iptables -A INPUT -j ACCEPT -s 127.0.0.1 # local host
iptables -A OUTPUT -j ACCEPT -d 127.0.0.1
Correct me if I'm wrong, but I think this would also allow incoming
traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing
his IP address to appear to be 127.0.0.1 could send _any_ traffic
to you and you would ACCEPT it, basically rendering the firewall
useless. Did I miss anything?
The following should be better, as it only allows traffic to/from the
loopback interface (but not eth0 or what have you)...
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -j ACCEPT -s 192.168.0.0/28 # a /28 covers 192.168.0.0-192.168.0.15, not just .1-.7
iptables -A OUTPUT -j ACCEPT -d 192.168.0.0/28
IP-based blocking of traffic is almost always not a good idea. Same
reason as above - IPs are easily faked, so any intruder could
pretend to be 192.168.0.2 and would bypass the firewall.
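To make the difference between the two rule styles concrete, here is an added example (not from the original post or from iptables itself): a small Python model of first-match chain evaluation. It runs the source-address ruleset and an interface-bound ruleset over constructed packets, including one that claims 127.0.0.1 as its source but arrives on eth0. The interface names eth0 and eth1, the LAN range 192.168.0.0/28 and the packet addresses are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """A constructed inbound packet: arrival interface, source and destination."""
    iface: str
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    """One INPUT rule. src mirrors -s, in_iface mirrors -i, not_in_iface mirrors '! -i'."""
    target: str
    src: Optional[str] = None
    in_iface: Optional[str] = None
    not_in_iface: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None:
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(pkt.src) not in net:
                return False
        if self.in_iface is not None:
            same = pkt.iface == self.in_iface
            # a plain -i wants the same interface; '! -i' wants a different one
            if same == self.not_in_iface:
                return False
        return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule decides, like an iptables chain; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Ruleset A: the source-address rules from the quoted post.
SOURCE_BASED = [
    Rule("ACCEPT", src="127.0.0.1"),
    Rule("ACCEPT", src="192.168.0.0/28"),
]

# Ruleset B: loopback is matched by interface, and the LAN range is bound to
# an assumed LAN-facing interface eth1. The first rule is an explicit
# anti-spoofing drop: loopback sources must never arrive on a non-lo interface.
INTERFACE_BASED = [
    Rule("DROP", src="127.0.0.0/8", in_iface="lo", not_in_iface=True),
    Rule("ACCEPT", in_iface="lo"),
    Rule("ACCEPT", src="192.168.0.0/28", in_iface="eth1"),
]

# Constructed packets (all addresses are illustrative).
SPOOFED_LOOPBACK = Packet("eth0", "127.0.0.1", "10.0.0.5")
REAL_LOOPBACK = Packet("lo", "127.0.0.1", "127.0.0.1")
SPOOFED_LAN = Packet("eth0", "192.168.0.2", "10.0.0.5")
REAL_LAN = Packet("eth1", "192.168.0.2", "192.168.0.1")


def compare(pkt: Packet) -> dict:
    """Verdict of both rulesets for one packet, keyed by ruleset name."""
    return {
        "source_based": evaluate(SOURCE_BASED, pkt),
        "interface_based": evaluate(INTERFACE_BASED, pkt),
    }


if __name__ == "__main__":
    for name, pkt in [("spoofed loopback on eth0", SPOOFED_LOOPBACK),
                      ("real loopback", REAL_LOOPBACK),
                      ("spoofed LAN address on eth0", SPOOFED_LAN),
                      ("real LAN address on eth1", REAL_LAN)]:
        print(f"{name:30s} {compare(pkt)}")
```

The source-based chain accepts both spoofed packets because it never looks at where a packet came in; the interface-bound chain drops them while still accepting the genuine loopback and LAN traffic. Two caveats for real hosts: the Linux kernel already treats 127.0.0.0/8 sources arriving on a non-loopback interface as martians and discards them unless `route_localnet` is enabled, so the explicit drop is belt-and-braces; and binding a LAN range to an interface only narrows spoofing to hosts actually on that segment, which is the limit of what address filtering can do.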