## Packet arrived on wrong interface for its source address. Drops the
## packet, since there's nowhere sensible to send an error.
+errorchain bad-destination-address REJECT --reject-with icmp-host-prohibited
+## Packet arrived on non-loopback interface with loopback destination. Sends
+## a rude note back.
+
errorchain interesting ACCEPT
## Not an error, just log interesting packets.
m4_divert(36)m4_dnl
###--------------------------------------------------------------------------
-### Don't clobber local traffic.
+### Standard loopback stuff.
+## Don't clobber local traffic
run iptables -A INPUT -i lo -j ACCEPT
+## We really shouldn't see packets destined for localhost on any interface
+## other than the loopback.
+run iptables -A INPUT -g bad-destination-address \
+ -d 127.0.0.0/8
+
m4_divert(90)m4_dnl
###--------------------------------------------------------------------------
### Finishing touches.
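Review bot: the new `bad-destination-address` errorchain uses `REJECT --reject-with icmp-host-prohibited`, while the chain documented just above it drops because "there's nowhere sensible to send an error". A packet that turns up on a non-loopback interface with a 127.0.0.0/8 destination may well carry a forged source address too, in which case the ICMP reply goes to a third party. Consider DROP here, or extend the comment to say why a reply is wanted. In the INPUT rule, correctness depends on it sitting after `-i lo -j ACCEPT`; adding `! -i lo` to the match would state the intent in the rule itself and keep it right if the rules are ever reordered. Putting `-d 127.0.0.0/8` before `-g bad-destination-address` would also follow the usual match-then-target order. Only the IPv4 range is covered in the lines shown; if this script also drives ip6tables, `::1` wants the same rule.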