
I am trying to allow connections between software running on the same machine in iptables.

The following kills my internet connectivity:

# The following rule doesn't allow the VPN connection to be established
#-A INPUT -i lo -o lo -j ACCEPT

The following works instead:

# The following rule works and makes RStudio work
-A INPUT -s 127.0.0.1/24 -d 127.0.0.1/24 -j ACCEPT

What is the difference between the lo interface and the 127.0.0.1 IP address?

1 Answer


The short answer is that the Linux kernel does some behind-the-scenes magic to expedite traffic when routing internally that bypasses iptables. I believe you can set the sysctl route_localnet property and force the traffic to "route" locally, and it would then hit the iptables rules by interface, and not just by IP. If that doesn't work, try setting up a trace in the raw table and follow the packet's flow through all the chains & tables.

Also (on a side note), when using the 127.0.0.0 network... the mask should actually be 127.0.0.0/8, not /24. There are some Linux processes I've seen that use 127.100.0.1 and other strange addresses on the lo interface.

TheCompWiz
  • So why doesn't the first command allow the VPN connection to be established? On the basis of what you write, it should have no effect at all since it is bypassed... instead it has an effect and it doesn't allow the VPN connection to be established. Assuming that 127.0.0.1 is assigned to the lo interface, what is the difference between the two? Thanks for pointing out the correct mask :) – robertspierre Mar 01 '21 at 22:33
  • I suspect you have more than just the one rule you listed... or possibly a "DROP" policy set. More than likely, a different rule is matching and dropping the traffic. – TheCompWiz Mar 02 '21 at 16:13
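As an added example (not code from the question or the answer), here is a small shell script with two offline checks that bear on the rules in this thread. The first is a CIDR membership test that illustrates the answer's side note: 127.0.0.1/24 does not cover addresses such as 127.100.0.1, while 127.0.0.0/8 does. The second is a lint for the -i/-o interface options, because iptables refuses -o in the INPUT chain (and -i in OUTPUT), and the first, commented-out rule in the question combines -i lo with -o lo in INPUT. The loopback pair `-A INPUT -i lo -j ACCEPT` / `-A OUTPUT -o lo -j ACCEPT` used in the demo is the conventional form, not something taken from the page. The script only inspects rule text and never calls iptables, so it needs no root.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Two offline checks for iptables-restore lines; nothing here calls iptables.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains NET/PREFIX ADDR -> exit 0 if ADDR lies inside the prefix.
# A bare address (no slash) is treated as a /32 host match.
cidr_contains() {
    case $1 in
        */*) net=${1%/*}; prefix=${1#*/} ;;
        *)   net=$1;      prefix=32 ;;
    esac
    addr=$2
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$addr") & mask )) ]
}

# lint_rule "RULE" -> exit 0 if the -i/-o options are legal for the chain
# named by -A. iptables itself rejects -o in INPUT and -i in OUTPUT, so a
# restore file containing such a line fails to load as a whole.
lint_rule() {
    set -- $1
    chain=
    while [ $# -gt 0 ]; do
        case $1 in
            -A) chain=$2; shift ;;
            -i) [ "$chain" = OUTPUT ] && { echo "rejected: -i in OUTPUT"; return 1; } ;;
            -o) [ "$chain" = INPUT ]  && { echo "rejected: -o in INPUT"; return 1; } ;;
        esac
        shift
    done
    return 0
}

# Stand-alone demo on the addresses and rules discussed in the thread.
demo() {
    for pair in "127.0.0.1/24 127.100.0.1" "127.0.0.0/8 127.100.0.1"; do
        set -- $pair
        if cidr_contains "$1" "$2"; then
            echo "$2 is inside $1"
        else
            echo "$2 is NOT inside $1"
        fi
    done
    for rule in "-A INPUT -i lo -o lo -j ACCEPT" \
                "-A INPUT -i lo -j ACCEPT" \
                "-A OUTPUT -o lo -j ACCEPT"; do
        if lint_rule "$rule"; then echo "ok:  $rule"; else echo "bad: $rule"; fi
    done
}
demo
```

Running the script prints that 127.100.0.1 is outside 127.0.0.1/24 but inside 127.0.0.0/8, and flags only the `-i lo -o lo` INPUT rule. The lint deliberately parses just -A, -i and -o; any other match options are passed over untouched.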