# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

description     "Set iptables policies and add rules"
author          "chromium-os-dev@chromium.org"

start on starting shill
task

script
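  # Set the default policy of every chain to DROP before any ACCEPT rule is
  # added, so the window between policy change and rule insertion fails
  # closed rather than open.
  # NOTE: only the IPv4 tables are configured here; this script never calls
  # ip6tables.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP

  # Accept everything on the loopback
  iptables -I INPUT -i lo -j ACCEPT
  iptables -I OUTPUT -o lo -j ACCEPT

  # Accept return traffic inbound
  iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Accept icmp echo (NB: icmp echo ratelimiting is done by the kernel)
  # NB: with no --icmp-type this rule admits every ICMP type, not only echo.
  iptables -A INPUT -p icmp -j ACCEPT

  # Accept new and return traffic outbound
  iptables -I OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

  # Accept inbound mDNS traffic
  iptables -A INPUT -p udp --destination 224.0.0.251 --dport 5353 -j ACCEPT

  # Provides NETFILTER_OUTPUT_NFQUEUE and NETFILTER_INPUT_NFQUEUE. Upstart
  # script stanzas run under "sh -e", so a missing file aborts the job here
  # with the DROP policies above already in place.
  . /usr/sbin/netfilter-common
  # Fail fast with an attributable message if the queue numbers were not
  # provided; otherwise iptables would fail on a malformed --queue-num and the
  # cause would be harder to see in the log. Either way the chains stay DROP.
  : "${NETFILTER_OUTPUT_NFQUEUE:?not set by /usr/sbin/netfilter-common}"
  : "${NETFILTER_INPUT_NFQUEUE:?not set by /usr/sbin/netfilter-common}"

  # Filter outgoing traffic to the DIAL protocol through a user-space filter
  # which will open up a port for reply traffic. -I places this rule ahead
  # of the NEW,ESTABLISHED,RELATED ACCEPT above so it is actually consulted.
  iptables -I OUTPUT -p udp --destination 239.255.255.250 --dport 1900 \
      -j NFQUEUE --queue-num "${NETFILTER_OUTPUT_NFQUEUE}"

  # Send incoming UDP traffic (which has not passed any other rules) to the
  # user-space filter to test whether it was a reply to outgoing DIAL protocol
  # traffic. -A keeps it after the ACCEPT rules above. Without --queue-bypass,
  # NFQUEUE drops packets when no user-space program is bound to the queue,
  # so the filter being down fails closed.
  # NOTE(review): rules are added without flushing, so if this task runs more
  # than once the same rules are duplicated -- confirm that is acceptable.
  iptables -A INPUT -p udp -j NFQUEUE --queue-num "${NETFILTER_INPUT_NFQUEUE}"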
end script
