Explicitly allow inbound traffic on FORWARD chain

Nested warden forwards both inbound and outbound traffic on interfaces that match the "w-+" wildcard. This means that inbound traffic is dropped by default. This change makes sure that traffic that comes in via the default outbound interface is always allowed.
cloudfoundry-attic · Apr 5, 2013 · b1cb5f3 · b1cb5f3
1 parent e932f25
commit b1cb5f3
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/warden/root/linux/net.sh b/warden/root/linux/net.sh
@@ -100,7 +100,12 @@ function setup_filter() {
     iptables -A ${filter_default_chain} --destination "$n" --jump DROP
   done
 
+  # Forward outbound traffic via ${filter_forward_chain}
   iptables -A FORWARD -i w-+ --jump ${filter_forward_chain}
+
+  # Forward inbound traffic immediately
+  default_interface=$(ip route show | grep default | cut -d' ' -f5 | head -1)
+  iptables -I ${filter_forward_chain} -i $default_interface --jump ACCEPT
 }
 
 function teardown_nat() {

diff --git a/warden/root/linux/skeleton/net.sh b/warden/root/linux/skeleton/net.sh
@@ -38,7 +38,7 @@ function setup_filter() {
     --goto ${filter_default_chain}
 
   # Bind instance chain to forward chain
-  iptables -I ${filter_forward_chain} \
+  iptables -I ${filter_forward_chain} 2 \
     --in-interface ${network_host_iface} \
     --goto ${filter_instance_chain}
 }