Full Version: iptables anti-spoof protection
The Planet Forums > Operating Systems > Red Hat Linux
ferret
This is under Debian, but it shouldn't be too terribly different on Red Hat.

The default iptables config doesn't allow you to ping external IPs internally. For example, if I ssh into the server, I can ping localhost, but not any of the server's IPs. I've spoken to a few people and they say this is the older method of anti-spoof protection, and there are better ways that will still let me access my IPs. (For reference, I need to be able to use the IPs for a monitoring service.)

It's been described to me that I need to set up iptables to allow internal IPs to ping external IPs if using an internal interface, but others continue to deny access. I don't know how to make this change to iptables though, and I'd really rather not accidentally shut down all access to my server playing with it.

Any suggestions?
sean1121
Check the rules for the loopback interface. I found that if you have these rules:
CODE
iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT

you can't ping any of the IPs on the server. If you change them to this:

CODE
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

then all of them respond.

Let me know if this helps. I don't use Debian, so I have no idea what the default firewall looks like.
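An added example, not posted by either ferret or sean1121: a small POSIX shell script that generates a ruleset in iptables-restore format combining sean1121's interface-based loopback rules with explicit anti-spoof drops on the public interface (packets claiming a loopback or private source must never arrive on eth0), and that addresses ferret's worry about locking himself out by applying the rules with a timed automatic rollback. The interface names eth0/eth1, the internal range 10.0.0.0/8 and the 60-second rollback window are assumptions; adjust them before use. With no arguments the script only prints the ruleset, so it can be reviewed before anything touches the live firewall.

```shell
#!/bin/sh
# Added example (not from the thread). Prints an iptables-restore ruleset by
# default; "--apply" loads it with a timed rollback; "--confirm" keeps it.
WAN_IF=eth0                              # assumed public interface
LAN_IF=eth1                              # assumed internal interface
LAN_NET=10.0.0.0/8                       # assumed internal address range
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"     # rollback window, override via env
PIDFILE=/tmp/iptables-rollback.pid

# Emit the filter table. Loopback is accepted by interface, not by address:
# pinging one of the server's own public IPs from the server itself still
# travels over lo, with that public IP as both source and destination, so a
# rule limited to 127.0.0.1 never matches it.
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# anti-spoof: loopback and private sources are impossible on the public side
-A INPUT -i $WAN_IF -s 127.0.0.0/8 -j DROP
-A INPUT -i $WAN_IF -s 10.0.0.0/8 -j DROP
-A INPUT -i $WAN_IF -s 172.16.0.0/12 -j DROP
-A INPUT -i $WAN_IF -s 192.168.0.0/16 -j DROP
# internal hosts may ping the server's addresses via the internal interface
-A INPUT -i $LAN_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Succeed if the generated ruleset contains the given rule line verbatim.
has_rule() {
    ruleset | grep -qxF -- "$1"
}

# Number of rules appended to INPUT in the generated ruleset.
input_rule_count() {
    ruleset | grep -c '^-A INPUT'
}

# Load the ruleset, but schedule a restore of the previous rules in the
# background so a mistake that blocks SSH undoes itself after ROLLBACK_SECS.
apply_with_rollback() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    ruleset | iptables-restore || return 1
    ( sleep "$ROLLBACK_SECS"; iptables-restore < "$backup" ) &
    echo $! > "$PIDFILE"
    echo "rules applied; run '$0 --confirm' within ${ROLLBACK_SECS}s to keep them"
}

# Cancel the pending rollback once a fresh SSH login has proven the rules work.
confirm() {
    [ -f "$PIDFILE" ] || { echo "no rollback pending"; return 1; }
    kill "$(cat "$PIDFILE")" 2>/dev/null && rm -f "$PIDFILE" && echo "rollback cancelled"
}

case "${1:-}" in
    --apply)   apply_with_rollback ;;
    --confirm) confirm ;;
    *)         ruleset ;;
esac
```

Usage: run `sh firewall.sh > rules.txt` to review the output, `sh firewall.sh --apply` as root to load it, then open a new SSH session and run `sh firewall.sh --confirm` within the window; if the new session fails, the old rules come back on their own.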