bookends: Prevent packets with destination localhost.

author Mark Wooding <mdw@distorted.org.uk>

Wed, 7 Jan 2009 19:03:59 +0000 (19:03 +0000)

committer Mark Wooding <mdw@distorted.org.uk>

Wed, 7 Jan 2009 19:03:59 +0000 (19:03 +0000)
author Mark Wooding <mdw@distorted.org.uk>
Wed, 7 Jan 2009 19:03:59 +0000 (19:03 +0000)
committer Mark Wooding <mdw@distorted.org.uk>
Wed, 7 Jan 2009 19:03:59 +0000 (19:03 +0000)
diff --git a/bookends.m4 b/bookends.m4

index f99066c..6b4f5f4 100644 (file)
--- a/bookends.m4
+++ b/bookends.m4
@@ -81,15 +81,25 @@ errorchain mangle:bad-source-address DROP
  ## Packet arrived on wrong interface for its source address.  Drops the
  ## packet, since there's nowhere sensible to send an error.
  
+errorchain bad-destination-address REJECT --reject-with icmp-host-prohibited
+## Packet arrived on non-loopback interface with loopback destination.  Sends
+## a rude note back.
+
  errorchain interesting ACCEPT
  ## Not an error, just log interesting packets.
  
  m4_divert(36)m4_dnl
  ###--------------------------------------------------------------------------
-### Don't clobber local traffic.
+### Standard loopback stuff.
  
+## Don't clobber local traffic
  run iptables -A INPUT -i lo -j ACCEPT
  
+## We really shouldn't see packets destined for localhost on any interface
+## other than the loopback.
+run iptables -A INPUT -g bad-destination-address \
+       -d 127.0.0.0/8
+
  m4_divert(90)m4_dnl
  ###--------------------------------------------------------------------------
  ### Finishing touches.
author	Mark Wooding <mdw@distorted.org.uk>
	Wed, 7 Jan 2009 19:03:59 +0000 (19:03 +0000)
committer	Mark Wooding <mdw@distorted.org.uk>
	Wed, 7 Jan 2009 19:03:59 +0000 (19:03 +0000)