iptables: 127.0.0.1 != lo

Hi!

I have two network interfaces (eth0 and eth1) and the following rule:

--source 127.0.0.0/8 --in-interface !lo -j DROP

unfortunately that does drop local packages (from 127.0.0.1 to 127.0.0.1).

Why?

hi !
this rule drops packets from source 127.0.0.1 comming from an interface
other than lo ....
Try
-A FORWARD -s 127.0.0.0/8 -j DROP
Good luck
S. MAMMAR

In article <d5kmqe$v5q$04$(E-Mail Removed)>,
Timo Nentwig <(E-Mail Removed)> wrote:
:Hi!
:
:I have two network interfaces (eth0 and eth1) and the following rule:
:
:--source 127.0.0.0/8 --in-interface !lo -j DROP
:
:unfortunately that does drop local packages (from 127.0.0.1 to 127.0.0.1).
:
:Why?

Two reasons:
1. The '!' character is sometimes special to the shell and would need
to be quoted if the above rule were part of a shell command.

2. Iptables requires the '!' character to be a separate argument.

Note that a '!' character standing alone is _not_ altered by the shell
and does not need to be quoted, but the string "!lo" invokes the
shell's history expansion mechanism. In your case, it unfortunately
expanded to something that still appeared legal to iptables, or else
you added that rule to /etc/sysconfig/iptables with an editor. You
are strictly on you own when you do that. Iptables presumes that
/etc/sysconfig/iptables was generated by iptables-save.

This should work as you expect:

iptables --source 127.0.0.0/8 --in-interface ! lo -j DROP

--
Bob Nichols AT comcast.net I am "rnichols42"

In article <d5lcqi$l4k$(E-Mail Removed)>, I wrote:
:
:This should work as you expect:
:
: iptables --source 127.0.0.0/8 --in-interface ! lo -j DROP

Oops -- typing a bit to hastily there. That command is incomplete and
doesn't specify where to put the rule. I'll leave that as an exercise
for the reader.

--
Bob Nichols AT comcast.net I am "rnichols42"

Robert Nichols wrote:

> In article <d5lcqi$l4k$(E-Mail Removed)>, I wrote:
> :
> :This should work as you expect:
> :
> : iptables --source 127.0.0.0/8 --in-interface ! lo -j DROP
>
> Oops -- typing a bit to hastily there. That command is incomplete and
> doesn't specify where to put the rule. I'll leave that as an exercise
> for the reader.

Yes, that missing space was a typo, too. That's not the problem.

Note: E-mailed *and* posted.

In article <d5lheg$eeb$05$(E-Mail Removed)>,
Timo Nentwig <(E-Mail Removed)> wrote:
:Robert Nichols wrote:
:
:> In article <d5lcqi$l4k$(E-Mail Removed)>, I wrote:
:> :
:> :This should work as you expect:
:> :
:> : iptables --source 127.0.0.0/8 --in-interface ! lo -j DROP
:>
:> Oops -- typing a bit to hastily there. That command is incomplete and
:> doesn't specify where to put the rule. I'll leave that as an exercise
:> for the reader.
:
:Yes, that missing space was a typo, too. That's not the problem.

I don't know what's happening, then. When I insert the a rule with:

# iptables -I RH-Firewall-1-INPUT 1 -s 127.0.0.0/8 -i ! lo -j LOG

it does not log packets sent to 127.0.0.1 via the loopback interface.
(Yes, if I leave out the "!" it does log the packets.)

By any chance do you have some unusual routing that is sending 127.0/8
traffic over another interface? Try changing "DROP" to "LOG" and see
what gets logged.

--
Bob Nichols AT comcast.net I am "rnichols42"

Robert Nichols wrote:

> By any chance do you have some unusual routing that is sending 127.0/8
> traffic over another interface? Try changing "DROP" to "LOG" and see

I have two network interfaces and use ifmetric...