I would like to restrict outbound traffic to only localhost using iptables. I already have a default DROP policy on OUTPUT and a rule REJECTing all traffic. I need to add a rule above that in the OUTPUT chain.
I have seen a couple of different examples for this type of rule, the most common being:
-A OUTPUT -o lo -j ACCEPT
and
-A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
Is there any reason to use the latter rather than the former? Can packets on lo have an address other than 127.0.0.1?
Yes, it can have other addresses. You can possibly see anything from 127.0.0.0/8 in use. On Debian/Ubuntu systems, addresses in the 127.0.0.0/8 range are used to deal with an Apache issue. Other addresses can also be assigned, but this is very rare.
If your machine has multiple interfaces, and you try to communicate with the IP on one of these other interfaces, the traffic will actually go over the lo interface. Linux is smart enough to figure out this traffic is destined for itself, and not try to use the real interface. The rule
-A OUTPUT -o lo -j ACCEPT
will allow this other traffic, while the rule
-A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
would reject it.
You can see everything the kernel will route over the loopback interface by running
(just note the first value, which is either an IP or a network/mask)
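To make the difference between the two rules concrete, here is an added Python model of the OUTPUT chain from the question (default policy DROP, a catch-all REJECT, and one ACCEPT rule above it); it is not code from the page or from any answer, and the packet addresses (192.0.2.10, 198.51.100.1, 127.0.1.1) are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    out_iface: str  # interface the kernel routes the packet out of
    src: str
    dst: str

@dataclass(frozen=True)
class Rule:  # subset of an iptables rule: -o, -s, -d (CIDR ok), target
    target: str                      # "ACCEPT" or "REJECT"
    out_iface: Optional[str] = None  # -o <iface>; None matches any
    src: Optional[str] = None        # -s <addr|cidr>; None matches any
    dst: Optional[str] = None        # -d <addr|cidr>; None matches any

    def matches(self, pkt: Packet) -> bool:
        if self.out_iface is not None and pkt.out_iface != self.out_iface:
            return False
        for spec, addr in ((self.src, pkt.src), (self.dst, pkt.dst)):
            net = spec and ipaddress.ip_network(spec, strict=False)
            if net and ipaddress.ip_address(addr) not in net:
                return False
        return True

def output_verdict(chain, pkt, policy="DROP"):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

# The two candidate rules, each above the questioner's catch-all REJECT.
BROAD = [Rule("ACCEPT", out_iface="lo"), Rule("REJECT")]
NARROW = [Rule("ACCEPT", out_iface="lo", src="127.0.0.1", dst="127.0.0.1"),
          Rule("REJECT")]
# Constructed samples; 192.0.2.10 stands in for the host's own NIC address,
# which the kernel routes over lo rather than the physical interface.
SAMPLES = {
    "plain loopback": Packet("lo", "127.0.0.1", "127.0.0.1"),
    "other 127/8 address": Packet("lo", "127.0.0.1", "127.0.1.1"),
    "host's own NIC address": Packet("lo", "192.0.2.10", "192.0.2.10"),
    "real outbound traffic": Packet("eth0", "192.0.2.10", "198.51.100.1"),
}

def compare():
    """Return {sample name: (verdict with BROAD, verdict with NARROW)}."""
    return {n: (output_verdict(BROAD, p), output_verdict(NARROW, p))
            for n, p in SAMPLES.items()}
```

Only the first sample is accepted by both rules; the narrow rule lets traffic to the host's other addresses fall through to the REJECT, while neither rule opens anything on a real interface.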
That makes no sense; they achieve the same end. The default policy to DROP is sufficient.
The rule you're looking for is probably
But some more experience with iptables will (hopefully) teach you not to do that; use input rules instead.