From: Michael Tremer
Date: Mon, 8 Jul 2013 13:21:04 +0000 (+0200)
Subject: iptables: Create LOOPBACK chain.
X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=commitdiff_plain;h=afc611d448aee8eaaefa018dfb6acd4c6d6227a1;hp=c0359d6dfbba1124c5b2da60bc56947e7f21769a

iptables: Create LOOPBACK chain.

This chain accepts all communication on the loopback interface without running it through the entire connection tracking first. Packets on lo can never be blocked and must always be accepted. The firewall has to trust itself anyway.
---
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 000d3252d..5d66c60b4 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -116,15 +116,19 @@ iptables_init() {
 /sbin/iptables -A INPUT -j GUIINPUT
 /sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
 
+ # Accept everything on loopback
+ /sbin/iptables -N LOOPBACK
+ /sbin/iptables -A LOOPBACK -i lo -j ACCEPT
+ /sbin/iptables -A LOOPBACK -o lo -j ACCEPT
+
+ /sbin/iptables -A INPUT -j LOOPBACK
+ /sbin/iptables -A OUTPUT -j LOOPBACK
+
 # Accept everything connected
 for i in INPUT FORWARD OUTPUT; do
 /sbin/iptables -A ${i} -j CONNTRACK
 done
 
- # Accept everything on lo
- iptables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT
- iptables -A OUTPUT -o lo -m conntrack --ctstate NEW -j ACCEPT
-
 # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
 /sbin/iptables -N IPSECINPUT
 /sbin/iptables -N IPSECFORWARD
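Review bot: The new LOOPBACK chain is entered from both INPUT and OUTPUT, but the `-i lo` rule can only match during the INPUT traversal and the `-o lo` rule only during the OUTPUT traversal, so each jump effectively evaluates a single rule; the `# Accept everything on loopback` comment should say so, to stop the next reader from treating one rule as redundant or looking for a missing FORWARD hook. It is also worth stating that the match is on the interface, not on the 127.0.0.0/8 address range, because that is what makes accepting everything here safe: a packet carrying a loopback address that arrives on a physical interface is not matched and still traverses the regular chains, e.g. `# Accept everything on loopback (matched by interface: -i lo applies in INPUT, -o lo in OUTPUT; spoofed 127/8 on other interfaces is not covered)`. `/sbin/iptables -N LOOPBACK` fails with "Chain already exists" if the chain survives from a previous run, so iptables_init presumably flushes and deletes user chains earlier — that part of the function is outside the hunk and should be confirmed. The enclosing iptables_init() starts before this hunk and continues after it.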