Hi

Could one of you kind people who know tell me - and other readers - if it is safe practice to let all local-host to local-host connections happen ? I know that most illicit connections happen through already open ports, but what is good practice ?

specifically, is it dangerous to do :

# tcp OUT table
iptables -A tcp_out -p tcp -d $LOCALHOST_IP -j ACCEPT

instead of :

#iptables -A tcp_out -p tcp -dport $MYSQL_PORT -d $LOCALHOST_IP -j ACCEPT
#iptables -A tcp_out -p tcp -dport $DICT_PORT -d $LOCALHOST_IP -j ACCEPT
#iptables -A tcp_out -p tcp -dport $XFS_PORT -d $LOCALHOST_IP -j ACCEPT
#iptables -A tcp_out -p udp -dport $XFS_PORT -d $LOCALHOST_IP -j ACCEPT
:
:

and likewise :

# tcp IN table
iptables -A tcp_in -p tcp -s $LOCALHOST_IP -j ACCEPT

instead of :

#iptables -A tcp_in -p tcp -sport $MYSQL_PORT -s $LOCALHOST_IP -j ACCEPT
#iptables -A tcp_in -p tcp -sport $DICT_PORT -s $LOCALHOST_IP -j ACCEPT
#iptables -A tcp_in -p tcp -sport $XFS_PORT -s $LOCALHOST_IP -j ACCEPT
:
:
:

and, just asking for completeness, what about :

iptables -A non_tcp_in -p icmp -s $LOCALHOST_IP -j ACCEPT

hey u can allow the local host but make sure that they are from the inside n\w
because there are some cases that ip address is of inside hosts
but they come from outside n\w

Use the local interface rather (or in addition to) than the localhost ip, since as stated above, packets can be spoofed from external hosts to look like they are from the loopback address.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.