# This file was auto-generated by Puppet. Do not edit by hand.
#
# Layout of this stanza: the "raw" table is committed first, then the
# "filter" table is opened and its generic rules are listed. Host-specific
# rules are appended after the last comment below; the rest of the filter
# table (including its COMMIT) is not part of this stanza.
#
# The raw table is used to disable connection tracking for DNS
# traffic, so it works even when the conntrack table fills.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Inbound: queries addressed to port 53 on this host, and replies
# (source port 53) to this host's own lookups.
-A PREROUTING -p udp -m udp --dport 53 -j CT --notrack
-A PREROUTING -p udp -m udp --sport 53 -j CT --notrack
# Outbound: this host's own queries, and any replies it serves from port 53.
-A OUTPUT -p udp -m udp --dport 53 -j CT --notrack
-A OUTPUT -p udp -m udp --sport 53 -j CT --notrack
COMMIT
*filter
# NOTE(review): no chain policy lines (":INPUT ...", ":FORWARD ...",
# ":OUTPUT ...") appear before these rules, so the filter chains keep
# whatever policy is declared later in the file or is already loaded --
# confirm that INPUT and FORWARD end up with a DROP policy.
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Accept all loopback traffic
-A INPUT -i lo -j ACCEPT
# Drop all traffic to loopback IPs on other interfaces
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
# Accept incoming traffic related to established connections, or the
# untracked port-53-UDP set up above. See iptables-extensions(8) for
# the --state flag. INVALID and NEW packets are not accepted here; they
# fall through to the rules that follow and, ultimately, the chain policy.
#
# NOTE(review): UNTRACKED matches every packet the raw table exempted,
# which is broader than "DNS replies": an inbound UDP datagram with
# *source* port 53 is accepted by this rule whatever its destination port,
# with no conntrack check, and inbound UDP to destination port 53 is
# accepted whether or not this host actually runs a resolver. Because this
# ACCEPT precedes the host-specific rules, those rules cannot narrow it.
# If the upstream resolvers are known, restricting the PREROUTING
# "--sport 53" exemption with "-s <resolver-ip>" (placeholder) confines the
# UNTRACKED path to reply traffic from them; hosts that do not serve DNS
# may also not need the PREROUTING "--dport 53" exemption at all.
-A INPUT -m state --state ESTABLISHED,RELATED,UNTRACKED -j ACCEPT
# Host-specific rules follow: