In iptables, the --src-type LOCAL match is more nuanced than simply matching 127.0.0.0/8 addresses. This match actually refers to all addresses that are considered "local" to the host system, which includes:
# List of address ranges matched by --src-type LOCAL
127.0.0.0/8 (localhost)
192.168.0.0/16 (private network)
10.0.0.0/8 (private network)
172.16.0.0/12 (private network)
169.254.0.0/16 (link-local)
::1/128 (IPv6 localhost)
fc00::/7 (IPv6 private network)
fe80::/10 (IPv6 link-local)
Here are some common use cases for --src-type LOCAL:
# Block external access to local services (addrtype must be loaded with -m before --src-type is accepted)
iptables -A INPUT -p tcp --dport 22 -m addrtype ! --src-type LOCAL -j DROP
# Allow only local traffic to Redis
iptables -A INPUT -p tcp --dport 6379 -m addrtype --src-type LOCAL -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j DROP
# Permit local traffic while logging external attempts
iptables -A INPUT -m addrtype --src-type LOCAL -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: "
Many administrators mistakenly believe --src-type LOCAL is identical to --src 127.0.0.0/8, but there are key differences:
# This matches ONLY 127.0.0.0/8 addresses
iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
# This matches ALL local addresses (including private networks)
iptables -A INPUT -m addrtype --src-type LOCAL -j ACCEPT
The actual matching is handled by the kernel's xt_addrtype module. You can verify if it's loaded with:
lsmod | grep xt_addrtype
If not loaded, you'll need to load it first:
modprobe xt_addrtype
When --src-type LOCAL doesn't work as expected:
- Check if the xt_addrtype module is loaded
- Verify your address is considered local (use ip addr show)
- Test with specific IP ranges first
# Diagnostic command to test address classification
iptables -A INPUT -m addrtype --src-type LOCAL -j LOG --log-prefix "LOCAL-TRAFFIC: "
In iptables, the --src-type LOCAL match extension filters packets based on whether their source address is considered "local" to the host. While the man page briefly mentions this matches "a local address," the actual implementation is more nuanced.
Examining the Linux kernel source (particularly xt_addrtype.c), we find that LOCAL matches addresses that:
1. Belong to any local network interface (including 127.0.0.0/8)
2. Are in 0.0.0.0/8 (historical "this network" addresses)
3. Are multicast addresses (224.0.0.0/4)
4. Are broadcast addresses (255.255.255.255)
5. Are in the link-local range (169.254.0.0/16)
Many admins incorrectly assume LOCAL only refers to loopback addresses. Let's demonstrate with concrete rules:
# This matches ALL local addresses (including 192.168.1.100 if configured on an interface)
iptables -A INPUT -m addrtype --src-type LOCAL -j LOG --log-prefix "Local traffic: "
# This matches ONLY loopback traffic
iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
The --src-type LOCAL match is particularly useful when:
- You need dynamic matching without hardcoding interface addresses
- Working with containers/VMs where IPs may change
- Creating firewall rules that should apply to all local traffic generically
While convenient, --src-type matching requires additional kernel processing. For high-performance systems, consider:
# More efficient alternative for known static IPs
iptables -A INPUT -s 192.168.1.0/24,10.0.0.0/8 -j ACCEPT
# Combine with conntrack for stateful filtering
iptables -A INPUT -m addrtype --src-type LOCAL -m conntrack --ctstate ESTABLISHED -j ACCEPT
The IPv6 equivalent (ip6tables) treats LOCAL as:
- ::1/128 (IPv6 loopback)
- fe80::/10 (link-local)
- Any address assigned to local interfaces