Hello Michael,

> You will always drop any packets sent to this chain, but you won’t always log them.
>
> Is this what you intended?

Yes. "LOGSPOOFEDMARTIAN" would have been better indeed; currently, we also have things like "DROPNEWNOTSYN", which is actually just an option for toggling logging of such packets. Should I update the misleading "DROP*" variables as well to keep things consistent?

Thanks, and best regards,
Peter Müller

> Hello,
>
>> On 18 Dec 2021, at 13:48, Peter Müller wrote:
>>
>> Traffic from and to 127.0.0.0/8 must only appear on the loopback
>> interface, never on any other interface. This ensures offending packets
>> are logged, and the loopback interface cannot be abused for processing
>> traffic from and to any other networks.
>>
>> Signed-off-by: Peter Müller
>> ---
>> src/initscripts/system/firewall | 24 ++++++++++++++++++------
>> 1 file changed, 18 insertions(+), 6 deletions(-)
>>
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index cc5baa292..1c62c6e2c 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -80,6 +80,14 @@ iptables_init() {
>> fi
>> iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN"
>>
>> + # Log and subsequently drop spoofed packets or "martians", arriving from sources
>> + # on interfaces where we don't expect them
>> + iptables -N SPOOFED_MARTIAN
>> + if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then
>
> DROP? Shouldn’t the variable be called LOGSPOOFEDMARTIAN?
>
> You will always drop any packets sent to this chain, but you won’t always log them.
>
> Is this what you intended?
>
>> + iptables -A SPOOFED_MARTIAN -m limit --limit 10/second -j LOG --log-prefix "DROP_SPOOFED_MARTIAN "
>> + fi
>> + iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN"
>> +
>> # Chain to contain all the rules relating to bad TCP flags
>> iptables -N BADTCP
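Review bot: the toggle at `if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then` guards only the LOG rule, while `iptables -A SPOOFED_MARTIAN -j DROP` on the following line is unconditional, so the setting's name promises control over dropping that it does not have; rename it LOGSPOOFEDMARTIAN as the reply suggests, and since this hunk adds no default for the variable, make sure it is initialised wherever the firewall's other settings are, otherwise the chain runs with logging silently off when the setting is absent. Two smaller points in the same hunk: the LOG rule has no `-m comment` while the DROP rule does, so it will not be identifiable in `iptables -L -v` output (add `--comment "LOG_SPOOFED_MARTIAN"` for parity), and `--limit 10/second` is used without `--limit-burst`, so the default burst of 5 applies; state that explicitly if it is intended.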
>>
>> @@ -177,14 +185,18 @@ iptables_init() {
>> iptables -A INPUT -j ICMPINPUT
>> iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
>>
>> - # Accept everything on loopback
>> + # Accept everything on loopback if source/destination is loopback space...
>> iptables -N LOOPBACK
>> - iptables -A LOOPBACK -i lo -j ACCEPT
>> - iptables -A LOOPBACK -o lo -j ACCEPT
>> + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT
>> + iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT
>> +
>> + # ... and drop everything else on the loopback interface, since no other traffic should appear there
>> + iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN
>> + iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN
>>
>> - # Filter all packets with loopback addresses on non-loopback interfaces.
>> - iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
>> - iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
>> + # Filter all packets with loopback addresses on non-loopback interfaces (spoofed)
>> + iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
>> + iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
>>
>> for i in INPUT FORWARD OUTPUT; do
>> iptables -A ${i} -j LOOPBACK
>> --
>> 2.26.2
>
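Review bot: the new catch-all rules `iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN` and `iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN` will drop legitimate traffic, because the Linux kernel delivers packets addressed to any of the host's own addresses (for example a daemon on the green interface address contacted from the firewall itself) over lo with a non-127.0.0.0/8 source and destination; the ACCEPT rules placed before them match only `-s 127.0.0.0/8` on input and `-d 127.0.0.0/8` on output, so such packets fall through to the catch-all and the comment "no other traffic should appear there" does not hold. Either keep the original unconditional `-i lo` / `-o lo` ACCEPT rules and add only the two `-s 127.0.0.0/8` / `-d 127.0.0.0/8` jumps to SPOOFED_MARTIAN for the non-loopback interfaces, or widen the ACCEPT to the host's own addresses with `-m addrtype --src-type LOCAL` and `--dst-type LOCAL` before the catch-all, and adjust the commit message, which currently rests on the same assumption.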
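The following is an added example, not part of the patch above or of IPFire: a small Python script that sorts the DROP_SPOOFED_MARTIAN log lines the patched LOOPBACK chain would emit into genuine spoofs (127.0.0.0/8 seen on a non-loopback interface) and packets the new lo catch-all rules drop although they are only the host reaching one of its own addresses over lo. It assumes the standard iptables LOG field layout (KEY=VALUE fields such as IN=, OUT=, SRC=, DST=) following the "DROP_SPOOFED_MARTIAN " prefix from the patch; the category names and the sample log lines in SAMPLE_LOG are constructed for this example, not captured from a running system.

```python
"""Sort kernel log lines produced by the SPOOFED_MARTIAN chain by cause.

Added example, not code from IPFire or from the patch under review. It assumes
the standard iptables LOG layout (KEY=VALUE fields such as IN=, OUT=, SRC=,
DST=) after the "DROP_SPOOFED_MARTIAN " prefix set in the patch. The lines in
SAMPLE_LOG are constructed for this example, not captured from a system.
"""
import ipaddress
import re

LOG_PREFIX = "DROP_SPOOFED_MARTIAN "
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample syslog lines (not real captures). The last one comes from
# another chain and must be ignored.
SAMPLE_LOG = """\
Dec 18 13:50:01 ipfire kernel: DROP_SPOOFED_MARTIAN IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=127.0.0.1 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 18 13:50:02 ipfire kernel: DROP_SPOOFED_MARTIAN IN=green0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.40 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 18 13:50:03 ipfire kernel: DROP_SPOOFED_MARTIAN IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.1 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=53
Dec 18 13:50:04 ipfire kernel: DROP_SPOOFED_MARTIAN IN= OUT=lo SRC=127.0.0.1 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 18 13:50:05 ipfire kernel: DROP_NEWNOTSYN IN=red0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=1 DPT=22
"""


def parse_log_line(line):
    """Return the KEY=VALUE fields that follow the SPOOFED_MARTIAN prefix,
    or None when the line was logged by some other chain."""
    start = line.find(LOG_PREFIX)
    if start < 0:
        return None
    return dict(FIELD_RE.findall(line[start + len(LOG_PREFIX):]))


def classify(fields):
    """Say why the patched LOOPBACK chain sent this packet to SPOOFED_MARTIAN.

    'spoofed'        127.0.0.0/8 as source or destination on a non-lo
                     interface: the case the chain is meant to catch.
    'local-delivery' on lo, but neither address is in 127.0.0.0/8: the host
                     talking to one of its own non-loopback addresses, which
                     Linux delivers over lo. Dropped by the patch, not a spoof.
    'mixed-loopback' on lo with only one side in 127.0.0.0/8: dropped because
                     the ACCEPT rules match on source (input) or destination
                     (output) alone.
    'unexpected'     not explained by the chain as written.
    'unparseable'    SRC or DST missing or not an IP address.
    """
    try:
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
    except (KeyError, ValueError):
        return "unparseable"
    # INPUT/FORWARD log lines carry IN=, OUTPUT log lines carry only OUT=.
    iface = fields.get("IN") or fields.get("OUT") or ""
    src_lo = src in LOOPBACK_NET
    dst_lo = dst in LOOPBACK_NET
    if iface != "lo":
        return "spoofed" if (src_lo or dst_lo) else "unexpected"
    if not src_lo and not dst_lo:
        return "local-delivery"
    if src_lo != dst_lo:
        return "mixed-loopback"
    return "unexpected"


def summarize(log_text):
    """Count SPOOFED_MARTIAN lines per category and keep (category, interface,
    SRC, DST) for each so an operator can see where each martian showed up."""
    counts = {}
    details = []
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        kind = classify(fields)
        counts[kind] = counts.get(kind, 0) + 1
        iface = fields.get("IN") or fields.get("OUT")
        details.append((kind, iface, fields.get("SRC"), fields.get("DST")))
    return counts, details


if __name__ == "__main__":
    counts, details = summarize(SAMPLE_LOG)
    for kind, iface, src, dst in details:
        print(f"{kind:15} {iface:7} {src} -> {dst}")
    print(counts)
```

On the constructed sample, the two "spoofed" lines are what the patch is for, while the "local-delivery" and "mixed-loopback" lines are the side effect of the lo catch-all rules: a healthy firewall running the patched chain should show none of the latter, so any count above zero there is a sign the chain is dropping the host's own traffic rather than a martian.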