Question: Iptables -- 127.0.0.1
Carlos Moreno (Msg. 1) Posted: Tue May 02, 2006 8:59 pm
Post subject: Question: Iptables -- 127.0.0.1
Archived from groups: comp.os.linux.security

I have a little confusion with this.

I hear about this "sanity check" for packets that may have
a spoofed source address (or destination) of 127.0.0.1

Every single reference, tutorial, sample iptables scripts,
etc. that I've seen, they address the issue referring to
127.0.0.1 as the loopback address. Example:

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -j DROP
iptables -A INPUT -d 127.0.0.1 -j DROP

That way, if the packet legitimately is from the host to
itself, then it will match the first rule and pass; if
a packet did not pass the first rule, then it can not
possibly have source or destination IP of 127.0.0.1, and
thus it is dropped, guilty of being a fake packet.

What was recently brought to my attention is: shouldn't
that be 127.0.0.0/255.0.0.0 ?? That is, shouldn't the
entire range 127.*.*.* be considered? I'm not sure the
claim has merit, but it made me wonder -- I always
thought 127.0.0.1 is *the one* special IP address for
the loopback interface; but I'm told that the entire
range 127.*.*.* has the same effect? Can someone
clarify this?

If the claim is true, then why aren't all the examples
and tutorials on iptables out there using the 127.0.0.0/8
subnet?

Thanks,

Carlos
Secure Buddha (Msg. 2) Posted: Wed May 03, 2006 1:05 am
Post subject: Re: Question: Iptables -- 127.0.0.1

You are correct, Carlos.

The entire Class A Non-Routable address range should be evaluated
against. The reason that in most example scripts that 127.0.0.1 is
utilized is due to the fact that it is common practice to allocate this
address to the loopback function.

It is entirely conceivable that a person could alter this address to
utilize any address within the Class A Non-Routable address range. Thus
you should first verify that your loopback interface is in fact
assigned the ip address that you expect. And that the route assigned to
the loopback interface is the Class A Non-Routable address range.

Thomas
Moe Trin (Msg. 3) Posted: Wed May 03, 2006 10:23 am
Post subject: Re: Question: Iptables -- 127.0.0.1

On Tue, 02 May 2006, in the Usenet newsgroup comp.os.linux.security, in article
, Carlos Moreno wrote:

>I hear about this "sanity check" for packets that may have
>a spoofed source address (or destination) of 127.0.0.1
>
>Every single reference, tutorial, sample iptables scripts,
>etc. that I've seen, they address the issue referring to
>127.0.0.1 as the loopback address.

Weellll... "the loopback address" is 127.0.0.1 by convention, but the
entire network is used that way. Simple test: Try pinging/telnet/what-ever
to any address in that range, and your own system will be the one responding.

[firewood ~]# /usr/sbin/tcpdump -i lo
tcpdump: listening on lo
07:37:20.390000 localhost > 127.127.127.127: icmp: echo request
07:37:20.390000 localhost > 127.127.127.127: icmp: echo request
07:37:20.390000 127.127.127.127 > localhost: icmp: echo reply
07:37:20.390000 127.127.127.127 > localhost: icmp: echo reply
[firewood ~]#

>What was recently brought to my attention is: shouldn't
>that be 127.0.0.0/255.0.0.0 ??

1122 Requirements for Internet Hosts - Communication Layers. R.
Braden, Ed.. October 1989. (Format: TXT=295992 bytes) (Updated by
RFC1349, RFC4379) (Also STD0003) (Status: STANDARD)

2827 Network Ingress Filtering: Defeating Denial of Service Attacks
which employ IP Source Address Spoofing. P. Ferguson, D. Senie. May
2000. (Format: TXT=21258 bytes) (Obsoletes RFC2267) (Updated by
RFC3704) (Also BCP0038) (Status: BEST CURRENT PRACTICE)

3330 Special-Use IPv4 Addresses. IANA. September 2002. (Format:
TXT=16200 bytes) (Status: INFORMATIONAL)

3704 Ingress Filtering for Multihomed Networks. F. Baker, P. Savola.
March 2004. (Format: TXT=35942 bytes) (Updates RFC2827) (Also
BCP0084) (Status: BEST CURRENT PRACTICE)

While RFC2827 does _not_ mention 127.* (nor does RFC0791), the others
do, _and_ specify it as a /8. See RFC1122 Section 3.2.1.3 (g), RFC3330
Section 2, RFC3704 Section 1, and RFC2827 Section 4.

>If the claim is true, then why aren't all the examples
>and tutorials on iptables out there using the 127.0.0.0/8
>subnet?

Probably because it's traditional to only speak of the loopback as that
one single address. However, a very quick check of the Firewall-HOWTO,
IPCHAINS-HOWTO, and Security-Quickstart-HOWTO show that those authors
did specify the full network, while at least early copies of the
'iptables-HOWTO' and 'packet-filtering-HOWTO' (from Rusty Russell, the
author of the packet-filtering code in the kernel) showed just a host
address.

Old guy
Moe Trin (Msg. 4) Posted: Wed May 03, 2006 2:52 pm
Post subject: Re: Question: Iptables -- 127.0.0.1

On Wed, 03 May 2006, in the Usenet newsgroup comp.os.linux.security, in article
, I wrote:

[List of RFCs]

1812 Requirements for IP Version 4 Routers. F. Baker, Ed.. June 1995.
(Format: TXT=415740 bytes) (Obsoletes RFC1716, RFC1009) (Updated by
RFC2644) (Status: PROPOSED STANDARD)

Section 4.2.2.11 (e) also lists 127.0.0.0/8. See also section 5.3.7, which
says:

5.3.7 Martian Address Filtering

An IP source address is invalid if it is a special IP address, as
defined in 4.2.2.11 or 5.3.7, or is not a unicast address.

An IP destination address is invalid if it is among those defined as
illegal destinations in 4.2.3.1, or is a Class E address (except
255.255.255.255).

A router SHOULD NOT forward any packet that has an invalid IP source
address or a source address on network 0. A router SHOULD NOT
forward, except over a loopback interface, any packet that has a
source address on network 127. A router MAY have a switch that
allows the network manager to disable these checks. If such a switch
is provided, it MUST default to performing the checks.

If a router discards a packet because of these rules, it SHOULD log
at least the IP source address, the IP destination address, and, if
the problem was with the source address, the physical interface on
which the packet was received and the Link Layer address of the host
or router from which the packet was received.

Note that this is a "SHOULD NOT", rather than a "MUST NOT". See section
1.2.2 of RFC1812 if you aren't familiar with what those terms are meant
to be interpreted as.

Now, the next question is if your perimeter routers comply with this
requirement. Not all do, because there is a cost in CPU cycles. Oh, and
you'll also want to read section 5.3.8 of this document as well.

Old guy
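The following is an added example, not code posted by anyone in this thread. It models, in plain Python, the two points made in Msg. 3 and Msg. 4: a first-match walk of the three INPUT rules from the original question shows that the host-only version (127.0.0.1) lets a packet with source 127.127.127.127 through while the 127.0.0.0/8 version drops it, and a small RFC 1812 section 5.3.7 style martian check shows the fields that section says to log. The rule evaluator, the Rule class, the packet tuples and the martian prefix list are all constructed for the example (the martian list is a subset, not a full bogon list); the rendered iptables commands use only the standard -i, ! -i, -s, -d and -j options.

```python
"""Toy first-match packet filter: why loopback anti-spoof rules need 127.0.0.0/8.

Added example for this thread, not code posted by any participant.
Every "packet" below is a constructed (in_iface, src, dst) tuple, not a capture.
"""
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Source prefixes RFC 1812 section 5.3.7 treats as invalid on a real interface
# (special addresses from 4.2.2.11 plus non-unicast sources).
# Constructed subset for the example; not an exhaustive bogon list.
MARTIAN_SOURCES: List[IPv4Network] = [
    ip_network("0.0.0.0/8"),     # "this" network
    ip_network("127.0.0.0/8"),   # loopback: the whole /8, not just .1
    ip_network("224.0.0.0/4"),   # multicast, never a valid unicast source
    ip_network("240.0.0.0/4"),   # class E (reserved)
]


class Rule:
    """One iptables-style rule: optional interface/address matches and a target."""

    def __init__(self, target: str, in_iface: Optional[str] = None,
                 not_in_iface: Optional[str] = None,
                 src: Optional[str] = None, dst: Optional[str] = None):
        self.target = target
        self.in_iface = in_iface                        # -i IFACE
        self.not_in_iface = not_in_iface                # ! -i IFACE
        self.src = ip_network(src) if src else None     # -s NET
        self.dst = ip_network(dst) if dst else None     # -d NET

    def matches(self, iface: str, src: IPv4Address, dst: IPv4Address) -> bool:
        if self.in_iface is not None and iface != self.in_iface:
            return False
        if self.not_in_iface is not None and iface == self.not_in_iface:
            return False
        if self.src is not None and src not in self.src:
            return False
        if self.dst is not None and dst not in self.dst:
            return False
        return True

    def to_iptables(self, chain: str = "INPUT") -> str:
        """Render the rule as the command one would put in a firewall script."""
        parts = ["iptables", "-A", chain]
        if self.in_iface:
            parts += ["-i", self.in_iface]
        if self.not_in_iface:
            parts += ["!", "-i", self.not_in_iface]
        if self.src:
            parts += ["-s", str(self.src)]
        if self.dst:
            parts += ["-d", str(self.dst)]
        parts += ["-j", self.target]
        return " ".join(parts)


def evaluate(rules: List[Rule], iface: str, src: str, dst: str,
             policy: str = "ACCEPT") -> str:
    """First-match walk of a chain, like iptables; the policy applies if nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(iface, s, d):
            return rule.target
    return policy


# The three rules as published in most tutorials: host address only.
HOST_ONLY_RULES = [
    Rule("ACCEPT", in_iface="lo"),
    Rule("DROP", src="127.0.0.1/32"),
    Rule("DROP", dst="127.0.0.1/32"),
]

# Same intent over the whole /8. "! -i lo" makes each DROP self-contained,
# so it no longer depends on the ACCEPT being ordered first.
NETWORK_RULES = [
    Rule("ACCEPT", in_iface="lo"),
    Rule("DROP", not_in_iface="lo", src="127.0.0.0/8"),
    Rule("DROP", not_in_iface="lo", dst="127.0.0.0/8"),
]


def is_martian_source(src: str) -> bool:
    """RFC 1812 5.3.7 style check: is this source address invalid on the wire?"""
    return any(ip_address(src) in net for net in MARTIAN_SOURCES)


def martian_log(packets: List[Tuple[str, str, str]]) -> List[dict]:
    """For each martian arriving on a non-loopback interface, return the fields
    RFC 1812 5.3.7 says to log: source, destination and ingress interface."""
    return [{"iface": i, "src": s, "dst": d}
            for (i, s, d) in packets if i != "lo" and is_martian_source(s)]


if __name__ == "__main__":
    # Constructed packets: a real loopback ping like the tcpdump above, a spoof
    # using the conventional address, and a spoof using 127.127.127.127.
    SAMPLES = [("lo", "127.0.0.1", "127.127.127.127"),
               ("eth0", "127.0.0.1", "10.0.0.5"),
               ("eth0", "127.127.127.127", "10.0.0.5"),
               ("eth0", "192.0.2.10", "10.0.0.5")]
    for iface, s, d in SAMPLES:
        print(f"{iface:5} {s:>16} -> {d:<16} host-only={evaluate(HOST_ONLY_RULES, iface, s, d):6}"
              f" /8={evaluate(NETWORK_RULES, iface, s, d)}")
    for r in NETWORK_RULES:
        print(r.to_iptables())
```

The host-only ruleset accepts the eth0 packet sourced from 127.127.127.127, exactly the case the thread is about, while the /8 ruleset drops it and still accepts the genuine loopback traffic on lo. In a real script the same check belongs on every non-loopback interface, and the kernel's own reverse-path filter is a second, independent layer for it.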