iptables rule for loopback interface lo


About your second question, give this command a try:

iptables -L -v

-L is equivalent to --list, and -v gives you more verbose output, which will display the interface concerned by your rule.

P.S.: I know it is an old post, but this answer would have helped me 2 days ago, so ...
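To make the answer's point concrete, here is an added example (not code from the answer, and not from iptables itself) that parses the iptables-save style rules quoted in the question, walks them top-down for a given packet the way the INPUT chain would, and renders each rule both the way a plain `iptables -L` prints it and the way `iptables -L -v` prints it. It models only a subset of iptables matching (in-interface, protocol, destination port, conntrack state) and assumes source/destination are unrestricted, which is true of every rule on the page.

```python
"""Simplified matcher for iptables-save style INPUT rules.

Added example, not code from the answer or from iptables. It parses the rule
lines shown in the question, reports which rule a given packet hits first,
and renders each rule as `iptables -L` (no interface columns) and
`iptables -L -v` (with in/out interface columns) would.  Only in-interface,
protocol, destination port and conntrack state are modelled.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed subset of the question's iptables-restore dump (same shape).
SAMPLE_RULES = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i em1 -p tcp -m tcp --dport 54000 -j ACCEPT
-A INPUT -i em1 -p udp -m udp --dport 54000 -j ACCEPT
-A INPUT -i em1 -p tcp -m tcp --dport 80 -j ACCEPT
"""


@dataclass
class Rule:
    chain: str = ""
    target: str = ""
    in_iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    ctstates: List[str] = field(default_factory=list)
    text: str = ""


def parse_rule(line: str) -> Rule:
    """Parse one '-A CHAIN ... -j TARGET' line (supported options only)."""
    toks = shlex.split(line)
    rule = Rule(text=line.strip())
    i = 0
    while i < len(toks):
        tok = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-A":
            rule.chain = arg
        elif tok == "-i":
            rule.in_iface = arg
        elif tok == "-p":
            rule.proto = arg
        elif tok == "--dport":
            rule.dport = int(arg)
        elif tok == "--ctstate":
            rule.ctstates = arg.split(",")
        elif tok == "-j":
            rule.target = arg
        elif tok == "-m":
            pass  # match-extension name; its options are handled above
        else:
            raise ValueError(f"unsupported option {tok!r} in {line!r}")
        i += 2
    return rule


def load_rules(dump: str, chain: str = "INPUT") -> List[Rule]:
    rules = [parse_rule(ln) for ln in dump.splitlines() if ln.strip()]
    return [r for r in rules if r.chain == chain]


def rule_matches(rule: Rule, pkt: Dict) -> bool:
    """Every option present on the rule must match the packet (AND semantics)."""
    if rule.in_iface is not None and rule.in_iface != pkt["in"]:
        return False
    if rule.proto is not None and rule.proto != pkt["proto"]:
        return False
    if rule.dport is not None and rule.dport != pkt.get("dport"):
        return False
    if rule.ctstates and pkt["ctstate"] not in rule.ctstates:
        return False
    return True


def first_match(rules: List[Rule], pkt: Dict, policy: str = "DROP") -> Tuple[str, str]:
    """Walk the chain top-down like the kernel; fall back to the chain policy."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.target, r.text
    return policy, "(chain policy)"


def render_list_line(rule: Rule, verbose: bool) -> str:
    """Mimic the columns of `iptables -L` (verbose=False) and `-L -v` (True)."""
    prot = rule.proto or "all"
    cols = [rule.target, prot, "--"]
    if verbose:  # -v adds the in/out interface columns that plain -L hides
        cols += [rule.in_iface or "any", "any"]
    cols += ["anywhere", "anywhere"]
    extra = []
    if rule.ctstates:
        extra.append("ctstate " + ",".join(rule.ctstates))
    if rule.dport is not None:
        extra.append(f"{prot} dpt:{rule.dport}")
    return " ".join(cols + extra)


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    syn = {"in": "lo", "proto": "tcp", "dport": 54000, "ctstate": "NEW"}
    print("loopback SYN to 54000 ->", first_match(rules, syn))
    for r in rules:
        print(render_list_line(r, False), "|", render_list_line(r, True))
```

Running it shows that the bare `ACCEPT all -- anywhere anywhere` line of the question is the `-i lo -j ACCEPT` rule with its interface column hidden, and that a new SYN arriving on lo hits that rule first and is accepted, so the rule set itself would not produce the RST.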

Author: misteryes
Updated on September 18, 2022

Comments

  • misteryes
    misteryes over 1 year

    I want to test some network performance, where I need to use a TCP client to connect to a TCP server program on the same host, so I used localhost (127.0.0.1); however, when the TCP SYN is sent, it gets a RESET:

    12:04:27.550292 IP localhost.55047 > localhost.54000: Flags [S], seq 1451460422, win 43690, options [mss 65495,sackOK,TS val 2409691925 ecr 0,nop,wscale 7], length 0
    12:04:27.550319 IP localhost.54000 > localhost.55047: Flags [R.], seq 0, ack 1451460423, win 0, length 0
    

    I think the issue is the iptables rules.

    from iptables-restore for INPUT, I have

        -A INPUT -i lo -j ACCEPT
        -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A INPUT -p icmp -j ACCEPT
        -A INPUT -i em1 -p tcp -m tcp --dport 54000 -j ACCEPT
        -A INPUT -i em1 -p tcp -m tcp --dport 51000 -j ACCEPT
        -A INPUT -i em1 -p tcp -m tcp --dport 30000 -j ACCEPT
        -A INPUT -i em1 -p tcp -m tcp --dport 54001 -j ACCEPT
        -A INPUT -i em1 -p tcp -m tcp --dport 30001 -j ACCEPT
        -A INPUT -i em1 -p udp -m udp --dport 54000 -j ACCEPT
        -A INPUT -i em1 -p tcp -m tcp --dport 80 -j ACCEPT
        -A INPUT -i em1 -p udp -m udp --dport 5000 -j ACCEPT
        -A INPUT -j INPUT_direct
        -A INPUT -j INPUT_ZONES
    

    the related line is

         -A INPUT -i lo -j ACCEPT
    

    from iptables --list, I have

        in INPUT (policy DROP)
        target     prot opt source               destination 
        ACCEPT     all  --  anywhere             anywhere    
        ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
        ACCEPT     icmp --  anywhere             anywhere    
        ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:54000
        ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:51000
        ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:30000
        ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:54001
        ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pago-services1
        ACCEPT     udp  --  anywhere             anywhere             udp dpt:54000
        ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
        ACCEPT     udp  --  anywhere             anywhere             udp dpt:commplex-main
        INPUT_direct  all  --  anywhere             anywhere            
    

    There is no network interface involved (BTW, for this line: ACCEPT all -- anywhere anywhere, what does it mean? Does it accept all protocols and all ports?)

    So what can I modify to allow any traffic related to the loopback interface lo? Thanks!

    • misteryes
      misteryes almost 11 years
      what does iptables --flush mean?
    • misteryes
      misteryes almost 11 years
      And from iptables --list, why is there no network interface involved? What does the first line ACCEPT all -- anywhere anywhere mean?
    • jpaugh
      jpaugh almost 11 years
      iptables --flush deletes all tables. That makes your network completely unfiltered. (It's only temporary, and can be undone with iptables-restore.) Unless you've configured NAT, or something like that with iptables, it should let your application work.
    • Gabe
      Gabe almost 11 years
      Why do you think this is iptables? You'd need a "REJECT" rule, which you don't have, and the RST is what you'd get if nothing was actually listening on the port. Check that first (with netstat). That aside, absolutely all of your rules are ACCEPT; what makes you think that anything should ever be dropped/rejected?
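The check the last comment asks for, as an added example that is not part of the thread: a TCP connect to 127.0.0.1 has three distinguishable outcomes, and telling them apart is what separates "nothing is listening" from "the firewall is dropping it". The script starts its own listener on an ephemeral port chosen by the kernel (an assumption so that it runs on any host), probes that port with and without the listener, and classifies each result.

```python
"""Loopback reachability check: open vs. refused vs. filtered.

Added example, not from the thread. A RST in reply to the SYN is reported to
the client as "connection refused" and means the kernel had no socket
listening on that port, which is the symptom in the question. A DROP rule or
a DROP chain policy instead makes the SYN vanish and the connect time out.
The listener is bound to port 0 so the kernel picks a free ephemeral port.
"""
import socket
from typing import Dict, Tuple

HOST = "127.0.0.1"


def start_listener(host: str = HOST) -> Tuple[socket.socket, int]:
    """Bind a listening TCP socket on a kernel-chosen free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))  # port 0: let the kernel pick an ephemeral port
    srv.listen(1)
    return srv, srv.getsockname()[1]


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP connect attempt the way a firewall troubleshooter would."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"  # SYN/ACK came back: something is listening
    except ConnectionRefusedError:
        return "refused"  # SYN answered with RST: no listener on that port
    except socket.timeout:
        return "filtered"  # SYN silently dropped: what a DROP rule/policy does
    finally:
        s.close()


def demo() -> Dict[str, object]:
    """Probe the same loopback port with and without a listener."""
    srv, port = start_listener()
    try:
        with_listener = probe(HOST, port)
    finally:
        srv.close()  # closing the listener frees the port again
    without_listener = probe(HOST, port)
    return {
        "port": port,
        "with_listener": with_listener,
        "without_listener": without_listener,
    }


if __name__ == "__main__":
    print(demo())
```

The same check from the shell is the one the comment names, `netstat -ltn` (or `ss -ltn` on current distributions), which lists the ports that actually have a listener; if the server's port is absent there, no iptables change will stop the RST.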