
I use a tcp socket on 127.0.0.1:9000 to connect nginx to php5-cgi. However, I want to make sure that no external request can be made to this IP, so that no attacker can obfuscate the IP and bypass nginx to do nasty stuff with php.

Now I am wondering whether it is actually possible to do such an exploit, and if so, how can I avoid it using iptables?

MadHatter
wbad
  • This is basic networking that should have been very easy to find. – Jim B Jan 14 '15 at 17:01
  • No external system can connect to 127.0.0.1 on another system. – joeqwerty Jan 14 '15 at 17:07
  • @JimB - the problem with many basic networking questions that are obvious is that it's sometimes hard to find a reference to them. Finding the way to block remote access to localhost is not well documented because it's unnecessary and "everyone" just knows that. – Johnny Jan 14 '15 at 19:56
  • @Johnny, however the community decided a long time ago to not follow the example of stack overflow. See http://stackoverflow.com/questions/1137158/what-is-a-variable for an example of what we decided we didn't want. – Jim B Jan 15 '15 at 00:05

2 Answers

It is not generally possible to access services, bound only to localhost, from external addresses. SF is fairly replete with questions asking how to reverse that state of affairs, and the calisthenics required to do it are non-trivial, precisely because the whole concept of binding only to localhost is designed to give you that security without more ado.

MadHatter
  • Apparently the same isn't true for IPv6 where [`::1` can be spoofed](http://googleprojectzero.blogspot.de/2015/01/finding-and-exploiting-ntpd.html) depending on your firewall configuration. – CodesInChaos Jan 14 '15 at 10:21
  • Surely that will be patched, though. No localhost requests should be honored by the kernel/network layer from a physical link. – phyrfox Jan 14 '15 at 16:47
  • @phyrfox That's why it's a bug. You should not be able to put the loopback traffic on the physical nic regardless of OS. – Jim B Jan 14 '15 at 17:00

You could create a firewall rule to block this traffic, but it's much easier to enable reverse-path filtering instead.

(root)$ echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter

Reverse-path filtering uses routing tables to filter out spoofed addresses on incoming packets.

You can enable this by default on all interfaces by adding the following to /etc/sysctl.conf:

net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

More info: http://www.slashroot.in/linux-kernel-rpfilter-settings-reverse-path-filtering

However...

As already mentioned by MadHatter, this is completely unnecessary for 127.0.0.1/8. (If you want, you can log these packets using net.ipv4.conf.all.log_martians = 1).

bennettp123
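The last sentence of the answer above mentions net.ipv4.conf.all.log_martians = 1, which makes the kernel log every packet it drops as a "martian" (an address that cannot legitimately arrive on that interface, including 127/8 on a physical NIC). The following is an added example, not code from either answer or from the question's author: a small parser that reads such kernel messages and reports how often a packet carrying a loopback address showed up on a non-loopback device, which is exactly the spoofing attempt the question worries about. The sample dmesg lines are constructed for the example; the message layout ("martian source DST from SRC, on dev DEV") follows the kernel's own format, where the first address is the destination and the second is the claimed source.

```python
import re
import ipaddress

# Constructed sample of kernel messages of the kind log_martians=1 produces.
# These lines are made up for this example, not captured from a real host.
SAMPLE_DMESG = """\
[  101.512345] IPv4: martian source 192.0.2.10 from 127.0.0.1, on dev eth0
[  101.512401] ll header: 00000000: 52 54 00 12 34 56 52 54 00 ab cd ef 08 00
[  220.000123] IPv4: martian source 192.0.2.10 from 10.9.8.7, on dev eth0
[  220.000200] ll header: 00000000: 52 54 00 12 34 56 52 54 00 ab cd ef 08 00
[  300.777000] IPv4: martian source 127.0.0.1 from 192.0.2.99, on dev eth0
[  400.100000] IPv4: martian source 10.0.0.5 from 127.0.0.2, on dev eth1
"""

# In the kernel's message the first address is the packet's destination and the
# second ("from ...") is its claimed source; "on dev" is where it arrived.
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+), on dev (?P<dev>\S+)"
)

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_martians(text):
    """Extract one {dst, src, dev} record per 'martian source' line.

    The 'll header' dump lines that follow each event carry no address
    fields we need, so they simply do not match and are skipped.
    """
    events = []
    for line in text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            events.append({"dst": m.group("dst"),
                           "src": m.group("src"),
                           "dev": m.group("dev")})
    return events


def loopback_spoofs(events):
    """Keep only events where a 127/8 address arrived on a non-loopback device.

    A packet whose claimed source is 127/8, or whose destination is 127/8,
    but which entered through eth0/eth1/..., is an attempt (or a bug) to
    reach a localhost-only service from the wire. The kernel already
    dropped it; this function just makes those drops visible.
    """
    out = []
    for e in events:
        if e["dev"] == "lo":
            continue
        src_lo = ipaddress.ip_address(e["src"]) in LOOPBACK
        dst_lo = ipaddress.ip_address(e["dst"]) in LOOPBACK
        if src_lo or dst_lo:
            out.append(e)
    return out


def summarize(text):
    """Return {device: count} of loopback-related martians in the log text."""
    counts = {}
    for e in loopback_spoofs(parse_martians(text)):
        counts[e["dev"]] = counts.get(e["dev"], 0) + 1
    return counts


if __name__ == "__main__":
    for dev, n in sorted(summarize(SAMPLE_DMESG).items()):
        print(f"{dev}: {n} dropped packet(s) carried a 127/8 address from the wire")
```

Run it against `dmesg` or `journalctl -k` output instead of the constructed sample to see whether anything on the network is actually trying this; the 10.9.8.7 line in the sample is deliberately a martian of a different kind (a reverse-path failure, not a loopback address) and is counted by parse_martians but not by loopback_spoofs.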