7

I have seen countless examples of this rule in iptables:

-A INPUT -i lo -j ACCEPT

I thought `lo` means localhost (a.k.a. 127.0.0.1), but when I commented it out, I couldn't access the server using its private IP address 192.168.1.3, which means it is more than just localhost.

Further, does this rule refer to the source IP, the destination IP, or both? Meaning, if I were to spoof a source coming from 127.0.0.1, would it be accepted?

I tried looking in the man page but could not find an answer to this. It would be helpful if someone could point me in the right direction.

Question Overflow

1 Answer

10

The -i option of iptables takes an interface name.

You can use ifconfig or ip addr to list all available interfaces and their configuration.

Usually there is one interface called `lo` which is configured for 127.0.0.1/8, i.e. all IP addresses starting with 127. When used as a destination the interface simply delivers the data to the same host.

In your case the -i refers to the input interface. The rule matches all traffic originating at the local host no matter which destination.

If you remove it (and don't allow such traffic in another rule) local software is no longer able to talk to any other host.

michas
  • Can you clarify what it means by `configured for 127.0.0.1/8`? Does that include spoofed source ip addresses like 127.0.0.1 originating from outside? – Question Overflow May 17 '14 at 06:57
  • 2
    Anything from outside will *not* arrive at `lo`. It will arrive at `eth0` or whatever you have. The assigned IP addresses are only used for local routing. I.e. if you want to talk to 127.0.0.1 the kernel will send that data to interface `lo` instead of sending it to your external network. – michas May 17 '14 at 07:02
  • Ah.. I see. That's really what I want to know. Thanks! – Question Overflow May 17 '14 at 07:49
  • @michas good answer +1. one comment: -i refers to the input _chain_ of the ip table in question (likely this is the default ip table 'filter'), not input _interface_ as said in the answer. see `man iptables` – user3804598 May 17 '20 at 08:18
  • @user3804598 No `-i` specifies the interface. Here (https://help.ubuntu.com/community/IptablesHowTo#Basic_Iptables_Options): *-i - Only match if the packet is coming in on the specified interface*. You were talking about upper case `-I`. Double check in `man iptables`: *-i, --in-interface name: Name of an interface via which a packet was received*. – BairDev Sep 02 '21 at 14:11
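To make the interface-versus-address distinction from the answer and comments concrete, here is a small model of how the INPUT chain evaluates `-i` and `-s` matches against constructed packets. This is an added example, not code from the thread; the second rule (`! -i lo -s 127.0.0.0/8 -j DROP`) is a common anti-spoofing rule that is not on the page, included here as an assumed hardening step.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One INPUT rule: optional -i / ! -i match, optional -s match, and a target."""
    target: str                      # ACCEPT or DROP
    in_iface: Optional[str] = None   # -i <name>: interface the packet arrived on
    iface_negated: bool = False      # True models "! -i <name>"
    src: Optional[str] = None        # -s <cidr>: source address match

    def matches(self, iface: str, src_ip: str) -> bool:
        if self.in_iface is not None:
            hit = iface == self.in_iface
            if hit == self.iface_negated:   # "-i" needs hit, "! -i" needs miss
                return False
        if self.src is not None:
            if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
                return False
        return True


# Modelled ruleset (assumed): the rule from the question plus an anti-spoofing rule.
INPUT_CHAIN = [
    Rule("ACCEPT", in_iface="lo"),                                      # -A INPUT -i lo -j ACCEPT
    Rule("DROP", in_iface="lo", iface_negated=True, src="127.0.0.0/8"),  # -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
]
DEFAULT_POLICY = "DROP"   # assumed: -P INPUT DROP


def verdict(iface: str, src_ip: str) -> str:
    """First matching rule wins, as in iptables; otherwise the chain policy applies."""
    for rule in INPUT_CHAIN:
        if rule.matches(iface, src_ip):
            return rule.target
    return DEFAULT_POLICY


# Constructed sample packets: (arrival interface, source address, description).
# Traffic a local process sends to 192.168.1.3 is routed via lo (local routing table),
# so it arrives on lo even though the address is not 127.x; a forged 127.0.0.1 source
# from the network arrives on eth0 and never matches "-i lo".
SAMPLE_PACKETS = [
    ("lo", "192.168.1.3", "local process -> the host's own private address"),
    ("lo", "127.0.0.1", "local process -> localhost"),
    ("eth0", "127.0.0.1", "forged loopback source arriving from the LAN"),
    ("eth0", "192.168.1.50", "ordinary LAN peer, no rule allows it"),
]

if __name__ == "__main__":
    for iface, src, why in SAMPLE_PACKETS:
        print(f"{iface:5} {src:15} -> {verdict(iface, src):6}  ({why})")
```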