chromeos-base/chromeos-firewall-init/files/iptables.conf - third_party/overlays/chromiumos-overlay - Git at Google

 # Copyright 2011 The ChromiumOS Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description     "Set iptables policies and add rules"
 author          "chromium-os-dev@chromium.org"

 start on starting network-services
 task

 script
 {
   iptables -P INPUT DROP -w
   iptables -P FORWARD DROP -w
   iptables -P OUTPUT DROP -w

   # Accept everything on the loopback
   iptables -I INPUT -i lo -j ACCEPT -w
   iptables -I OUTPUT -o lo -j ACCEPT -w

   # Accept return traffic inbound
   iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -w

   # Accept icmp echo (NB: icmp echo ratelimiting is done by the kernel)
   iptables -A INPUT -p icmp -j ACCEPT -w

   # Accept new and return traffic outbound
   iptables -I OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -w

   # Accept inbound mDNS traffic
   iptables -A INPUT -p udp --destination 224.0.0.251 --dport 5353 -j ACCEPT -w

   # Accept inbound SSDP traffic
   iptables -A INPUT -p udp --destination 239.255.255.250 --dport 1900 -j ACCEPT -w

   # netfilter-queue-helper is used for Linux < 3.12.
   # For Linux >= 3.12, conntrackd.conf is used instead.
   if [ -e /usr/sbin/netfilter-queue-helper ]; then
     . /usr/sbin/netfilter-common

     # Filter outgoing SSDP traffic for the DIAL protocol through a user-space
     # filter (netfilter-queue-helper) which will open up a port for reply
     # traffic.
     iptables -I OUTPUT -p udp --destination 239.255.255.250 --dport 1900 \
         -j NFQUEUE --queue-num ${NETFILTER_OUTPUT_NFQUEUE} -w

     # Ditto for outbound mDNS legacy unicast replies (source port != 5353).
     iptables -I OUTPUT -p udp --destination 224.0.0.251 --dport 5353 \
         -j NFQUEUE --queue-num ${NETFILTER_OUTPUT_NFQUEUE} -w

     # Send incoming UDP traffic (which has not passed any other rules) to the
     # user-space filter to test whether it was a reply to outgoing DIAL protocol
     # traffic.
     iptables -A INPUT -p udp -j NFQUEUE \
         --queue-num ${NETFILTER_INPUT_NFQUEUE} -w
   fi
 } 2>&1 | logger --priority daemon.info -t ${UPSTART_JOB}
 end script
	# Copyright 2011 The ChromiumOS Authors
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "Set iptables policies and add rules"
	author "chromium-os-dev@chromium.org"

	start on starting network-services
	task

	script
	{
	iptables -P INPUT DROP -w
	iptables -P FORWARD DROP -w
	iptables -P OUTPUT DROP -w

	# Accept everything on the loopback
	iptables -I INPUT -i lo -j ACCEPT -w
	iptables -I OUTPUT -o lo -j ACCEPT -w

	# Accept return traffic inbound
	iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -w

	# Accept icmp echo (NB: icmp echo ratelimiting is done by the kernel)
	iptables -A INPUT -p icmp -j ACCEPT -w

	# Accept new and return traffic outbound
	iptables -I OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -w

	# Accept inbound mDNS traffic
	iptables -A INPUT -p udp --destination 224.0.0.251 --dport 5353 -j ACCEPT -w

	# Accept inbound SSDP traffic
	iptables -A INPUT -p udp --destination 239.255.255.250 --dport 1900 -j ACCEPT -w

	# netfilter-queue-helper is used for Linux < 3.12.
	# For Linux >= 3.12, conntrackd.conf is used instead.
	if [ -e /usr/sbin/netfilter-queue-helper ]; then
	. /usr/sbin/netfilter-common

	# Filter outgoing SSDP traffic for the DIAL protocol through a user-space
	# filter (netfilter-queue-helper) which will open up a port for reply
	# traffic.
	iptables -I OUTPUT -p udp --destination 239.255.255.250 --dport 1900 \
	-j NFQUEUE --queue-num ${NETFILTER_OUTPUT_NFQUEUE} -w

	# Ditto for outbound mDNS legacy unicast replies (source port != 5353).
	iptables -I OUTPUT -p udp --destination 224.0.0.251 --dport 5353 \
	-j NFQUEUE --queue-num ${NETFILTER_OUTPUT_NFQUEUE} -w

	# Send incoming UDP traffic (which has not passed any other rules) to the
	# user-space filter to test whether it was a reply to outgoing DIAL protocol
	# traffic.
	iptables -A INPUT -p udp -j NFQUEUE \
	--queue-num ${NETFILTER_INPUT_NFQUEUE} -w
	fi
	} 2>&1 \| logger --priority daemon.info -t ${UPSTART_JOB}
	end script