Can someone explain the following rule for filtering traffic to loopback
interface?
# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
The way I interpret it:
1. accept all incoming packets to loopback.
2. reject all incoming packets from 127.x.x.x which are not to loopback.
What are the practical uses for these rules? In the case of 1, does this mean that all packets to loopback do not have to go through additional filtering? Is it possible for an incoming packet to loopback to be from an external source?
Best Answer
What the rules mean is exactly what you are describing:
1) all packets accepted from the loopback interface.
2) no packets with the loopback address accepted from other sources.
It does not mean per se that data coming from the loopback interface has to go through additional filtering; what it means is that rule 2) is trying to prevent fake/spoofed packets with the loopback address coming from other interfaces.
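To make the first-match behaviour of the two rules concrete, here is a small evaluator that parses the subset of iptables-save syntax used in the question (-A, -i, -s, -d, -j and a leading "!") and runs sample packets through the INPUT chain. This is an added example, not code from the question or the answer, and not iptables itself: the Packet and Rule types, the parse_rule/rule_matches/evaluate helpers, the interface name eth0, the sample addresses and the ACCEPT chain policy are all assumptions made for illustration. It also goes slightly beyond the question by showing why the second rule, which matches on the source address (-s), does not catch a packet that is merely addressed to 127.0.0.0/8 from outside, and what a destination-based companion rule would do.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional, Tuple

# The two rules from the question, in iptables-save syntax (constructed input).
RULES_TEXT = """
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
"""

# Hypothetical companion rule (an assumption of this example, not from the question):
# reject packets *addressed* to 127/8 that arrive on any interface other than lo.
DST_RULE_TEXT = "-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT\n"


@dataclass
class Packet:
    """Minimal view of an incoming packet: arrival interface and addresses."""
    in_iface: str
    src: str
    dst: str


@dataclass
class Rule:
    chain: str
    target: str
    # Each criterion is (value, negated); None means "not given, always matches".
    in_iface: Optional[Tuple[str, bool]] = None
    src: Optional[tuple] = None
    dst: Optional[tuple] = None


def parse_rule(line: str) -> Rule:
    """Parse one rule line. A '!' token negates the option that follows it."""
    tokens = shlex.split(line)
    fields = {"chain": None, "target": None, "in_iface": None, "src": None, "dst": None}
    negated = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negated = True
            i += 1
            continue
        if i + 1 >= len(tokens):
            raise ValueError(f"option {tok!r} is missing its argument")
        arg = tokens[i + 1]
        if tok == "-A":
            fields["chain"] = arg
        elif tok == "-j":
            fields["target"] = arg
        elif tok == "-i":
            fields["in_iface"] = (arg, negated)
        elif tok == "-s":
            fields["src"] = (ipaddress.ip_network(arg, strict=False), negated)
        elif tok == "-d":
            fields["dst"] = (ipaddress.ip_network(arg, strict=False), negated)
        else:
            raise ValueError(f"unsupported option {tok!r}")
        negated = False
        i += 2
    if fields["chain"] is None or fields["target"] is None:
        raise ValueError(f"rule needs both -A and -j: {line!r}")
    return Rule(**fields)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only if every criterion it specifies matches (after its '!')."""
    checks = []
    if rule.in_iface is not None:
        iface, neg = rule.in_iface
        checks.append((pkt.in_iface == iface) != neg)
    if rule.src is not None:
        net, neg = rule.src
        checks.append((ipaddress.ip_address(pkt.src) in net) != neg)
    if rule.dst is not None:
        net, neg = rule.dst
        checks.append((ipaddress.ip_address(pkt.dst) in net) != neg)
    return all(checks)


def evaluate(rules_text: str, chain: str, pkt: Packet, policy: str = "ACCEPT"):
    """First-match walk of one chain, as the kernel does it.

    Returns (verdict, rule_number); rule_number is None when nothing matched and the
    chain policy decided. Built-in chains default to an ACCEPT policy unless changed,
    so that is the default here; pass whatever policy your firewall actually sets."""
    rules = [parse_rule(l) for l in rules_text.strip().splitlines() if l.strip()]
    for n, rule in enumerate(rules, start=1):
        if rule.chain == chain and rule_matches(rule, pkt):
            return rule.target, n
    return policy, None


if __name__ == "__main__":
    cases = [
        Packet("lo", "127.0.0.1", "127.0.0.1"),    # local process talking to itself
        Packet("eth0", "127.0.0.1", "10.0.0.5"),   # spoofed loopback source on a real NIC
        Packet("eth0", "10.0.0.7", "10.0.0.5"),    # ordinary traffic: neither rule matches
        Packet("eth0", "10.0.0.7", "127.0.0.1"),   # loopback destination from outside: -s rule misses
    ]
    for pkt in cases:
        print(pkt, "->", evaluate(RULES_TEXT, "INPUT", pkt))
        print("   with -d rule ->", evaluate(RULES_TEXT + DST_RULE_TEXT, "INPUT", pkt))
```

The walk shows what the answer says: everything arriving on lo hits rule 1 and never reaches later rules, a loopback source on any other interface hits rule 2, and ordinary traffic falls through to whatever rules or policy follow. The fourth case is the caveat: rule 2 tests the source, so a packet addressed to 127.0.0.1 from an outside host passes both rules; the hypothetical -d variant catches it. On Linux the routing code normally discards such packets as martians anyway, unless net.ipv4.conf.<iface>.route_localnet is enabled, so the destination rule is belt-and-braces rather than the primary defence.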