I get a lot of port scans to 127.0.0.1 and they MUST be coming from eth0! I thought that rules like this should suffice, but it doesn't seem like they do:

----- s n i p -----
# Setting up connections to 127.0.0.1 via external interface
/sbin/iptables -A INPUT -i eth0 -d 127.0.0.1 -j REJECT --reject-with tcp-reset --protocol tcp
/sbin/iptables -A INPUT -i eth0 -d 127.0.0.1 -j DROP --protocol udp
----- s n i p -----