| # Copyright (c) 2011 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Set iptables IPv6 policies and add rules" |
| author "chromium-os-dev@chromium.org" |
| |
| # We must run eventually even if the UI doesn't come up correctly. |
| start on starting failsafe |
| |
| script |
| ip6tables -P INPUT DROP |
| ip6tables -P FORWARD DROP |
| ip6tables -P OUTPUT DROP |
| |
| # Accept everything on the loopback |
| ip6tables -I INPUT -i lo -j ACCEPT |
| ip6tables -I OUTPUT -o lo -j ACCEPT |
| |
| # Accept return traffic inbound |
| ip6tables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
| |
| # Accept icmp echo (NB: icmp echo ratelimiting is done by the kernel) |
| ip6tables -A INPUT -p ipv6-icmp -j ACCEPT |
| |
| # Allow all outbound ICMPv6 traffic. This is important for things like |
| # neighbor discovery and address negotiation. |
| ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT |
| |
| # Accept new and return traffic outbound |
| ip6tables -I OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT |
| end script |
