
Explicitly allow inbound traffic on FORWARD chain

Nested warden forwards both inbound and outbound traffic on interfaces
that match the "w-+" wildcard. This means that inbound traffic is
dropped by default. This change makes sure that traffic that comes in
via the default outbound interface is always allowed.
1 parent e932f25 commit b1cb5f393c9ccfe7a46cabc2117dc8126e24fb77 David Sabeti and Pieter Noordhuis committed Apr 5, 2013
Showing with 6 additions and 1 deletion.
  1. +5 −0 warden/root/linux/net.sh
  2. +1 −1 warden/root/linux/skeleton/net.sh
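--- a/warden/root/linux/net.sh
+++ b/warden/root/linux/net.sh
@@ -100,7 +100,12 @@ function setup_filter() {
 iptables -A ${filter_default_chain} --destination "$n" --jump DROP
 done
+ # Forward outbound traffic via ${filter_forward_chain}
 iptables -A FORWARD -i w-+ --jump ${filter_forward_chain}
+
+ # Forward inbound traffic immediately
+ default_interface=$(ip route show | grep default | cut -d' ' -f5 | head -1)
+ iptables -I ${filter_forward_chain} -i $default_interface --jump ACCEPT
 }
 function teardown_nat() {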
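Review bot: The default-interface lookup in `default_interface=$(ip route show | grep default | cut -d' ' -f5 | head -1)` is brittle and its result is used unquoted on the next line. `grep default` matches any route line containing that word, field 5 is the device name only when the route is printed in the `default via <gw> dev <if>` form (a route printed as `default dev <if> ...` yields the wrong field), and when the lookup returns nothing the next line becomes `iptables -I ... -i --jump ACCEPT`, which iptables rejects; whether that aborts setup or is silently skipped depends on the script's error handling, which is not visible in the hunk. Since this ACCEPT rule at position 1 is what admits all inbound forwarded traffic into the containers, the lookup should select the `dev` field explicitly and the script should stop when it is empty, e.g. `default_interface=$(ip route show default | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }')`, `[ -n "$default_interface" ] || { echo "no default interface found" >&2; exit 1; }`, and `iptables -I ${filter_forward_chain} -i "$default_interface" --jump ACCEPT`. setup_filter starts outside the hunk.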
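--- a/warden/root/linux/skeleton/net.sh
+++ b/warden/root/linux/skeleton/net.sh
@@ -38,7 +38,7 @@ function setup_filter() {
 --goto ${filter_default_chain}
 # Bind instance chain to forward chain
- iptables -I ${filter_forward_chain} \
+ iptables -I ${filter_forward_chain} 2 \
 --in-interface ${network_host_iface} \
 --goto ${filter_instance_chain}
 }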
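Review bot: The hard-coded index in `iptables -I ${filter_forward_chain} 2 \` couples this file to the ACCEPT rule that warden/root/linux/net.sh inserts at position 1 of the same chain, and nothing here states that dependency. iptables refuses an insert at index 2 into a chain that holds no rule yet ("Index of insertion too big"), so if that rule was not created the instance chain is never bound to the forward chain. The assumption deserves a comment next to the rule, e.g. `# Position 2: must follow the inbound ACCEPT rule that net.sh inserts at position 1 of ${filter_forward_chain}`. Whether that rule is guaranteed to exist by the time this runs cannot be confirmed from the hunk; setup_filter starts outside it.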
