iptables -A INPUT -j ACCEPT -s 127.0.0.1  # local host: matches on source IP, on any interface
iptables -A OUTPUT -j ACCEPT -d 127.0.0.1 # matches on destination IP, on any interface
Correct me if I'm wrong, but I think this would also allow incoming
traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing
his IP address to appear to be 127.0.0.1 could send _any_ traffic
to you and you would ACCEPT it, basically rendering the firewall
useless. Did I miss anything?
The following should be better, as it only allows traffic to/from the
loopback interface (but not eth0 or what have you)...
iptables -A INPUT -i lo -j ACCEPT   # match the loopback interface, not the address
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -j ACCEPT -s 192.168.0.0/28 # /28 = 192.168.0.0-.15 (.0-.7 would be a /29)
iptables -A OUTPUT -j ACCEPT -d 192.168.0.0/28
IP-based blocking of traffic is almost always not a good idea. Same
reason as above - IPs are easily faked, so any intruder could
pretend to be 192.168.0.2 and would bypass the firewall.
Glad to get some replies, would also like more on Uwe's script.
As to the above: first, my computers are hidden behind a router, which should
give me lots of protection (I hope).
As to local host, when I do it your way and execute "iptables -L" I get
"ACCEPT all -- anywhere anywhere", while I get "ACCEPT all -- anywhere
localhost.localdomain". This latter disturbed me some time ago; it looked
like anyone could do anything, so I changed it.
As to some of the items which I opened up, it looked like I needed them
to perform some functions. I like your method of allowing stuff flowing
only if the session is established, but I lack info on that and
hopefully I can learn from scripts of others.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
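The two points raised in this thread, matching loopback by interface rather than by address and accepting traffic only when it belongs to a session the host itself opened, fit together in one ruleset. The script below is an added example and is not Uwe's script or anything posted in the thread; it assumes a single LAN interface eth0 on 192.168.0.0/24 (overridable through LAN_IF and LAN_NET) and that sshd is the only service exposed to the LAN. Without an argument it only prints the rules, so it can be inspected safely; `apply` pipes them to sh and must be run as root.

```shell
#!/bin/sh
# Added example (not from the original posts): a fail-closed iptables ruleset
# that accepts loopback traffic by interface, explicitly drops spoofed 127/8
# sources on other interfaces, and otherwise relies on connection tracking
# rather than on trusting source addresses.
# Assumptions: LAN interface eth0, LAN 192.168.0.0/24, sshd on tcp/22.
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Emit the rules in order. Order matters: the anti-spoof DROP and the
# conntrack rules sit before every ACCEPT that inspects addresses or ports.
firewall_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -F OUTPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
EOF
}

# Sanity check on ordering: the 127/8 DROP must come before any INPUT ACCEPT
# that is not bound to the loopback interface, otherwise a packet with a
# forged 127.x source could be accepted before it is ever examined.
antispoof_before_accepts() {
    firewall_rules | awk '
        /-s 127\.0\.0\.0\/8 -j DROP/ { seen = 1 }
        /-A INPUT/ && /-j ACCEPT/ && !/-i lo/ && !seen { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

case "${1:-}" in
    apply) antispoof_before_accepts && firewall_rules | sh -e ;;  # needs root
    *)     firewall_rules ;;                                      # dry run
esac
```

Replies to connections this host opened (including to the Internet through the router) are admitted by the ESTABLISHED,RELATED rule, so no ACCEPT keyed on a bare source address is needed; the only address-based ACCEPT here is additionally tied to the interface, the protocol, the port and the NEW state. On older kernels `-m state --state` takes the place of `-m conntrack --ctstate`. Linux itself already treats a 127/8 source arriving on a non-loopback interface as a martian and discards it, so the explicit DROP mainly documents the intent and keeps the behaviour if that default is ever changed.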