Location: Tehran
Posts: 441

Original Poster
Rep: Reputation: 22
can you show me some insecure service to Block ?
 
Old 08-20-2014, 07:24 AM   #7
jokar.mohsen
Member
 
Registered: Jul 2008
Location: Tehran
Posts: 441

Original Poster
Rep: Reputation: 22
Quote:
Originally Posted by dr98mav View Post
sorry i don't many work ip tables but
you can bock incoming by this commad (you don't block 127.0.0.1)

Code:
iptables -I INPUT -s 127.0.0.1 -j ACCEPT
iptables -I OUTPUT -s 127.0.0.1 -j ACCEPT
iptables -I INPUT -j DROP
iptables -I OUTPUT -j DROP
if my answer is not true sorry my friend


It is not True and after it I can't ping 127.0.0.1
 
Old 08-20-2014, 09:44 AM   #8
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 22,064

Rep: Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886Reputation: 5886
Quote:
Originally Posted by jokar.mohsen View Post
can you show me some insecure service to Block ?
AGAIN, if you don't RUN the service, you don't need to BLOCK the service, do you???? ANY service can be 'insecure' and vulnerable...don't run them if you don't need them, period.

Also, AGAIN, as with most of your other threads, you STILL don't say what you're trying to accomplish, or answer questions asked of you.
 
Old 08-20-2014, 11:24 AM   #9
dr98mav
LQ Newbie
 
Registered: Aug 2014
Location: IRAN
Distribution: debian 7.4 , ubuntu 13.10
Posts: 12

Rep: Reputation: Disabled
Quote:
Originally Posted by jokar.mohsen View Post
It is not True and after it I can't ping 127.0.0.1
ok

how this?

Code:
iptables -A INPUT -j DROP
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -j DROP
iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT
plz tell me you can ping or no

plz send email for me :dr98mav@gmail.com
 
Old 08-24-2014, 01:26 PM   #10
cepheus11
Member
 
Registered: Nov 2010
Location: Germany
Distribution: Gentoo
Posts: 286

Rep: Reputation: 89
You need a rule to let answer packages in, to let localhost packages in, and to drop anything else:

Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -P INPUT DROP
 
Old 08-25-2014, 11:36 AM   #11
jokar.mohsen
Member
 
Registered: Jul 2008
Location: Tehran
Posts: 441

Original Poster
Rep: Reputation: 22
Quote:
Originally Posted by cepheus11 View Post
You need a rule to let answer packages in, to let localhost packages in, and to drop anything else:

Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -P INPUT DROP


Thank you so much. I can't ping 127.0.0.1
 
Old 08-25-2014, 01:54 PM   #12
cepheus11
Member
 
Registered: Nov 2010
Location: Germany
Distribution: Gentoo
Posts: 286

Rep: Reputation: 89
Quote:
Originally Posted by jokar.mohsen View Post
Thank you so much. I can't ping 127.0.0.1
The second rule should take care of this. What is your OUTPUT policy? Is it ACCEPT? Are there other rules in the OUTPUT chain? What is the exact output of ping? And does ping work if you change the INPUT policy to ACCEPT?

Another possibility for the second rule would be

Code:
iptables -A INPUT -i lo -j ACCEPT
..if your local interface is named "lo".

Also, can you post the output of

Code:
ifconfig -a
 
Old 08-27-2014, 08:36 AM   #13
jokar.mohsen
Member
 
Registered: Jul 2008
Location: Tehran
Posts: 441

Original Poster
Rep: Reputation: 22
Quote:
Originally Posted by cepheus11 View Post
The second rule should take care of this. What is your OUTPUT policy? Is it ACCEPT? Are there other rules in the OUTPUT chain? What is the exact output of ping? And does ping work if you change the INPUT policy to ACCEPT?

Another possibility for the second rule would be

Code:
iptables -A INPUT -i lo -j ACCEPT
..if your local interface is named "lo".

Also, can you post the output of

Code:
ifconfig -a

I want to use Tor but i don't lock to open input to my system.
 
Old 09-03-2014, 04:16 AM   #14
jokar.mohsen
Member
 
Registered: Jul 2008
Location: Tehran
Posts: 441

Original Poster
Rep: Reputation: 22
iptables -F
iptables -X

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 6667 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 6697 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 9050 -j ACCEPT

iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP


I use above commands but I can't ping my local network or use "rdesktop" command . How can I solve it? I use Debian.
 
Old 09-03-2014, 04:35 AM   #15
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233Reputation: 233Reputation: 233
How do you ping your machine? Do you ping it on IP address or on name?

Also your rules only accept incoming traffic on lo interface but not outgoing on lo. Thus after "iptables -A INPUT -i lo -j ACCEPT" add: "iptables -A OUTPUT -i lo -j ACCEPT"
Nother thing are your last two lines "iptables -A INPUT -j DROP; iptables -A OUTPUT -j DROP". You allready set this at the start. Also it wont hurt its just not needed.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
connect to 127.0.0.1[127.0.0.1]: Connection refused (port 10024) adamos22 Linux - Newbie 2 07-31-2013 01:40 PM
psad: scan detected: 127.0.0.1 -> 127.0.0.1 tcp macaal Linux - Security 4 06-17-2011 02:56 PM
IPtables redirect 127.0.0.1 to 192.168.1.113 nickname.random Linux - Networking 12 07-11-2010 06:32 PM
Sendmail : relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refuse macadam Linux - Software 0 09-23-2007 03:44 PM
DSN: Data format error & relay=[127.0.0.1] [127.0.0.1] calmbomb Linux - Software 0 11-07-2004 04:24 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:12 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration