6
sudo sysctl -w net.ipv4.conf.eth0.route_localnet=1

What are the security implications of route_localnet?

adrelanos
  • 680
  • 7
  • 21

3 Answers3

5

The documentation for this options shows the following:

route_localnet - BOOLEAN
    Do not consider loopback addresses as martian source or destination
    while routing. This enables the use of 127/8 for local routing purposes.
    default FALSE

In essence it tells the kernel not to treat local routing for as a danger and refuse it. As long as net.ipv4.ip_forward is 0 you shouldn't need to change route_localnet. In most cases you only need this when you do some PREROUTING and/or FORWARD with iptables.

The security risk is limited if this isn't on a public facing network interface and otherwise you want to make sure ingress and egress filtering is done correctly. This to reduce the effects of spoofed traffic.

hspaans
  • 346
  • 1
  • 5
2

I think the main implication is, that firewall rules (distribution or custom) which allow communication for 127/8 might no longer be effective Iff they fail to specify the ingress interface. If rules are specifically designed for it I would not see a big problem.

It is more of a compatibility and conformance problem if it is actually used on the wire (instead of virtual switch networks).

eckes
  • 962
  • 8
  • 19
2

One possible security implication of this settings is that, if a service listens on localhost as a security measure (i.e. it relies on 127.0.0.1 not being addressable by machines other than the one it's running on ), this could break that assumption, as other machines on the LAN could route traffic to 127.0.0.1 on this host.

An example and discussion of this issue in the context of Kubernetes (which currently sets this option) is here

Rory McCune
  • 60,923
  • 14
  • 136
  • 217