Question: Iptables --



I have a little confusion with this.

I hear about this "sanity check" for packets that may have
a spoofed source address (or destination) of

Every single reference, tutorial, sample iptables script,
etc. that I've seen addresses the issue referring to as the loopback address.  Example:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s -j DROP
iptables -A INPUT -d -j DROP

That way, if the packet legitimately is from the host to
itself, then it will match the first rule and pass;  if
a packet did not pass the first rule, then it can not
possibly have source or destination IP of, and
thus it is dropped, guilty of being a fake packet.

What was recently brought to my attention is:  shouldn't
that be ??  That is, shouldn't the
entire range 127.*.*.* be considered?  I'm not sure the
claim has merit, but it made me wonder -- I always
thought is *the one* special IP address for
the loopback interface;  but I'm told that the entire
range 127.*.*.* has the same effect?  Can someone
clarify this?

If the claim is true, then why aren't all the examples
and tutorials on iptables out there using the



Re: Question: Iptables --

You are correct, Carlos.

The entire Class A Non-Routable address range should be evaluated
against. The reason that in most example scripts that is
utilized is due to the fact that it is common practice to allocate this
address to the loopback function.

It is entirely conceivable that a person could alter this address to
utilize any address within the Class A Non-Routable address range. Thus
you should first verify that your loopback interface is in fact
assigned the ip address that you expect. And that the route assigned to
the loopback interface is the Class A Non-Routable address range.
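To make the difference between the host-only rule and the /8 rule concrete, here is an added example (not code from either poster) that models an iptables INPUT chain with first-match semantics and runs a handful of constructed packets through both versions of the three rules. The `Rule` class, the packet list and the interface name `eth0` are assumptions for illustration; the model also assumes the chain's default policy is ACCEPT, which is exactly the case where the explicit DROP rules matter.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical minimal model of an iptables chain: each rule matches on an
# optional input interface (-i), source network (-s) and destination
# network (-d); the first rule that matches decides the verdict.
@dataclass(frozen=True)
class Rule:
    target: str                      # "ACCEPT" or "DROP"
    in_iface: Optional[str] = None   # -i <iface>
    src: Optional[str] = None        # -s <network or host>
    dst: Optional[str] = None        # -d <network or host>

    def matches(self, iface: str, src: str, dst: str) -> bool:
        if self.in_iface is not None and self.in_iface != iface:
            return False
        if self.src is not None and \
                ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and \
                ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst):
            return False
        return True

    def to_iptables(self, chain: str = "INPUT") -> str:
        # Render the rule as the command line one would actually type.
        parts = ["iptables", "-A", chain]
        if self.in_iface:
            parts += ["-i", self.in_iface]
        if self.src:
            parts += ["-s", self.src]
        if self.dst:
            parts += ["-d", self.dst]
        parts += ["-j", self.target]
        return " ".join(parts)

DEFAULT_POLICY = "ACCEPT"   # assumed chain policy (iptables -P INPUT ACCEPT)

def verdict(chain, iface: str, src: str, dst: str) -> str:
    """First-match evaluation, falling through to the chain policy."""
    for rule in chain:
        if rule.matches(iface, src, dst):
            return rule.target
    return DEFAULT_POLICY

# The rule set most tutorials show: only the single loopback host address.
HOST_ONLY = [
    Rule("ACCEPT", in_iface="lo"),
    Rule("DROP", src="127.0.0.1/32"),
    Rule("DROP", dst="127.0.0.1/32"),
]

# The rule set the thread argues for: the whole 127.0.0.0/8 network.
FULL_NET = [
    Rule("ACCEPT", in_iface="lo"),
    Rule("DROP", src="127.0.0.0/8"),
    Rule("DROP", dst="127.0.0.0/8"),
]

# Constructed sample packets: (input interface, source, destination).
PACKETS = [
    ("lo",   "127.0.0.1", "127.0.0.1"),  # genuine loopback traffic
    ("lo",   "127.0.0.2", "127.0.0.1"),  # genuine, using another 127.x address
    ("eth0", "127.0.0.1", "10.0.0.5"),   # spoofed loopback source on the wire
    ("eth0", "127.0.0.2", "10.0.0.5"),   # spoofed source that a /32 rule misses
    ("eth0", "10.0.0.9",  "127.5.5.5"),  # spoofed 127.x destination
    ("eth0", "10.0.0.9",  "10.0.0.5"),   # ordinary traffic
]

def compare(packets=PACKETS):
    """Return (iface, src, dst, host-only verdict, /8 verdict) per packet."""
    return [
        (iface, src, dst,
         verdict(HOST_ONLY, iface, src, dst),
         verdict(FULL_NET, iface, src, dst))
        for iface, src, dst in packets
    ]

def render(chain):
    return [rule.to_iptables() for rule in chain]

if __name__ == "__main__":
    for iface, src, dst, host_only, full_net in compare():
        print(f"{iface:5} {src:>10} -> {dst:<10} host-only={host_only:6} /8={full_net}")
    print()
    print("\n".join(render(FULL_NET)))
```

The two packets that differ are the ones with a 127.x source or destination other than the single host address arriving on the wire interface: the host-only chain accepts them, the /8 chain drops them. Before relying on the `-i lo` accept rule, confirm what the loopback interface actually carries with `ip -4 addr show dev lo` and `ip -4 route show table local dev lo`; on a stock Linux host the /8 is attached to `lo`, which is why any 127.x.y.z address answers locally.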


Re: Question: Iptables --

On Tue, 02 May 2006, in the Usenet newsgroup, in article


Weellll...  "the loopback address" is by convention, but the
entire network is used that way. Simple test: Try pinging/telnet/what-ever
to any address in that range, and your own system will be the one responding.

[firewood ~]# /usr/sbin/tcpdump -i lo
tcpdump: listening on lo
07:37:20.390000 localhost > icmp: echo request
07:37:20.390000 localhost > icmp: echo request
07:37:20.390000 > localhost: icmp: echo reply
07:37:20.390000 > localhost: icmp: echo reply
[firewood ~]#


  1122 Requirements for Internet Hosts - Communication Layers. R.
       Braden, Ed.. October 1989. (Format: TXT=295992 bytes) (Updated by
       RFC1349, RFC4379) (Also STD0003) (Status: STANDARD)

  2827 Network Ingress Filtering: Defeating Denial of Service Attacks
       which employ IP Source Address Spoofing. P. Ferguson, D. Senie. May
       2000. (Format: TXT=21258 bytes) (Obsoletes RFC2267) (Updated by
       RFC3704) (Also BCP0038) (Status: BEST CURRENT PRACTICE)

  3330 Special-Use IPv4 Addresses. IANA. September 2002. (Format:
       TXT=16200 bytes) (Status: INFORMATIONAL)

  3704 Ingress Filtering for Multihomed Networks. F. Baker, P. Savola.
       March 2004. (Format: TXT=35942 bytes) (Updates RFC2827) (Also
       BCP0084) (Status: BEST CURRENT PRACTICE)

While RFC2827 does _not_ mention 127.* (nor does RFC0791), the others
do, _and_ specify it as a /8. See RFC1122 Section (g),  RFC3330
Section 2, RFC3704 Section 1, and RFC2827 Section 4.


Probably because it's traditional to only speak of the loopback as that
one single address.  However, a very quick check of the Firewall-HOWTO,
IPCHAINS-HOWTO, and Security-Quickstart-HOWTO show that those authors
did specify the full network, while at least early copies of the
'iptables-HOWTO' and 'packet-filtering-HOWTO' (from Rusty Russell, the
author of the packet-filtering code in the kernel) showed just a host

        Old guy

Re: Question: Iptables --

On Wed, 03 May 2006, in the Usenet newsgroup, in article

[List of RFCs]

  1812 Requirements for IP Version 4 Routers. F. Baker, Ed.. June 1995.
       (Format: TXT=415740 bytes) (Obsoletes RFC1716, RFC1009) (Updated by
       RFC2644) (Status: PROPOSED STANDARD)

Section (e) also lists  See also section 5.3.7, which

   5.3.7 Martian Address Filtering

   An IP source address is invalid if it is a special IP address, as
   defined in or 5.3.7, or is not a unicast address.

   An IP destination address is invalid if it is among those defined as
   illegal destinations in, or is a Class E address (except

   A router SHOULD NOT forward any packet that has an invalid IP source
   address or a source address on network 0.  A router SHOULD NOT
   forward, except over a loopback interface, any packet that has a
   source address on network 127.  A router MAY have a switch that
   allows the network manager to disable these checks.  If such a switch
   is provided, it MUST default to performing the checks.

   If a router discards a packet because of these rules, it SHOULD log
   at least the IP source address, the IP destination address, and, if
   the problem was with the source address, the physical interface on
   which the packet was received and the Link Layer address of the host
   or router from which the packet was received.

Note that this is a "SHOULD NOT", rather than a "MUST NOT". See section
1.2.2 of RFC1812 if you aren't familiar with how those terms are meant
to be interpreted.

Now, the next question is if your perimeter routers comply with this
requirement.  Not all do, because there is a cost in CPU cycles. Oh, and
you'll also want to read section 5.3.8 of this document as well.

        Old guy
