| # Copyright 2011 The ChromiumOS Authors |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Set iptables IPv6 policies and add rules" |
| author "chromium-os-dev@chromium.org" |
| |
| oom score never |
| |
| start on starting network-services |
| task |
| |
| script |
| { |
| ip6tables -P INPUT DROP -w |
| ip6tables -P FORWARD DROP -w |
| ip6tables -P OUTPUT DROP -w |
| |
| # Accept everything on the loopback |
| ip6tables -I INPUT -i lo -j ACCEPT -w |
| ip6tables -I OUTPUT -o lo -j ACCEPT -w |
| |
| # Accept return traffic inbound |
| ip6tables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -w |
| |
| # Accept icmp echo (NB: icmp echo ratelimiting is done by the kernel) |
| ip6tables -A INPUT -p ipv6-icmp -j ACCEPT -w |
| |
| # Allow outbound ICMPv6 traffic. This is important for things like neighbor |
| # discovery and address negotiation. Address unreachable is an exception |
| # that we want to avoid sending as that could be triggered by legitimate |
| # traffic sent from upstream to guest |
| ip6tables -A OUTPUT -p ipv6-icmp --icmpv6-type destination-unreachable -j DROP -w |
| ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT -w |
| |
| # Accept new and return traffic outbound |
| ip6tables -I OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -w |
| |
| # Accept inbound mDNS traffic |
| ip6tables -A INPUT -p udp --destination FF02::FB --dport 5353 -j ACCEPT -w |
| } 2>&1 | logger --priority daemon.info -t ${UPSTART_JOB} |
| end script |
