Put the logging rule ahead of a reject one like this:
Code:
iptables -A INPUT -j LOG
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
and put them both at the bottom of the INPUT chain.
Or you can use DROP rather than REJECT to drop the packets on the floor. REJECT informs the source of the packets that they are being ignored.
Do you already have these rules implemented somewhere? If so, run
Code:
sudo iptables -L -nv
and see how many packets have hit the rules for 127.0.0.0/8. I bet the number is zero. There's literally no reason to block any traffic to the localhost interface, and doing so can interfere with the operation of some programs. For instance, Ubuntu since 18.04 with systemd-resolved accepts DNS queries at the address 127.0.0.53. You don't want to block that.
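To check the two things suggested above (that the LOG rule sits ahead of the catch-all REJECT, and that the 127.0.0.0/8 rules have never matched anything), here is a small POSIX shell script that parses `iptables -L -nv` output. It is an added example, not part of the original post; it runs against a constructed sample of counter output embedded in the script (replace `SAMPLE` with `sudo iptables -L INPUT -nv` output on a real host), so it needs no root to try.

```shell
#!/bin/sh
# Constructed sample of `iptables -L INPUT -nv` output (not captured from any real host).
# Columns: pkts bytes target prot opt in out source destination [extra]
SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       127.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            127.0.0.0/8
 4321  512K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   17  1020 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
   17  1020 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Sum the packet counters of every rule whose source or destination is 127.0.0.0/8.
# A result of 0 means those loopback rules have never matched a packet.
loopback_hits() {
    printf '%s\n' "$1" | awk '
        $8 == "127.0.0.0/8" || $9 == "127.0.0.0/8" { sum += $1 }
        END { print sum + 0 }'
}

# List, in chain order, the targets of the catch-all rules (any interface, any source,
# any destination). The expected answer for the setup above is "LOG REJECT":
# logging first, then the reject, both at the bottom of the chain.
catchall_targets() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && $6 == "*" && $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" {
            printf "%s%s", sep, $3; sep = " "
        }
        END { print "" }'
}

# Stand-alone usage on the constructed sample.
echo "packets matched by 127.0.0.0/8 rules: $(loopback_hits "$SAMPLE")"
echo "catch-all rule order: $(catchall_targets "$SAMPLE")"
```

If `catchall_targets` prints "REJECT LOG" or only "REJECT", the LOG rule is in the wrong place (or missing) and rejected packets will never reach the kernel log; if `loopback_hits` stays at 0 over time, the loopback rules are doing nothing except risking the 127.0.0.53 resolver problem mentioned above.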