[pkg-netfilter-team] Bug#949172: iptables: -A INPUT -i lo -j ACCEPT opens all ports
Anzulo
no-reply at coolhost.at
Fri Jan 17 18:29:07 GMT 2020
Package: iptables
Version: 1.8.3-2~bpo10+1
Severity: normal
Dear Maintainer,
I have a strange problem with iptables and my loopback interface.
ifconfig says:
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
For both ipv6 and ipv4 rules, I use this:
-A INPUT -i lo -j ACCEPT
For ipv6 it works fine:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all ::/0 ::/0 state RELATED,ESTABLISHED
ACCEPT all ::1 ::1
But for ipv4, it opens all ports:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
The desired solution is achieved by:
-A INPUT -s 127.0.0.1 --dst 127.0.0.1 -i lo -j ACCEPT
But why is binding the rule to the interface lo not working for ipv4, but for ipv6 flawlessly?
-- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages iptables depends on:
ii libc6 2.28-10
ii libip4tc2 1.8.3-2~bpo10+1
ii libip6tc2 1.8.3-2~bpo10+1
ii libiptc0 1.8.3-2~bpo10+1
ii libmnl0 1.0.4-2
ii libnetfilter-conntrack3 1.0.7-1
ii libnfnetlink0 1.0.1-3+b1
ii libnftnl11 1.1.4-1~bpo10+1
ii libxtables12 1.8.3-2~bpo10+1
Versions of packages iptables recommends:
ii nftables 0.9.0-2
Versions of packages iptables suggests:
ii kmod 26-1
-- no debconf information
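Whether an ACCEPT rule actually carries an interface or address restriction is visible in the iptables-save form of the ruleset (the default iptables -L listing prints no in/out interface columns unless -v is added). The following audit check is an added example, not part of this bug report: it flags INPUT ACCEPT rules that have no narrowing match at all, and the rule dump it runs on is constructed for illustration.

```shell
#!/bin/sh
# Constructed iptables-save excerpt (not taken from the bug report) mixing
# restricted ACCEPT rules with one fully unrestricted ACCEPT in a DROP-policy
# INPUT chain. Replace with: iptables-save | audit_unrestricted_accepts
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j ACCEPT
COMMIT'

# Read iptables-save output on stdin and print every INPUT ACCEPT rule that
# carries none of the usual narrowing matches (interface, source/destination
# address, protocol, port, or an -m match such as conntrack state). A rule
# printed here admits traffic on any interface, from any address, to any port,
# which is what "opens all ports" looks like in the saved ruleset. The
# loopback rule "-A INPUT -i lo -j ACCEPT" is narrowed by -i and is not flagged.
audit_unrestricted_accepts() {
    awk '
        /^-A INPUT / && / -j ACCEPT/ {
            narrowed = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(-i|--in-interface|-s|--source|-d|--destination|-p|--protocol|--dport|--sport|-m|--match)$/)
                    narrowed = 1
            }
            if (!narrowed) print
        }'
}

# Convenience wrapper: number of unrestricted INPUT ACCEPT rules in a dump
# passed as a string (0 is the expected value on a host with a DROP policy).
count_unrestricted_accepts() {
    printf '%s\n' "$1" | audit_unrestricted_accepts | wc -l | tr -d ' '
}

# Stand-alone run against the constructed dump: prints "-A INPUT -j ACCEPT".
printf '%s\n' "$SAMPLE_RULES" | audit_unrestricted_accepts
```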