Re: Rejecting connections to 127.0.0.1 from eth0

[Matt Cuttler <mcuttler@bnl.gov>]

Michael Loftis wrote:
>
> Either way, something more nefarious than a portscan is going on if
> the DEST IP is not one of yours.  if the *SOURCE* IP is 127.0.0.1
> (which I find more likely) then that's just spoofed packets and you
> need better ingress/egress filtering at the borders of your network.
Yeah, what he said :) 

I concur: the likelyhood is higher that the *source* IP was spoofed as
127.0.0.1. And if that's the case (and you don't suspect that another
host in the same L2/L3 VLAN is attacking you), you're going to want to
check on your router ACLs - which ideally should be blocking such martians.

Regardless, you probably want to keep those two iptables rules in place
(the two rules that drop traffic with source and dest address of
127.0.0.1 on interfaces ! = lo). You might want to insert some similar
rules before the DROPs that LOGs, too. This combination will give you
some more insight into what's going on; you can see which rules are
getting hit (with an iptables -L -v -n, and by reviewing your log
files), and possibly provide you with a MAC address to focus your
investigation on. It might also help confirm / deny that a router ACL is
in place to block martians -- if the traffic did indeed originate offsite.

Feel free to supply packet dumps. Feel free to sanitize your own IP
address in this report, if they're not RFC1918 addresses..

Hope that helps,
Matt Cuttler