Message ID | 2ab43082-5d2d-d4bf-eba1-c78dede9b8b7@ipfire.org |
---|---|
State | Accepted |
Commit | a36cd34eac2d1624720eb86e2f3c6985ae184e20 |
Headers | Subject: [PATCH 03/11] firewall: Log and drop spoofed loopback packets; To: development@lists.ipfire.org; From: Peter Müller <peter.mueller@ipfire.org>; Message-ID: <2ab43082-5d2d-d4bf-eba1-c78dede9b8b7@ipfire.org>; In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org>; Date: Sat, 18 Dec 2021 14:48:17 +0100; List-Id: IPFire development talk <development.lists.ipfire.org> |
Series | firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection |
Commit Message
Peter Müller
18 Dec 2021, 1:48 p.m. UTC
Traffic from and to 127.0.0.0/8 must only appear on the loopback
interface, never on any other interface. This ensures offending packets
are logged, and the loopback interface cannot be abused for processing
traffic from and to any other networks.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
src/initscripts/system/firewall | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)
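A defender-side check that goes with the logging this commit message describes, as an added example that is not part of the IPFire patch or its firewall script: it parses kernel log lines carrying the patch's "DROP_SPOOFED_MARTIAN " prefix (assuming the usual netfilter LOG key=value layout), attributes each line to the loopback rule that matched, and counts them. The sample log lines are constructed.

```python
"""Summarise DROP_SPOOFED_MARTIAN kernel log lines (added example, not IPFire code)."""
import ipaddress
import re
from collections import Counter

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

# Everything after the log prefix is a run of KEY=VALUE tokens; values may be
# empty (e.g. "OUT=" on the INPUT path), hence \S* rather than \S+.
_PREFIX_RE = re.compile(r"DROP_SPOOFED_MARTIAN\s+(?P<fields>.*)$")
_KV_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample lines; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Dec 18 13:48:17 fw kernel: DROP_SPOOFED_MARTIAN IN=red0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=127.0.0.1 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=44444 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 18 13:48:18 fw kernel: DROP_SPOOFED_MARTIAN IN=red0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=127.0.0.1 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=44445 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 18 13:48:19 fw kernel: DROP_SPOOFED_MARTIAN IN=lo OUT= SRC=192.0.2.1 DST=192.0.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40000 DPT=53
Dec 18 13:48:20 fw kernel: DROP_SPOOFED_MARTIAN IN=blue0 OUT= MAC=00:00:5e:00:53:03:00:00:5e:00:53:04:08:00 SRC=198.51.100.7 DST=127.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=2 PROTO=TCP SPT=1234 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 18 13:48:21 fw kernel: unrelated kernel message
"""


def parse_line(line):
    """Return the KEY=VALUE fields of one DROP_SPOOFED_MARTIAN line, or None."""
    m = _PREFIX_RE.search(line)
    if m is None:
        return None
    return dict(_KV_RE.findall(m.group("fields")))


def classify(fields):
    """Say which LOOPBACK-chain rule sent the packet to SPOOFED_MARTIAN.

    The patch's invariant: traffic on lo must carry 127.0.0.0/8 on both ends,
    and 127.0.0.0/8 must never appear on any other interface.
    """
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    iface = fields.get("IN") or fields.get("OUT") or "?"
    if iface == "lo":
        if src in LOOPBACK_NET and dst in LOOPBACK_NET:
            return "unexpected: 127/8 on both ends of lo (rule should have accepted)"
        # Linux delivers traffic addressed to any of the host's own IPs over lo
        # with that IP as source/destination, so legitimate local traffic that
        # the new rules drop would show up in this bucket; review it after deploying.
        return "non-loopback address on lo"
    if src in LOOPBACK_NET:
        return "loopback source on " + iface
    if dst in LOOPBACK_NET:
        return "loopback destination on " + iface
    return "unexpected: no loopback address involved"


def summarise(lines):
    """Count (reason, SRC, DST) triples across the given log lines."""
    counts = Counter()
    for line in lines:
        fields = parse_line(line)
        if not fields or "SRC" not in fields or "DST" not in fields:
            continue
        try:
            counts[(classify(fields), fields["SRC"], fields["DST"])] += 1
        except ValueError:  # malformed address in a truncated line
            continue
    return counts


if __name__ == "__main__":
    for (reason, src, dst), n in summarise(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:5d}  {reason:<40} {src} -> {dst}")
```

Because the LOG rule is rate-limited, these counts are a sample of what was dropped, not a total.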
Comments
Hello,

> On 18 Dec 2021, at 13:48, Peter Müller <peter.mueller@ipfire.org> wrote:
>
> Traffic from and to 127.0.0.0/8 must only appear on the loopback
> interface, never on any other interface. This ensures offending packets
> are logged, and the loopback interface cannot be abused for processing
> traffic from and to any other networks.
>
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> src/initscripts/system/firewall | 24 ++++++++++++++++++------
> 1 file changed, 18 insertions(+), 6 deletions(-)
>
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index cc5baa292..1c62c6e2c 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -80,6 +80,14 @@ iptables_init() {
> fi
> iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN"
>
> + # Log and subsequently drop spoofed packets or "martians", arriving from sources
> + # on interfaces where we don't expect them
> + iptables -N SPOOFED_MARTIAN
> + if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then

DROP? Shouldn’t the variable be called LOGSPOOFEDMARTIAN?

You will always drop any packets sent to this chain, but you won’t always log them.

Is this what you intended?

> + iptables -A SPOOFED_MARTIAN -m limit --limit 10/second -j LOG --log-prefix "DROP_SPOOFED_MARTIAN "
> + fi
> + iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN"
> +
> # Chain to contain all the rules relating to bad TCP flags
> iptables -N BADTCP
>
> @@ -177,14 +185,18 @@ iptables_init() {
> iptables -A INPUT -j ICMPINPUT
> iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
>
> - # Accept everything on loopback
> + # Accept everything on loopback if source/destination is loopback space...
> iptables -N LOOPBACK
> - iptables -A LOOPBACK -i lo -j ACCEPT
> - iptables -A LOOPBACK -o lo -j ACCEPT
> + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT
> + iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT
> +
> + # ... and drop everything else on the loopback interface, since no other traffic should appear there
> + iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN
> + iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN
>
> - # Filter all packets with loopback addresses on non-loopback interfaces.
> - iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
> - iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
> + # Filter all packets with loopback addresses on non-loopback interfaces (spoofed)
> + iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
> + iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
>
> for i in INPUT FORWARD OUTPUT; do
> iptables -A ${i} -j LOOPBACK
> --
> 2.26.2
Hello Michael,

> You will always drop any packets sent to this chain, but you won’t always log them.
>
> Is this what you intended?

yes. "LOGSPOOFEDMARTIAN" would have been better indeed; currently, we also have things
like "DROPNEWNOTSYN", which is actually just an option for toggling logging of such
packets.

Should I update the misleading "DROP*" variables as well to keep things consistent?

Thanks, and best regards,
Peter Müller
Hello,

> On 8 Jan 2022, at 11:43, Peter Müller <peter.mueller@ipfire.org> wrote:
>
> Hello Michael,
>
>> You will always drop any packets sent to this chain, but you won’t always log them.
>>
>> Is this what you intended?
>
> yes. "LOGSPOOFEDMARTIAN" would have been better indeed; currently, we also have things
> like "DROPNEWNOTSYN", which is actually just an option for toggling logging of such
> packets.
>
> Should I update the misleading "DROP*" variables as well to keep things consistent?

Yes. I would say so. I like things when they are tidy.

-Michael
Hello Michael,

thanks for your reply.

Since I already put that patchset into my temporary development branch for Core Update 164,
I will work on a dedicated patch for renaming the variables instead of reverting these and
submit a second version of the patchset.

Thanks, and best regards,
Peter Müller

> Hello,
>
>> On 8 Jan 2022, at 11:43, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> Hello Michael,
>>
>>> You will always drop any packets sent to this chain, but you won’t always log them.
>>>
>>> Is this what you intended?
>>
>> yes. "LOGSPOOFEDMARTIAN" would have been better indeed; currently, we also have things
>> like "DROPNEWNOTSYN", which is actually just an option for toggling logging of such
>> packets.
>>
>> Should I update the misleading "DROP*" variables as well to keep things consistent?
>
> Yes. I would say so. I like things when they are tidy.
>
> -Michael
Agreed.

> On 18 Jan 2022, at 21:22, Peter Müller <peter.mueller@ipfire.org> wrote:
>
> Hello Michael,
>
> thanks for your reply.
>
> Since I already put that patchset into my temporary development branch for Core Update 164,
> I will work on a dedicated patch for renaming the variables instead of reverting these and
> submit a second version of the patchset.

Don’t merge prematurely :)

> Thanks, and best regards,
> Peter Müller
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index cc5baa292..1c62c6e2c 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -80,6 +80,14 @@ iptables_init() { fi iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN" + # Log and subsequently drop spoofed packets or "martians", arriving from sources + # on interfaces where we don't expect them + iptables -N SPOOFED_MARTIAN + if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then + iptables -A SPOOFED_MARTIAN -m limit --limit 10/second -j LOG --log-prefix "DROP_SPOOFED_MARTIAN " + fi + iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN" + # Chain to contain all the rules relating to bad TCP flags iptables -N BADTCP @@ -177,14 +185,18 @@ iptables_init() { iptables -A INPUT -j ICMPINPUT iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT - # Accept everything on loopback + # Accept everything on loopback if source/destination is loopback space... iptables -N LOOPBACK - iptables -A LOOPBACK -i lo -j ACCEPT - iptables -A LOOPBACK -o lo -j ACCEPT + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT + iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT + + # ... and drop everything else on the loopback interface, since no other traffic should appear there + iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN + iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN - # Filter all packets with loopback addresses on non-loopback interfaces. - iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP - iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP + # Filter all packets with loopback addresses on non-loopback interfaces (spoofed) + iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN + iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN for i in INPUT FORWARD OUTPUT; do iptables -A ${i} -j LOOPBACK
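Review bot: in the first hunk (@@ -80,6 +80,14 @@), `DROPSPOOFEDMARTIAN` only gates the `-j LOG` rule; the `iptables -A SPOOFED_MARTIAN -j DROP` after the `fi` runs unconditionally, so the option name promises a drop toggle that does not exist. Either rename it to LOGSPOOFEDMARTIAN, as the thread proposes, or put a comment above the `if` stating that the drop is unconditional and only logging is optional. Note also that `-m limit --limit 10/second` (default burst) makes the kernel log a sample under a flood; the DROP rule's packet counters remain the accurate count of what was dropped.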
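Review bot: in the second hunk (@@ -177,14 +185,18 @@), the new `iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN` / `-o lo -j SPOOFED_MARTIAN` catch-alls will also drop legitimate local traffic, because Linux delivers any packet addressed to one of the host's own non-loopback addresses (for example a daemon on the firewall connecting to the green interface IP) over `lo` with that address as source and destination, not 127.0.0.0/8. Such packets no longer match the narrowed `-i lo -s 127.0.0.0/8` / `-o lo -d 127.0.0.0/8` ACCEPT rules and fall through to SPOOFED_MARTIAN, where they are logged as DROP_SPOOFED_MARTIAN and dropped. Suggest accepting the host's own addresses on `lo` as well (for instance with `-m addrtype --src-type LOCAL` / `--dst-type LOCAL`) before the `-i lo` / `-o lo` jumps, or limiting the unconditional drop to loopback addresses on non-lo interfaces, and verifying with a local connection to the firewall's own interface address before merging.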