
Re: Rejecting connections to 127.0.0.1 from eth0



Turbo Fredriksson wrote:
> I get a lot of port scans to 127.0.0.1 and they MUST be coming
> from eth0!
> 
> I thought that rules like this should suffice, but it doesn't
> seem like it does:
> 
> ----- s n i p -----
> # Setting up connections to 127.0.0.1 via external interface
> /sbin/iptables -A INPUT -i eth0 -d 127.0.0.1 -j REJECT --reject-with tcp-reset --protocol tcp
> /sbin/iptables -A INPUT -i eth0 -d 127.0.0.1 -j DROP --protocol udp
> ----- s n i p -----
> 

How about dropping any traffic with a source or destination address of
127.0.0.0/8 (on any interface besides loopback):

iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

No reason to send back any ICMP or TCP resets, since you know that it's
bogus or hostile traffic.

-Matt
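To make the difference between the two rule sets concrete, here is an added example (not code from the thread) that models each rule set's verdict on constructed packets, showing what the destination-only rules pass: other loopback addresses, other protocols, spoofed loopback sources and other interfaces. The interface, address and protocol values are made up for illustration.

```python
# Added example: models the two INPUT rule sets discussed above.
# Verdicts are strings; "PASS" means the packet falls through to later rules.
import ipaddress

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def original_rules(iface, src, dst, proto):
    """The first poster's rules: eth0 only, dst 127.0.0.1 only, tcp/udp only."""
    if iface == "eth0" and dst == "127.0.0.1":
        if proto == "tcp":
            return "REJECT tcp-reset"
        if proto == "udp":
            return "DROP"
    return "PASS"


def matt_rules(iface, src, dst, proto):
    """Matt's rules: any interface but lo, src or dst anywhere in 127/8,
    every protocol, silent DROP."""
    if iface != "lo":
        if ipaddress.ip_address(src) in LOOPBACK_NET:
            return "DROP"
        if ipaddress.ip_address(dst) in LOOPBACK_NET:
            return "DROP"
    return "PASS"


# Constructed sample packets: (interface, source, destination, protocol)
SAMPLES = [
    ("eth0", "198.51.100.7", "127.0.0.1", "tcp"),   # the scan being seen
    ("eth0", "198.51.100.7", "127.0.0.2", "tcp"),   # other loopback address
    ("eth0", "198.51.100.7", "127.0.0.1", "icmp"),  # other protocol
    ("eth0", "127.0.0.1", "192.0.2.10", "tcp"),     # spoofed loopback source
    ("eth1", "198.51.100.7", "127.0.0.1", "udp"),   # different interface
    ("lo", "127.0.0.1", "127.0.0.1", "tcp"),        # genuine loopback traffic
]


def compare(samples=SAMPLES):
    """Return (packet, original verdict, Matt's verdict) for each sample."""
    return [(p, original_rules(*p), matt_rules(*p)) for p in samples]


if __name__ == "__main__":
    for pkt, old, new in compare():
        print(f"{pkt!s:48} original={old:17} matt={new}")
```

Only the first sample is handled by the original rules; the remaining non-loopback samples reach later rules, while Matt's two lines drop all of them and still leave real lo traffic alone.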


