Could one of you kind people who know tell me - and other readers - if it is safe practice to let all local-host to local-host connections happen? I know that most illicit connections happen through already open ports, but what is good practice?

Specifically, is it dangerous to do:

# tcp OUT table
iptables -A tcp_out -p tcp -d $LOCALHOST_IP -j ACCEPT

instead of:

#iptables -A tcp_out -p tcp --dport $MYSQL_PORT -d $LOCALHOST_IP -j ACCEPT
#iptables -A tcp_out -p tcp --dport $DICT_PORT -d $LOCALHOST_IP -j ACCEPT
#iptables -A tcp_out -p tcp --dport $XFS_PORT -d $LOCALHOST_IP -j ACCEPT
#iptables -A tcp_out -p udp --dport $XFS_PORT -d $LOCALHOST_IP -j ACCEPT

and likewise:

# tcp IN table
iptables -A tcp_in -p tcp -s $LOCALHOST_IP -j ACCEPT

instead of:

#iptables -A tcp_in -p tcp --sport $MYSQL_PORT -s $LOCALHOST_IP -j ACCEPT
#iptables -A tcp_in -p tcp --sport $DICT_PORT -s $LOCALHOST_IP -j ACCEPT
#iptables -A tcp_in -p tcp --sport $XFS_PORT -s $LOCALHOST_IP -j ACCEPT

and, just asking for completeness, what about:

iptables -A non_tcp_in -p icmp -s $LOCALHOST_IP -j ACCEPT

Discussion span: 9 years. Last post by Darkflib.

Hey, you can allow the local host, but make sure that they are from the inside network, because there are some cases where the IP address is that of an inside host but the packets come from the outside network.


Use the local interface rather than (or in addition to) the localhost IP, since, as stated above, packets can be spoofed from external hosts to look like they are from the loopback address.
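Here is an added example (not code from the original thread or from either poster) that puts the two replies together with the question's own chain names (tcp_in, tcp_out, non_tcp_in): every loopback rule matches on the interface (-i lo / -o lo) as well as the address, an explicit anti-spoofing rule drops packets that claim a 127.0.0.0/8 address but did not arrive on lo, and both the "allow all loopback" and the per-port variants from the question are shown side by side. The IPT variable, the LOCALHOST_NET value and the example port numbers are assumptions made for the example; set IPT=echo to dry-run and see the rules it would apply.

```shell
#!/bin/sh
# Added example, not from the original thread. Loopback rules keyed on the
# interface, plus an anti-spoofing rule, using the chain names from the question.
# IPT defaults to iptables; IPT=echo prints the rules instead of applying them.
IPT="${IPT:-iptables}"
LOCALHOST_IP="127.0.0.1"      # variable name from the question, value assumed
LOCALHOST_NET="127.0.0.0/8"   # whole loopback block (assumption for the example)

# Drop anything that carries a loopback source or destination but did not
# arrive on lo. Real loopback traffic never leaves lo, so such packets are forged.
anti_spoof_rules() {
    $IPT -A INPUT ! -i lo -s "$LOCALHOST_NET" -j DROP
    $IPT -A INPUT ! -i lo -d "$LOCALHOST_NET" -j DROP
}

# Permissive variant from the question: accept all loopback traffic, but only
# when it is actually on the loopback interface, so a spoofed source address
# on an external interface cannot satisfy the rule.
allow_all_loopback() {
    $IPT -A tcp_in     -i lo -p tcp  -s "$LOCALHOST_IP" -j ACCEPT
    $IPT -A tcp_out    -o lo -p tcp  -d "$LOCALHOST_IP" -j ACCEPT
    $IPT -A non_tcp_in -i lo -p icmp -s "$LOCALHOST_IP" -j ACCEPT
}

# Restrictive variant: one rule pair per local service, as in the commented-out
# lines of the question, written with the --dport/--sport option names that
# iptables expects. Port numbers are assumptions for the example.
MYSQL_PORT="${MYSQL_PORT:-3306}"
DICT_PORT="${DICT_PORT:-2628}"
allow_selected_loopback() {
    for port in "$MYSQL_PORT" "$DICT_PORT"; do
        $IPT -A tcp_out -o lo -p tcp --dport "$port" -d "$LOCALHOST_IP" -j ACCEPT
        $IPT -A tcp_in  -i lo -p tcp --sport "$port" -s "$LOCALHOST_IP" -j ACCEPT
    done
}

# Dry-run helper: number of rules a function would emit. The subshell keeps
# IPT=echo from leaking into the caller's environment.
count_rules() {
    ( IPT=echo; "$1" ) | grep -c -- '-j '
}

# Entry point: "apply" installs the permissive set as root; "dry-run" only
# prints it. With no argument the script defines the functions and exits.
case "${1:-}" in
    apply)   anti_spoof_rules; allow_all_loopback ;;
    dry-run) ( IPT=echo; anti_spoof_rules; allow_all_loopback ) ;;
esac
```

Run it as `sh loopback-rules.sh dry-run` first and read the output before using `apply`. The interface match is the part that answers the question: with `-i lo`, the permissive rule is no longer a statement about where a packet says it came from but about where it physically entered, which is what the spoofing concern in the replies is about. Note that Linux already drops 127.0.0.0/8 packets arriving on a non-loopback interface as "martian" unless `net.ipv4.conf.<if>.route_localnet` has been enabled, so the explicit DROP rules mostly serve as a visible, loggable guarantee that survives a change to that sysctl.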
