iptables: Create LOOPBACK chain.

This chain accepts all communication on the loopback
interface without running it through the entire connection
tracking first.

Packets on lo can never be blocked and must always be
accepted. The firewall has to trust itself anyway.

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 000d3252d87cbdbbe7663f863fd8121d1732e521..5d66c60b40b19e973fbc5040e3799d981b6868d0 100644 (file)
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -116,15 +116,19 @@ iptables_init() {
        /sbin/iptables -A INPUT -j GUIINPUT
        /sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
 
+       # Accept everything on loopback
+       /sbin/iptables -N LOOPBACK
+       /sbin/iptables -A LOOPBACK -i lo -j ACCEPT
+       /sbin/iptables -A LOOPBACK -o lo -j ACCEPT
+
+       /sbin/iptables -A INPUT  -j LOOPBACK
+       /sbin/iptables -A OUTPUT -j LOOPBACK
+
        # Accept everything connected
        for i in INPUT FORWARD OUTPUT; do
                /sbin/iptables -A ${i} -j CONNTRACK
        done
 
-       # Accept everything on lo
-       iptables -A INPUT  -i lo -m conntrack --ctstate NEW -j ACCEPT
-       iptables -A OUTPUT -o lo -m conntrack --ctstate NEW -j ACCEPT
-       
        # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
        /sbin/iptables -N IPSECINPUT
        /sbin/iptables -N IPSECFORWARD