
Re: Rejecting connections to 127.0.0.1 from eth0



In addition to what others have said, if you're indeed receiving packets to your machine with the wrong IP via eth0 then either someone in control of a machine on the same LAN or in control of the upstream router is sending them. The reason being that packets don't magically come to your door, they have to get routed there. Another (remote) possibility is your machine is sending out spurious ARP Replies for 127.0.0.1 to the local LAN and some devices are actually listening to that and sending their 127.0.0.1 traffic to you.

Either way, something more nefarious than a portscan is going on if the DEST IP is not one of yours. If the *SOURCE* IP is 127.0.0.1 (which I find more likely) then that's just spoofed packets and you need better ingress/egress filtering at the borders of your network.

--On November 11, 2006 12:12:15 PM +0100 Turbo Fredriksson <turbo@debian.org> wrote:

I get a lot of port scans to 127.0.0.1 and they MUST be coming
from eth0!

I thought that rules like this should suffice, but it doesn't
seem like it does:

----- s n i p -----
# Setting up connections to 127.0.0.1 via external interface
/sbin/iptables -A INPUT -i eth0 -d 127.0.0.1 -j REJECT --reject-with tcp-reset --protocol tcp
/sbin/iptables -A INPUT -i eth0 -d 127.0.0.1 -j DROP --protocol udp
----- s n i p -----


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org






--
Michael Loftis
Modwest Operations Manager
Powerful, Affordable Web Hosting
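As an added example (not part of this thread), a small Python checker that applies the SRC-versus-DST distinction drawn in the reply to iptables LOG lines: a loopback destination arriving on the external interface is flagged separately from a merely spoofed loopback source. The log lines are constructed, and eth0 being the only external interface is an assumption.

```python
"""Classify iptables LOG lines for loopback traffic seen on an external interface.

Added example, not from the original thread. Field layout follows the kernel's
iptables LOG target output (IN=, SRC=, DST=, PROTO=, ...); samples are constructed.
"""
import ipaddress
import re

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
EXTERNAL_IFACES = {"eth0"}  # assumption: eth0 is the only outward-facing interface

# Key=value fields emitted by the LOG target
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_log_line(line):
    """Return the key=value fields of one LOG line as a dict."""
    return dict(FIELD_RE.findall(line))

def classify(fields):
    """Label one parsed line. A loopback DESTINATION on eth0 means something on
    the LAN or the upstream router routed it to us; a loopback SOURCE is spoofed
    and calls for ingress filtering at the network border."""
    if fields.get("IN", "") not in EXTERNAL_IFACES:
        return "ignore"  # loopback traffic on lo itself is normal
    try:
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
    except (KeyError, ValueError):
        return "unparseable"
    if dst in LOOPBACK:
        return "routed-to-loopback"  # investigate LAN hosts / upstream router
    if src in LOOPBACK:
        return "spoofed-source"      # border ingress/egress filtering needed
    return "normal"

def summarize(lines):
    """Count each category over a batch of log lines."""
    counts = {}
    for line in lines:
        label = classify(parse_log_line(line))
        counts[label] = counts.get(label, 0) + 1
    return counts

# Constructed sample lines in iptables LOG format
SAMPLE_LOG = [
    "kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=127.0.0.1 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=4444 DPT=22",
    "kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=127.0.0.1 LEN=40 PROTO=TCP SPT=5555 DPT=80",
    "kernel: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=60 PROTO=TCP SPT=51000 DPT=25",
    "kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=UDP SPT=53 DPT=33000",
]
```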


