iptables loopback opens all ports

Asked Jan 17 '20 at 18:04

Active Jan 17 '20 at 18:04

Viewed 270 times

I have a strange problem with iptables and my loopback interface.

ifconfig says:

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>

for both ipv6 and ipv4 rules, i use this:

-A INPUT -i lo -j ACCEPT

For ipv6 it works fine:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all      ::/0                 ::/0                 state RELATED,ESTABLISHED
ACCEPT     all      ::1                  ::1

but for ipv4, it opens all ports:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

the desired solution is archived by:

-A INPUT -s 127.0.0.1 --dst 127.0.0.1 -i lo -j ACCEPT

But why is binding the rule to the interface lo not working for ipv4, but for ipv6 flawlessly?

asked Jan 17 '20 at 18:04

Tim Altgeld

2

Add the "-v" option to see the in and out interfaces. "iptables -L -nv" – Dom Jan 17 '20 at 19:04
And the IP address is a mask : 127.0.0.0/8 (see 255.0.0.0 in your ifconfig) – Dom Jan 17 '20 at 19:22
so the source does not matter if it is bound to lo? – Tim Altgeld Jan 17 '20 at 20:34
1

I can't reproduce your test. using `ip6tables -A INPUT -i lo -j ACCEPT` never puts `::1` anywhere (but `::/0`), and that's a normal behaviour. – A.B Jan 17 '20 at 23:04
which version of iptables do you use? i have 1.8.3-2 – Tim Altgeld Jan 17 '20 at 23:31
If the IP is set it will be tested. But it is easier to put a "-i lo" and catch all the packets from this interface, without testing the IP. – Dom Jan 19 '20 at 17:15

iptables loopback opens all ports

0 Answers0