Re: Rejecting connections to 127.0.0.1 from eth0
Turbo Fredriksson wrote:
> I get a lot of port scans to 127.0.0.1 and they MUST be comming
> from eth0!
>
> I thought that rules like this should suffice, but it doesn't
> seem like it does:
>
> ----- s n i p -----
> # Setting up connections to 127.0.0.1 via external interface
> /sbin/iptables -A INPUT -i eth0 -d 127.0.0.1 -j REJECT --reject-with tcp-reset --protocol tcp
> /sbin/iptables -A INPUT -i eth0 -d 127.0.0.1 -j DROP --protocol udp
> ----- s n i p -----
>
How about dropping any traffic with a source or destination address of
127.0.0.0/8 (on any interface besides loopback):
iptables -A INPUT -i ! lo -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i ! lo -d 127.0.0.0/8 -j DROP
No reason to send back any ICMP of TCP resets, since you know that it's
bogus or hostile traffic.
-Matt
Reply to: