LinuxQuestions.org

Linux - Security: Local interface/IP (https://www.linuxquestions.org/questions/linux-security-4/local-interface-ip-31695/)

bullzzz 10-02-2002 08:49 AM

Local interface/IP
 
I got this from a website,

$IPTABLES -A TCP ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A TCP ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A TCP ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A TCP ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
....

Knowing LAN_IFACE is "eth1" and LO_IFACE is "lo" &
LO_IP is 127.0.0.1, LAN_IP is.... blah blah....
I understand the purpose of accepting LAN packets through the LAN interface,
but why do we need to accept LAN and internet packets from the loopback interface?

~confuse :confused:

tarballedtux 10-02-2002 07:11 PM

That site should go on a list called "DO NOT read, mental problems may occur after reading".

By default IPTABLES accepts all incoming connections, so those commands are useless. It does however block FORWARDS, which is smart of netfilter or whoever. So... anyway, that script doesn't do anything really. To answer your question, accepting LAN packets to LO is wrong. That's an impossible IP operation: 127.0.0.1 isn't an address you can make a connection with remotely. Also to note, loopback doesn't just refer to 127.0.0.1, it refers to 127.0.0.0, meaning 127.56.78.23 is a valid loopback, and so is 127.255.255.3... muhahahaha

--tarballedtux

bullzzz 10-03-2002 07:43 AM

Thanx, I understand the loopback addresses are around the range of 127.0.0.0/8. But what is the local interface for? If we build a firewall, is it important to accept loopback addresses from the local interface, be it for output, input or forwarding?

tarballedtux 10-07-2002 09:32 PM

Not sure. You do probably want to NOT forward LOOPBACK requests because, for all I can think of, that's just malicious intent.

$IPTABLES -A FORWARD -i lo -j DROP

That should not stifle the system, if it does get rid of it!

--tarballedtux
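As an added example (not from the thread or either poster), a POSIX shell fragment that prints the minimal loopback policy a host firewall needs and classifies addresses in 127.0.0.0/8; the IPTABLES variable defaults to "echo iptables" so nothing is applied unless you change it.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal loopback policy for a host
# firewall plus a helper that classifies addresses in 127.0.0.0/8.
# IPTABLES defaults to "echo iptables" so the rules are printed, not applied;
# set IPTABLES=iptables and run as root to load them for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Return 0 when $1 is a dotted-quad address inside 127.0.0.0/8 (the whole
# block is loopback, not only 127.0.0.1), 1 otherwise. A simple pattern
# match, not a full IPv4 validator.
is_loopback() {
    case "$1" in
        127.*.*.*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Emit (or apply) the loopback rules:
#  - traffic on the lo interface itself is always allowed, in and out,
#    so per-address "-i lo -s 127.0.0.1" rules like the quoted ones are
#    redundant once lo is accepted wholesale;
#  - a packet claiming a 127/8 source on any *other* interface is spoofed
#    and is dropped; that is the check that actually protects the host;
#  - nothing is ever forwarded from or to the loopback interface.
loopback_rules() {
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A INPUT  ! -i lo -s 127.0.0.0/8 -j DROP
    $IPTABLES -A FORWARD -i lo -j DROP
    $IPTABLES -A FORWARD -o lo -j DROP
}

# Count how many of the given addresses are loopback (constructed helper
# so the classification can be checked over a list of sample addresses).
count_loopback() {
    n=0
    for a in "$@"; do
        if is_loopback "$a"; then n=$((n + 1)); fi
    done
    echo "$n"
}
```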
