Question: Iptables -- 127.0.0.1 - Security



Thread: Question: Iptables -- 127.0.0.1

  1. Question: Iptables -- 127.0.0.1


    I have a little confusion with this.

    I hear about this "sanity check" for packets that may have
    a spoofed source address (or destination) of 127.0.0.1

    Every single reference, tutorial, sample iptables scripts,
    etc. that I've seen, they address the issue referring to
    127.0.0.1 as the loopback address. Example:

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -s 127.0.0.1 -j DROP
    iptables -A INPUT -d 127.0.0.1 -j DROP

    That way, if the packet legitimately is from the host to
    itself, then it will match the first rule and pass; if
    a packet did not pass the first rule, then it can not
    possibly have source or destination IP of 127.0.0.1, and
    thus it is dropped, guilty of being a fake packet.

    What was recently brought to my attention is: shouldn't
    that be 127.0.0.0/255.0.0.0 ?? That is, shouldn't the
    entire range 127.*.*.* be considered? I'm not sure the
    claim has merit, but it made me wonder -- I always
    thought 127.0.0.1 is *the one* special IP address for
    the loopback interface; but I'm told that the entire
    range 127.*.*.* has the same effect? Can someone
    clarify this?

    If the claim is true, then why aren't all the examples
    and tutorials on iptables out there using the 127.0.0.0/8
    subnet?

    Thanks,

    Carlos
    --

  2. Re: Question: Iptables -- 127.0.0.1

    You are correct, Carlos.

    The entire Class A Non-Routable address range should be evaluated
    against. The reason that in most example scripts that 127.0.0.1 is
    utilized is due to the fact that it is common practice to allocate this
    address to the loopback function.

    It is entirely conceivable that a person could alter this address to
    utilize any address within the Class A Non-Routable address range. Thus
    you should first verify that your loopback interface is in fact
    assigned the ip address that you expect. And that the route assigned to
    the loopback interface is the Class A Non-Routable address range.

    Thomas


  3. Re: Question: Iptables -- 127.0.0.1

    On Tue, 02 May 2006, in the Usenet newsgroup comp.os.linux.security, in article
    , Carlos Moreno wrote:

    >I hear about this "sanity check" for packets that may have
    >a spoofed source address (or destination) of 127.0.0.1
    >
    >Every single reference, tutorial, sample iptables scripts,
    >etc. that I've seen, they address the issue referring to
    >127.0.0.1 as the loopback address.


    Weellll... "the loopback address" is 127.0.0.1 by convention, but the
    entire network is used that way. Simple test: Try pinging/telnet/what-ever
    to any address in that range, and your own system will be the one responding.

    [firewood ~]# /usr/sbin/tcpdump -i lo
    tcpdump: listening on lo
    07:37:20.390000 localhost > 127.127.127.127: icmp: echo request
    07:37:20.390000 localhost > 127.127.127.127: icmp: echo request
    07:37:20.390000 127.127.127.127 > localhost: icmp: echo reply
    07:37:20.390000 127.127.127.127 > localhost: icmp: echo reply
    [firewood ~]#

    >What was recently brought to my attention is: shouldn't
    >that be 127.0.0.0/255.0.0.0 ??


    1122 Requirements for Internet Hosts - Communication Layers. R.
    Braden, Ed.. October 1989. (Format: TXT=295992 bytes) (Updated by
    RFC1349, RFC4379) (Also STD0003) (Status: STANDARD)

    2827 Network Ingress Filtering: Defeating Denial of Service Attacks
    which employ IP Source Address Spoofing. P. Ferguson, D. Senie. May
    2000. (Format: TXT=21258 bytes) (Obsoletes RFC2267) (Updated by
    RFC3704) (Also BCP0038) (Status: BEST CURRENT PRACTICE)

    3330 Special-Use IPv4 Addresses. IANA. September 2002. (Format:
    TXT=16200 bytes) (Status: INFORMATIONAL)

    3704 Ingress Filtering for Multihomed Networks. F. Baker, P. Savola.
    March 2004. (Format: TXT=35942 bytes) (Updates RFC2827) (Also
    BCP0084) (Status: BEST CURRENT PRACTICE)

    While RFC2827 does _not_ mention 127.* (nor does RFC0791), the others
    do, _and_ specify it as a /8. See RFC1122 Section 3.2.1.3 (g), RFC3330
    Section 2, RFC3704 Section 1, and RFC2827 Section 4.

    >If the claim is true, then why aren't all the examples
    >and tutorials on iptables out there using the 127.0.0.0/8
    >subnet?


    Probably because it's traditional to only speak of the loopback as that
    one single address. However, a very quick check of the Firewall-HOWTO,
    IPCHAINS-HOWTO, and Security-Quickstart-HOWTO show that those authors
    did specify the full network, while at least early copies of the
    'iptables-HOWTO' and 'packet-filtering-HOWTO' (from Rusty Russell, the
    author of the packet-filtering code in the kernel) showed just a host
    address.

    Old guy

  4. Re: Question: Iptables -- 127.0.0.1

    On Wed, 03 May 2006, in the Usenet newsgroup comp.os.linux.security, in article
    , I wrote:
    [List of RFCs]

    1812 Requirements for IP Version 4 Routers. F. Baker, Ed.. June 1995.
    (Format: TXT=415740 bytes) (Obsoletes RFC1716, RFC1009) (Updated by
    RFC2644) (Status: PROPOSED STANDARD)

    Section 4.2.2.11 (e) also lists 127.0.0.0/8. See also section 5.3.7, which
    says:

    5.3.7 Martian Address Filtering

    An IP source address is invalid if it is a special IP address, as
    defined in 4.2.2.11 or 5.3.7, or is not a unicast address.

    An IP destination address is invalid if it is among those defined as
    illegal destinations in 4.2.3.1, or is a Class E address (except
    255.255.255.255).

    A router SHOULD NOT forward any packet that has an invalid IP source
    address or a source address on network 0. A router SHOULD NOT
    forward, except over a loopback interface, any packet that has a
    source address on network 127. A router MAY have a switch that
    allows the network manager to disable these checks. If such a switch
    is provided, it MUST default to performing the checks.

    If a router discards a packet because of these rules, it SHOULD log
    at least the IP source address, the IP destination address, and, if
    the problem was with the source address, the physical interface on
    which the packet was received and the Link Layer address of the host
    or router from which the packet was received.

    Note that this is a "SHOULD NOT", rather than a "MUST NOT". See section
    1.2.2 of RFC1812 if you aren't familiar with what those terms are meant
    to be interpreted as.

    Now, the next question is if your perimeter routers comply with this
    requirement. Not all do, because there is a cost in CPU cycles. Oh, and
    you'll also want to read section 5.3.8 of this document as well.

    Old guy
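
    [Added example, not part of the thread and not from any of the posters:
    a small POSIX sh model of the loopback "sanity check" discussed above.
    It puts the single-host match that the sample rules in the first post
    use (127.0.0.1 only) beside the 127.0.0.0/8 match the RFCs cited in
    posts 3 and 4 specify, and on a drop records the fields RFC1812 section
    5.3.7 says a router SHOULD log. The packets, the interface names "lo"
    and "eth0" and the log format are constructed for illustration; nothing
    here installs real iptables rules.]

```shell
#!/bin/sh
# Added example (not from the thread): userland model of the loopback
# anti-spoofing check. Compares matching only 127.0.0.1 (the sample rules
# in the first post) with matching all of 127.0.0.0/8 (what RFC1122,
# RFC3330, RFC3704 and RFC1812 specify). Packets and interface names
# below are constructed; no netfilter rules are touched.

# first_octet ADDR -> prints the first octet of a dotted-quad address
first_octet() {
    printf '%s\n' "$1" | cut -d. -f1
}

# in_loopback_net ADDR -> exit 0 if ADDR lies within 127.0.0.0/8, else 1
# (equivalent to what "-s 127.0.0.0/8" or "-d 127.0.0.0/8" would match)
in_loopback_net() {
    [ "$(first_octet "$1")" = "127" ]
}

# host_rule_matches ADDR -> exit 0 only for the single address 127.0.0.1
# (equivalent to what "-s 127.0.0.1" or "-d 127.0.0.1" would match)
host_rule_matches() {
    [ "$1" = "127.0.0.1" ]
}

# filter IFACE SRC DST -> prints ACCEPT or DROP, mirroring the rule order
#   -i lo ACCEPT; -s 127.0.0.0/8 DROP; -d 127.0.0.0/8 DROP
# On DROP it writes to stderr the fields RFC1812 5.3.7 says SHOULD be
# logged: receiving interface, source address and destination address.
filter() {
    iface=$1 src=$2 dst=$3
    if [ "$iface" = "lo" ]; then
        echo ACCEPT          # genuine host-to-host traffic, matched first
        return 0
    fi
    if in_loopback_net "$src" || in_loopback_net "$dst"; then
        echo "martian on $iface: src=$src dst=$dst" >&2
        echo DROP
        return 0
    fi
    echo ACCEPT
}

# demo -> runs constructed packets through both checks and prints a table.
# The 127.127.127.127 spoof arriving on eth0 passes the single-host rule
# but is dropped by the /8 rule; the lo packet passes both.
demo() {
    for pkt in "lo 127.0.0.1 127.0.0.1" \
               "eth0 127.0.0.1 10.0.0.5" \
               "eth0 127.127.127.127 10.0.0.5" \
               "eth0 10.0.0.9 10.0.0.5"; do
        set -- $pkt
        if host_rule_matches "$2" || host_rule_matches "$3"; then
            h=DROP
        else
            h=ACCEPT
        fi
        printf '%-5s %-16s %-10s host-rule=%-6s net-rule=%s\n' \
            "$1" "$2" "$3" "$h" "$(filter "$1" "$2" "$3" 2>/dev/null)"
    done
}

demo
```

    The real counterpart of filter() is a rule such as
    "iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP" (and the same for
    -d), placed after the "-i lo -j ACCEPT" rule. Thomas's advice in post 2
    still applies: check with "ip addr show lo" and "ip route show table
    local" that the loopback interface really carries 127.0.0.1 and that
    127.0.0.0/8 is routed to it before relying on either form.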

