From f381cc0ab4290f7f531c747c9c71875a44f440d8 Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Wed, 7 Jan 2009 19:03:59 +0000 Subject: [PATCH] bookends: Prevent packets with destination localhost. Linux blocks these anyway, but it's good to be sure. --- bookends.m4 | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/bookends.m4 b/bookends.m4 index f99066c..6b4f5f4 100644 --- a/bookends.m4 +++ b/bookends.m4 @@ -81,15 +81,25 @@ errorchain mangle:bad-source-address DROP ## Packet arrived on wrong interface for its source address. Drops the ## packet, since there's nowhere sensible to send an error. +errorchain bad-destination-address REJECT --reject-with icmp-host-prohibited +## Packet arrived on non-loopback interface with loopback destination. Sends +## a rude note back. + errorchain interesting ACCEPT ## Not an error, just log interesting packets. m4_divert(36)m4_dnl ###-------------------------------------------------------------------------- -### Don't clobber local traffic. +### Standard loopback stuff. +## Don't clobber local traffic run iptables -A INPUT -i lo -j ACCEPT +## We really shouldn't see packets destined for localhost on any interface +## other than the loopback. +run iptables -A INPUT -g bad-destination-address \ + -d 127.0.0.0/8 + m4_divert(90)m4_dnl ###-------------------------------------------------------------------------- ### Finishing touches. -- 2.11.0
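Review bot: in the first hunk, `errorchain bad-destination-address REJECT --reject-with icmp-host-prohibited` sends an ICMP reply to the source address of a packet that, by the chain's own description, should never have arrived on that interface; the sibling chain `mangle:bad-source-address` uses DROP precisely because "there's nowhere sensible to send an error", and the same argument applies here, since the source of a packet addressed to 127.0.0.0/8 from off-box is almost certainly forged or misrouted and the reject is just backscatter. Either make this DROP for consistency, or extend the comment to say why a reply is wanted in this case.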
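Review bot: in the second hunk, `run iptables -A INPUT -g bad-destination-address -d 127.0.0.0/8` relies entirely on its position after `iptables -A INPUT -i lo -j ACCEPT` to avoid rejecting legitimate loopback traffic; adding `! -i lo` to the match would make the rule say what the comment says and survive a later reordering. Two further points: the file comment should carry what the commit message admits, that the kernel's routing code already treats a 127.0.0.0/8 destination arriving on a non-loopback interface as a martian and discards it before the INPUT hook runs, so this rule is belt-and-braces rather than the primary control; and the rule is IPv4-only, so if bookends.m4 also programs ip6tables, `::1/128` deserves the matching rule in that section.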