# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# Upstart job: installs the host's default-deny IPv4 iptables policy and the
# minimal set of exceptions (loopback, return traffic, ICMP echo, mDNS, SSDP)
# early in boot, before network services come up.
#
# NOTE(review): this rendering appears to have dropped lines — there is no
# `script` stanza before the first iptables command, no `{` matching the `}`
# on the logger line, and the commands ending in `\` have no continuation.
# Verify against the original source before treating it as complete.
description "Set iptables policies and add rules"
author ""
# Runs when the network-services job is starting, so the policy is in place
# before anything listens on the network.
start on starting network-services
# Default-deny on all three filter chains; everything below is an explicit
# exception to this. `-w` waits for the xtables lock instead of failing if
# another iptables invocation holds it.
iptables -P INPUT DROP -w
iptables -P FORWARD DROP -w
iptables -P OUTPUT DROP -w
# Accept everything on the loopback
# `-I` inserts at the head of the chain, so these take precedence over
# anything appended later with `-A`.
iptables -I INPUT -i lo -j ACCEPT -w
iptables -I OUTPUT -o lo -j ACCEPT -w
# Accept return traffic inbound
# Only conntrack-tracked replies are let in; no unsolicited inbound NEW state.
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -w
# Accept icmp echo (NB: icmp echo ratelimiting is done by the kernel)
iptables -A INPUT -p icmp -j ACCEPT -w
# Accept new and return traffic outbound
# NEW here means any outbound connection may be initiated; OUTPUT is
# effectively allow-all for tracked traffic, the DROP policy only catches the
# rest (e.g. INVALID).
iptables -I OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -w
# Accept inbound mDNS traffic
# NOTE(review): `--destination` has no address argument in this rendering —
# presumably the multicast address was dropped; confirm against the original.
iptables -A INPUT -p udp --destination --dport 5353 -j ACCEPT -w
# Accept inbound SSDP traffic
# NOTE(review): same missing `--destination` argument as the mDNS rule above.
iptables -A INPUT -p udp --destination --dport 1900 -j ACCEPT -w
# netfilter-queue-helper is used for Linux < 3.12.
# For Linux >= 3.12, conntrackd.conf is used instead.
# Presence of the helper binary selects the legacy user-space path below.
if [ -e /usr/sbin/netfilter-queue-helper ]; then
# Sourced for shared definitions; its contents are not visible here, so what
# it provides to the rules below cannot be confirmed from this file.
. /usr/sbin/netfilter-common
# Filter outgoing SSDP traffic for the DIAL protocol through a user-space
# filter (netfilter-queue-helper) which will open up a port for reply
# traffic.
# NOTE(review): the continuation line(s) carrying the target for this and the
# next two commands are not present in this rendering.
iptables -I OUTPUT -p udp --destination --dport 1900 \
# Ditto for outbound mDNS legacy unicast replies (source port != 5353).
iptables -I OUTPUT -p udp --destination --dport 5353 \
# Send incoming UDP traffic (which has not passed any other rules) to the
# user-space filter to test whether it was a reply to outgoing DIAL protocol
# traffic.
# Appended last with `-A`, so it only sees UDP that the loopback, conntrack,
# mDNS and SSDP rules above did not already accept.
iptables -A INPUT -p udp -j NFQUEUE \
} 2>&1 | logger --priority -t ${UPSTART_JOB}
# The block above redirects stderr into stdout and pipes both to syslog
# tagged with the job name, so failed iptables invocations are logged rather
# than lost.
# NOTE(review): `--priority` has no value in this rendering, and no flush
# (`-F`) is visible before the rules, so re-running this script would append
# duplicate rules — confirm whether the job can be restarted.
end script