
Re: Rejecting connections to 127.0.0.1 from eth0



Hi,

Turbo Fredriksson wrote:
> I get a lot of port scans to 127.0.0.1 and they MUST be coming
> from eth0!
>
> I thought that rules like this should suffice, but it doesn't
> seem like it does:
>
> ----- s n i p -----
> # Setting up connections to 127.0.0.1 via external interface
> /sbin/iptables -A INPUT -i eth0 -d 127.0.0.1 -j REJECT --reject-with tcp-reset --protocol tcp
> /sbin/iptables -A INPUT -i eth0 -d 127.0.0.1 -j DROP --protocol udp
> ----- s n i p -----
One point: there is a case where you'll want to ACCEPT this (certainly
weird) traffic to 127.0.0.1 at eth0:

If you are using IPVS to load-balance your traffic, it often doesn't
work when the real server itself wants to access your load-balanced service.
To solve this, it's common to use
    iptables -I OUTPUT -d <your_load_balanced_ip> -j REDIRECT
so that the traffic going to the load-balanced IP address from your real
backend servers will be redirected to the local address.
I found that this case creates strange packets whose destination is
127.0.0.1 and whose incoming interface is eth0 ...
So the firewall rule up there should not be used on a real server behind
an IPVS load balancer.
    (It took me 1 hour to find the reason why this redirect didn't work
... )

--
Benjamin Sonntag
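As an added example (not from either poster), a small firewall-script fragment that combines both messages: it logs the eth0 -> 127.0.0.1 traffic Turbo sees before rejecting it, puts `-p tcp` on the REJECT rule so `--reject-with tcp-reset` is accepted by iptables, and skips the blocking rules entirely when the host is an IPVS real server, as Benjamin's caveat advises. The interface name eth0 is taken from the thread; the `DRY_RUN` and `IPVS_REAL_SERVER` variables and the log prefix are assumptions of this example.

```shell
#!/bin/sh
# Example firewall fragment (constructed for this thread, not the original
# poster's script).  DRY_RUN=1 prints the iptables commands instead of
# executing them, so the rule order can be inspected without root.
# IPVS_REAL_SERVER=1 marks a real server behind an IPVS director.

IPTABLES=${IPTABLES:-/sbin/iptables}
EXT_IF=${EXT_IF:-eth0}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Rules for packets that arrive on the external interface but claim the
# loopback address as destination.  Nothing legitimate should look like
# this on an ordinary host, so it is logged (rate-limited) and refused.
loopback_spoof_rules() {
    if [ "${IPVS_REAL_SERVER:-0}" = 1 ]; then
        # Behind IPVS, the usual OUTPUT REDIRECT for the service IP produces
        # genuine packets to 127.0.0.1 that show up with -i eth0; blocking
        # them breaks the real server's access to its own service.
        echo "# IPVS real server: loopback-destination rules skipped" >&2
        return 0
    fi
    # Log first, rate-limited so a scan burst cannot flood syslog.
    run -A INPUT -i "$EXT_IF" -d 127.0.0.1 -m limit --limit 5/min \
        -j LOG --log-prefix "LOOPBACK-SPOOF: "
    # -p tcp is required for --reject-with tcp-reset to be valid.
    run -A INPUT -i "$EXT_IF" -d 127.0.0.1 -p tcp \
        -j REJECT --reject-with tcp-reset
    run -A INPUT -i "$EXT_IF" -d 127.0.0.1 -p udp -j DROP
}
```

Run with `DRY_RUN=1 . ./rules.sh; loopback_spoof_rules` to review the generated commands, then without `DRY_RUN` as root to apply them.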
