Binding loopback interface to 127.0.0. via IPTables/EBTables

Author Message
OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

PostPosted: Wed Jun 01, 2022 20:11    Post subject: Binding loopback interface to 127.0.0. via IPTables/EBTables Reply with quote
Just out of curiosity and experimentation I decided to create "if loopback interface is not 127.0.0.1, then drop packet" rules and ended up with packets being dropped all the time for OUTPUT on my UniFi Dream Machine. Here are the rules:
Code:
iptables -I OUTPUT -o lo ! -d 127.0.0.1/32 -j DROP
iptables -I OUTPUT -o lo ! -s 127.0.0.1/32 -j DROP


This happens even after a full factory reset. Is there something wrong with the rule or rule syntax? Router functions don't appear to be affected at all, but aside from loopback, what else can use that IP address? ifconfig only lists the loopback interface for 127.0.0.1.

There are no dropped packets for INPUT:
Code:
iptables -I INPUT -i lo ! -d 127.0.0.1/32 -j DROP
iptables -I INPUT -i lo ! -s 127.0.0.1/32 -j DROP


Only OUTPUT shows dropped packets.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Thu Jun 02, 2022 6:47    Post subject: Reply with quote
127.0.0.1/32 is all addresses 127.0.0.x
OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

PostPosted: Thu Jun 02, 2022 11:52    Post subject: Reply with quote
127.0.0.1/32 is exclusively 127.0.0.1 and only 127.0.0.1. The "/32" signifies 255.255.255.255 subnet mask, which is host-only. There is no range - https://www.calculator.net/ip-subnet-calculator.html.

My rule is supposed to make sure that no interface, except for loopback, can use IP 127.0.0.1. If my syntax is correct, then there shouldn't be dropped packets from loopback. Such dropped packets can only be coming from/to non-loopback interface that uses IP 127.0.0.1, but non-loopback interface for such IP doesn't exist...
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Thu Jun 02, 2022 15:59    Post subject: Reply with quote
Use tcpdump to see what is going on.

But your device actually answers to more than 127.0.0.1.
Ping 127.0.0.2 and you will see that it is answered.

For IPv4, the loopback interface is assigned all the IPs in the 127.0.0.0/8 address block. That is, 127.0.0.1 through 127.255.255.254 all represent your computer. For most purposes, though, it is only necessary to use one IP address, and that is 127.0.0.1. This IP has the hostname of localhost mapped to it.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Thu Jun 02, 2022 17:03    Post subject: Reply with quote
Per Yngve Berg wrote:
127.0.0.1/32 is all addresses 127.0.0.x


No, that would be 127.0.0.1/24; for 127.x.x.x it would be /8. I'm shocked that you were in error here, PYB!

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
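The disagreement in this thread is about which addresses a prefix length covers: OpenSource Ghost's point that /32 is a single host, egc's point that the loopback interface answers for the whole 127.0.0.0/8 block, and kernel-panic69's correction that 127.0.0.x would be /24. The script below is an added example, not code from any poster: it implements the prefix-membership test that `iptables` applies for `-s`/`-d` (address AND mask compared with network AND mask) and runs it over 127.0.0.1, 127.0.0.2 and a constructed third loopback address, 127.0.0.53, against the three prefixes mentioned. It shows why the `! -d 127.0.0.1/32` OUTPUT rule drops anything sent to another 127.x address on `lo`, while the same rule with 127.0.0.0/8 would only drop traffic that really is outside the loopback block. Only the arithmetic is real; nothing here touches the firewall.

```shell
#!/usr/bin/env bash
# Added example: prefix-membership check for IPv4, mirroring the match that
# "iptables -s/-d ADDR/LEN" performs. Not code from the thread or from DD-WRT.

# ip_to_int A.B.C.D -> the 32-bit integer value of the address
ip_to_int() {
    local IFS=.
    # shellcheck disable=SC2086  # intentional word splitting on "."
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/LEN -> exit 0 if ADDR lies inside NET/LEN, 1 otherwise
in_cidr() {
    local addr_int net_int bits mask
    addr_int=$(ip_to_int "$1")
    net_int=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        # /32 -> 0xFFFFFFFF, /24 -> 0xFFFFFF00, /8 -> 0xFF000000
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    fi
    [ $(( addr_int & mask )) -eq $(( net_int & mask )) ]
}

# verdict ADDR NET/LEN -> what an OUTPUT rule "-o lo ! -d NET/LEN -j DROP"
# would do to a packet destined for ADDR (the "!" inverts the match).
verdict() {
    if in_cidr "$1" "$2"; then
        echo "$1 inside  $2 : '! -d $2' does not match, packet passes"
    else
        echo "$1 outside $2 : '! -d $2' matches, packet DROPPED"
    fi
}

# Addresses from the thread (127.0.0.1, 127.0.0.2) plus one constructed
# loopback address (127.0.0.53) to show the /24 vs /8 difference does not
# matter for 127.0.0.x but the /32 vs anything-else difference does.
for a in 127.0.0.1 127.0.0.2 127.0.0.53; do
    verdict "$a" 127.0.0.1/32   # host-only, as OpenSource Ghost states
    verdict "$a" 127.0.0.1/24   # 127.0.0.x, as kernel-panic69 states
    verdict "$a" 127.0.0.0/8    # the whole loopback block, as egc states
    echo
done
```

Run it and the first line of each group is the one that explains the dropped packets: anything on `lo` addressed to 127.0.0.2 or another 127.x address is outside 127.0.0.1/32, so the inverted match fires. If the intent is "only loopback addresses may use `lo`", the prefix in the rule should be 127.0.0.0/8, and `tcpdump -i lo` (egc's suggestion) will show which local service is talking to the other 127.x addresses.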
All times are GMT