# This file was auto-generated by Puppet. Do not edit by hand.
# The raw table is used to disable connection tracking for DNS
# traffic, so it works even when the conntrack table fills.
# Only UDP/53 is exempted below; DNS over TCP (port 53) is not matched
# here and therefore still goes through connection tracking.
*raw
# Chain policies (ACCEPT) with packet/byte counters reset to zero.
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Inbound DNS queries addressed to this host are never entered into conntrack.
-A PREROUTING -p udp -m udp --dport 53 -j CT --notrack
# Inbound packets *from* port 53 (DNS replies) are never entered into conntrack.
# NOTE(review): this matches on the source port alone, with no restriction on
# the destination port or on which resolver sent the packet. Because the filter
# INPUT chain in this file ACCEPTs the UNTRACKED state before any host-specific
# rules, any inbound UDP packet that merely claims source port 53 is accepted
# regardless of its destination port. Confirm this exposure is intended, or
# narrow the rule (e.g. to the configured resolvers' addresses).
-A PREROUTING -p udp -m udp --sport 53 -j CT --notrack
# Locally generated DNS queries.
-A OUTPUT -p udp -m udp --dport 53 -j CT --notrack
# Locally generated packets from port 53 -- presumably replies from a DNS
# server running on this host; confirm whether one is deployed here.
-A OUTPUT -p udp -m udp --sport 53 -j CT --notrack
COMMIT
*filter
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Accept all loopback traffic
-A INPUT -i lo -j ACCEPT
# Drop all traffic to loopback IPs on other interfaces
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
# Accept incoming packets that belong to an established connection (or are
# related to one), plus every packet the raw table above left untracked,
# i.e. any inbound UDP packet with source port 53 or destination port 53,
# whatever its other port. See iptables-extensions(8) for the --state flag.
# INVALID and NEW packets do not match this rule; it does not drop them
# itself -- they fall through to the rules below and, failing those, to the
# INPUT chain policy.
-A INPUT -m state --state ESTABLISHED,RELATED,UNTRACKED -j ACCEPT
# Host-specific rules follow: