| # Copyright (c) 2011 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Set iptables policies and add rules" |
| author "chromium-os-dev@chromium.org" |
| |
| start on started boot-services |
| |
| script |
| iptables -P INPUT DROP |
| iptables -P FORWARD DROP |
| iptables -P OUTPUT DROP |
| |
| # Accept everything on the loopback |
| iptables -I INPUT -i lo -j ACCEPT |
| iptables -I OUTPUT -o lo -j ACCEPT |
| |
| # Accept return traffic inbound |
| iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
| |
| # Accept icmp echo (NB: icmp echo ratelimiting is done by the kernel) |
| iptables -A INPUT -p icmp -j ACCEPT |
| |
| # Accept new and return traffic outbound |
| iptables -I OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT |
| |
| # Accept inbound mDNS traffic |
| iptables -A INPUT -p udp --destination 224.0.0.251 --dport 5353 -j ACCEPT |
| |
| . /usr/sbin/netfilter-common |
| # Filter outgoing traffic to the DIAL protocol through a user-space filter |
| # which will open up a port for reply traffic. |
| iptables -I OUTPUT -p udp --destination 239.255.255.250 --dport 1900 \ |
| -j NFQUEUE --queue-num ${NETFILTER_OUTPUT_NFQUEUE} |
| |
| # Send incoming UDP traffic (which has not passed any other rules) to the |
| # user-space filter to test whether it was a reply to outgoing DIAL protocol |
| # traffic. |
| iptables -A INPUT -p udp -j NFQUEUE --queue-num ${NETFILTER_INPUT_NFQUEUE} |
| end script |
