iptables and localhost

Post by Jim Hendr » Fri, 05 Oct 2001 17:01:50

Hi all,

I would like to create an iptable rule that would rewrite the source
address on all packets to localhost (127.0.0.1) to 127.0.0.1.  My current
configuration seems to make packets destined for localhost appear to come
from my internet IP address.  This breaks many things that only authorize
connections for localhost.

Thank you for any help,
Jim Hendry


iptables and localhost

Post by Dean Thompso » Fri, 05 Oct 2001 23:32:01

Hi!,

> I would like to create an iptable rule that would rewrite the source
> address on all packets to localhost (127.0.0.1) to 127.0.0.1.  My current
> configuration seems to make packets destined for localhost appear to come
> from my internet IP address.  This breaks many things that only authorize
> connections for localhost.

Can you basically use a SNAT rule which would allow you to trap the incoming
requests and then re-write the source address?  The only worry that I would
have in the back of my mind would be that packets, after they have had their
source IP re-written, wouldn't get back to the application that was sending the
initial packet.  Is there any way you can expand your authorisation window to
allow the IP address that you are connecting from?

See ya

Dean Thompson

--
+____________________________+____________________________________________+
| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+


iptables and localhost

Post by Jim Hendr » Sat, 06 Oct 2001 02:42:02

> Hi!,

>>I would like to create an iptable rule that would rewrite the source
>>address on all packets to localhost (127.0.0.1) to 127.0.0.1.  My current
>>configuration seems to make packets destined for localhost appear to come
>>from my internet IP address.  This breaks many things that only authorize
>>connections for localhost.

> Can you basically use a SNAT rule which would allow you to trap the incoming
> requests and then re-write the source address?  The only worry that I would
> have in the back of my mind would be that packets, after they have had their
> source IP re-written, wouldn't get back to the application that was sending the
> initial packet.  Is there any way you can expand your authorisation window to
> allow the IP address that you are connecting from?

> See ya

> Dean Thompson

I believe I have solved my problem.  My iptables rule did not limit
source rewriting to a specific interface, so all source addresses were
being rewritten (even on lo).  Specifying rewriting only on my external
interface has fixed the problem.

Thank you for your help,
Jim Hendry
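Jim's fix, as an added shell check that is not from the thread: it assumes the rewrite was a POSTROUTING SNAT or MASQUERADE rule (neither post shows the actual rule) and flags every such rule in an iptables-save dump that has no -o interface match, because an unscoped rule also rewrites packets that leave on lo. The sample dump is constructed.

```shell
#!/bin/sh
# Constructed iptables-save excerpt (assumption, not the poster's ruleset).
# The first MASQUERADE rule is not pinned to an interface and therefore also
# rewrites traffic leaving on lo; the other two are limited to eth0.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.10
COMMIT'

# Read an iptables-save dump on stdin and print every POSTROUTING rule that
# rewrites the source (SNAT or MASQUERADE) without an -o/--out-interface match.
unscoped_snat_rules() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A POSTROUTING/ && /-j (SNAT|MASQUERADE)/ {
            if ($0 !~ /(^| )(-o|--out-interface) /) print
        }'
}

# Return 0 when the dump passed as $1 is clean, 1 when an unscoped rule exists.
audit_nat_dump() {
    hits=$(printf '%s\n' "$1" | unscoped_snat_rules)
    [ -z "$hits" ] && return 0
    printf 'source rewrite not limited to an interface (also hits lo):\n%s\n' "$hits" >&2
    return 1
}

# On a live box the same check is:  iptables-save | unscoped_snat_rules
audit_nat_dump "$SAMPLE_NAT" || echo "add -o <external interface> to the flagged rule"
```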


sendmail, iptables localhost 127.0.0.1

I am not able to send mail from the localhost with the config I have below.

telnet localhost 25

gives no response.

If I stop the firewall I am ok.

Here is my iptables config

*mangle
:PREROUTING ACCEPT [25133:3124044]
:INPUT ACCEPT [24657:3067947]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8958:1972212]
:POSTROUTING ACCEPT [8958:1972212]
COMMIT
# Completed on Wed May 29 10:36:32 2002
# Generated by iptables-save v1.2.5 on Wed May 29 10:36:32 2002
*nat
:PREROUTING ACCEPT [12936:2199875]
:POSTROUTING ACCEPT [25:1636]
:OUTPUT ACCEPT [25:1636]
COMMIT
# Completed on Wed May 29 10:36:32 2002
# Generated by iptables-save v1.2.5 on Wed May 29 10:36:32 2002
*filter
:INPUT DROP [6577:724657]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8612:1896652]

-A INPUT -i eth1 -f -j DROP
-A INPUT -i eth1 -m state --state INVALID -j DROP
-A INPUT -i eth1 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP

-A INPUT -s 127.0.0.0/255.0.0.0 -i eth1 -j ACCEPT

-A INPUT -s 10.0.0.0/255.0.0.0 -i eth1 -j DROP
-A INPUT -s 255.255.255.255 -i eth1 -j DROP
-A INPUT -s 0.0.0.0/255.0.0.0 -i eth1 -j DROP
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth1 -j DROP
-A INPUT -s 192.0.2.0/255.255.255.0 -i eth1 -j DROP
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth1 -j DROP
-A INPUT -s 224.0.0.0/255.255.255.255 -i eth1 -j DROP

-I INPUT -s 127.0.0.1 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT

-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT

-A INPUT -s mysubnet -i eth1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 21 -j ACCEPT
-I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Accept ICMP

-A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 11 -j ACCEPT
COMMIT
# Completed on Wed May 29 10:36:32 2002
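An added check for the ruleset above, not part of the original post: every ACCEPT in the posted INPUT chain is pinned to eth1, but a connection to 127.0.0.1:25 arrives on lo, so with policy DROP the SYN to sendmail is discarded. The script flags a filter dump that accepts nothing on lo and applies the one-rule correction it assumes; the excerpt is condensed from the posted table.

```shell
#!/bin/sh
# Condensed from the filter table posted above (constructed excerpt, not the
# full dump): INPUT policy DROP, every ACCEPT tied to eth1, nothing for lo.
POSTED_FILTER='*filter
:INPUT DROP [6577:724657]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8612:1896652]
-A INPUT -i eth1 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.1 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Read a filter dump on stdin and print "ok" if new local connections survive
# (INPUT policy ACCEPT, or some INPUT rule accepts on -i lo), otherwise print
# "loopback-dropped". The "-s 127.0.0.1 -i eth1" rule never matches, since
# packets addressed to 127.0.0.1 arrive on lo, not on eth1.
loopback_status() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^:INPUT / { policy = $2 }
        table == "filter" && /^-[AI] INPUT / && /-j ACCEPT/ &&
            /(^| )(-i|--in-interface) lo( |$)/ { lo_ok = 1 }
        END {
            verdict = (policy == "ACCEPT" || lo_ok) ? "ok" : "loopback-dropped"
            print verdict
        }'
}

check_filter_dump() { printf '%s\n' "$1" | loopback_status; }

# Assumed fix: accept everything on lo, placed ahead of the eth1 rules so the
# rest of the chain can stay as restrictive as it is.
FIXED_FILTER=$(printf '%s\n' "$POSTED_FILTER" | awk '
    { print }
    /^:OUTPUT / { print "-A INPUT -i lo -j ACCEPT" }')

check_filter_dump "$POSTED_FILTER"   # loopback-dropped
check_filter_dump "$FIXED_FILTER"    # ok
```

On the live host the same question is answered by `iptables-save | loopback_status`, and `telnet localhost 25` should connect once the lo rule is loaded.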
