| # Copyright (c) 2011 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Set iptables policies and add rules" |
| author "chromium-os-dev@chromium.org" |
| |
| # We must run eventually even if the UI doesn't come up correctly, |
| # because the Open SSH server depends on us. |
| start on starting failsafe |
| |
| script |
| iptables -P INPUT DROP |
| iptables -P FORWARD DROP |
| iptables -P OUTPUT DROP |
| |
| # Accept everything on the loopback |
| iptables -I INPUT -i lo -j ACCEPT |
| iptables -I OUTPUT -o lo -j ACCEPT |
| |
| # Accept return traffic inbound |
| iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
| |
| # Accept icmp echo (NB: icmp echo ratelimiting is done by the kernel) |
| iptables -A INPUT -p icmp -j ACCEPT |
| |
| # Accept new and return traffic outbound |
| iptables -I OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT |
| end script |