I have set up my Ubuntu server as a router and webserver by following the answer given here. My ISP-facing interface eth0 has a private 172.16.x.x/30 IP and my lo interface has a public IP, as mentioned in the answer to the question linked above. The setup is working well. The only snag I have experienced is that I could not find a way to block the ports exposed by the public IP on the lo interface. I tried doing iptables -A INPUT -i eth0 -j DROP, and my server lost connectivity to the public network (internet). I could not ping any public IPs. What I want is a way to block ports that are exposed by the public IP on the lo interface. I also require iptables rules that can expose ports like 80 or the OpenVPN port to the public network.

nixnotwin
  • why does `lo` have a public IP? o.O – Tom O'Connor Jul 03 '12 at 17:10
  • The link in my answer wasn't working. Now I corrected it. My ISP routes to me a public `/29` subnet via a private `/30` subnet. I connect to the ISP via the private `/30` subnet. I cannot afford to have two routers to do WAN routing and NATing. So it's a hack to get one Ubuntu server to work as WAN router, NAT router and webserver. – nixnotwin Jul 03 '12 at 17:20
  • This happened because of a flawed answer suggesting binding the external addresses to lo: http://serverfault.com/a/403730/3139. Original question: http://serverfault.com/q/403691/3139 – Jeff Ferland Jul 03 '12 at 18:32

2 Answers

loopback interfaces should NEVER have any address besides a 127.0.0.0/8 one. More than likely, the person who built the image for your setup (ec2 perhaps?) put that in there for convenience. It is unlikely that the loopback interface sees any public traffic whatsoever. It's probably natted to you through your 172 address... and as such, firewall rules should be applied to that interface.

TheCompWiz
  • It's not ec2 setup. I run a physical server. I subscribe to a Leased Internet Link. The ISP has assigned me a `/29` public subnet. But ISP routes to me that public subnet via a `/30` private subnet. My server is connected to ISP via that `/30` private subnet. – nixnotwin Jul 03 '12 at 17:25
  • Still... the "lo" interface is nothing more than an internal loopback interface. It is not assigned to any physical network card, and traffic is not routed through it outside of the local machine. The only reason someone would assign a public ip-address to a loopback interface is for convenience to things running locally. Firewall rules should be applied to the interface assigned to the 172 address space... (or whichever interface is connected to your ISP) – TheCompWiz Jul 03 '12 at 17:37
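The point made in this answer and its comments, as an added example that is not part of the original answers: packets for the lo-bound public address still come in on the ISP-facing interface, so the filtering belongs on that interface's INPUT traffic, with specific accept rules instead of the blanket `-i eth0 -j DROP` that also discarded the server's own reply traffic. The interface name `eth0` is the one from the question; the address `203.0.113.10` is a placeholder for one of the routed public `/29` addresses, and OpenVPN is assumed to listen on its default UDP port 1194.

```shell
#!/bin/sh
# Added example, not from the original question or answers: an iptables INPUT
# ruleset for one Ubuntu box acting as WAN router, NAT router and web server,
# with a routed public address bound to lo. Traffic for that address arrives on
# the ISP-facing interface, so it is filtered with "-i $WAN" on INPUT.
#
# Assumed (hypothetical) values; change them to match your own setup:
WAN="${WAN:-eth0}"               # interface carrying the private /30 transit link
PUB_IP="${PUB_IP:-203.0.113.10}" # placeholder for an address from the public /29, bound to lo
OVPN_PORT="${OVPN_PORT:-1194}"   # OpenVPN's default UDP port (assumed)

# Wrapper so the ruleset can be dry-run: IPTABLES=echo prints the rules
# instead of applying them.
ipt() { "${IPTABLES:-iptables}" "$@"; }

firewall_rules() {
    ipt -F INPUT
    # Genuinely local traffic (127.0.0.0/8 and anything the box sends to itself).
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened. The blanket "-i eth0 -j DROP"
    # from the question discarded these too, which is why the box lost internet.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Services exposed on the public address: HTTP and OpenVPN.
    ipt -A INPUT -i "$WAN" -d "$PUB_IP" -p tcp --dport 80 -j ACCEPT
    ipt -A INPUT -i "$WAN" -d "$PUB_IP" -p udp --dport "$OVPN_PORT" -j ACCEPT
    # Keep ping working so the link can still be tested from outside.
    ipt -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -j ACCEPT
    # Everything else arriving from the ISP side (any other port on the public
    # address, or on the /30 address) is dropped. The policy is set last so
    # there is no window with a DROP policy and no accept rules.
    ipt -P INPUT DROP
}

# Usage:  ./fw.sh apply                (as root, applies the rules)
#         IPTABLES=echo ./fw.sh apply  (dry run, prints the rules)
case "${1:-}" in
    apply) firewall_rules ;;
esac
```

Two things to keep in mind when adapting it. First, if you administer the box over the same link, add an accept rule for your management port before the policy line, otherwise the DROP policy locks you out. Second, packets addressed to the public IP are delivered to a local socket, so they go through INPUT and not FORWARD; FORWARD rules only affect traffic the box routes on to hosts behind it.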
If I understand your setup correctly, your traffic is coming in via the eth0 interface and forwarded to the lo interface.

Have you tried putting a FORWARD rule in place of an INPUT rule?

profy