webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-15 05:22:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

iptables: Create LOOPBACK chain.

Browse Source 
This chain accepts all communication on the loopback
interface without running it through the entire connection
tracking first.

Packets on lo can never be blocked and must always be
accepted. The firewall has to trust itself anyway.
This commit is contained in:
Michael Tremer
2013-07-08 15:21:04 +02:00
parent c0359d6dfb
commit afc611d448
1 changed files with 8 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/initscripts/init.d/firewall
View File

@@ -116,15 +116,19 @@ iptables_init() {
/sbin/iptables -A INPUT -j GUIINPUT
/sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
# Accept everything on loopback
/sbin/iptables -N LOOPBACK
/sbin/iptables -A LOOPBACK -i lo -j ACCEPT
/sbin/iptables -A LOOPBACK -o lo -j ACCEPT
/sbin/iptables -A INPUT -j LOOPBACK
/sbin/iptables -A OUTPUT -j LOOPBACK
# Accept everything connected
for i in INPUT FORWARD OUTPUT; do
/sbin/iptables -A ${i} -j CONNTRACK
done
# Accept everything on lo
iptables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o lo -m conntrack --ctstate NEW -j ACCEPT
# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
/sbin/iptables -N IPSECINPUT
/sbin/iptables -N IPSECFORWARD