#!/system/bin/sh
#
# Set up default firewall rules.
#
# Installs a default-DROP policy on every built-in chain for both IPv4
# (iptables) and IPv6 (ip6tables), then adds a small set of explicit ACCEPT
# rules, and finally raises the firewall.init property to signal completion.
# Intended for an Android-style system (uses setprop).

# Directory holding the iptables and ip6tables binaries.
BINPATH="/system/bin"
| |
# IPv4 only rules.

# Accept all inbound ICMP on IPv4. Echo rate limiting is not done here
# (the caller notes it is left to the kernel).
# Globals: BINPATH (read)
# -w makes iptables wait for the xtables lock instead of failing.
iptables_icmp_setup() {
  "${BINPATH}/iptables" -A INPUT -p icmp -j ACCEPT -w
}
| |
# Accept inbound mDNS on IPv4: UDP to the multicast group 224.0.0.251,
# destination port 5353. Only the INPUT direction is opened here; replies
# go out via the OUTPUT rules installed by the caller.
# Globals: BINPATH (read)
iptables_mdns_setup() {
  "${BINPATH}/iptables" -A INPUT -p udp --destination 224.0.0.251 --dport 5353 -j ACCEPT -w
}
# IPv6 only rules.

# Accept ICMPv6 in both directions.
# Inbound: all ICMPv6 (echo, neighbor solicitation/advertisement, etc.).
# Outbound: all ICMPv6 — IPv6 depends on it for neighbor discovery and
# address configuration, so it must not be caught by the OUTPUT DROP policy.
# Globals: BINPATH (read)
ip6tables_icmp_setup() {
  "${BINPATH}/ip6tables" -A INPUT -p ipv6-icmp -j ACCEPT -w
  "${BINPATH}/ip6tables" -A OUTPUT -p ipv6-icmp -j ACCEPT -w
}
# Accept inbound mDNS on IPv6: UDP to the link-local multicast group
# FF02::FB, destination port 5353.
# Globals: BINPATH (read)
ip6tables_mdns_setup() {
  "${BINPATH}/ip6tables" -A INPUT -p udp --destination FF02::FB --dport 5353 -j ACCEPT -w
}
# Install all IPv4 and IPv6 rules.
#
# One pass per address family. Every command carries -w so iptables waits
# for the xtables lock instead of failing if another process holds it.
# Exit statuses are not checked: a rule that fails to install is silently
# skipped and the script carries on.
for iptables in ip{,6}tables; do
  iptables_bin="${BINPATH}/${iptables}"

  # Skip a family whose binary is not installed.
  if [ ! -x "${iptables_bin}" ]; then
    continue
  fi

  # Default policy DROP on every built-in chain. Everything below is an
  # explicit ACCEPT exception. -I inserts at the head of the chain, so the
  # final chain order is the reverse of the order written here; since all
  # rules are ACCEPT, their relative order does not change what is allowed.
  "${iptables_bin}" -P INPUT DROP -w
  "${iptables_bin}" -P FORWARD DROP -w
  "${iptables_bin}" -P OUTPUT DROP -w

  # Accept everything on the loopback interface, both directions.
  "${iptables_bin}" -I INPUT -i lo -j ACCEPT -w
  "${iptables_bin}" -I OUTPUT -o lo -j ACCEPT -w

  # Accept inbound packets belonging to (or related to) a connection that
  # was already accepted.
  "${iptables_bin}" -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -w

  # Accept icmp echo (NB: icmp echo ratelimiting is done by the kernel).
  # Dispatches to iptables_icmp_setup / ip6tables_icmp_setup by name.
  "${iptables}_icmp_setup"

  # Accept new and return traffic outbound: the host may open any
  # connection; only unsolicited inbound traffic is dropped.
  "${iptables_bin}" -I OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -w

  # Accept inbound mDNS traffic (per-family helper).
  "${iptables}_mdns_setup"

  # Accept DHCP traffic (communicating as either client or server).
  # NOTE(review): 67/68 are the IPv4 DHCP ports. The same rule is applied
  # to ip6tables, where DHCPv6 uses UDP 546/547 instead, so this rule
  # matches no DHCPv6 traffic — confirm whether that is intended.
  "${iptables_bin}" -I INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT -w
  "${iptables_bin}" -I OUTPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT -w
done
# Set completion property.
#
# Signals that this script has finished. It is raised unconditionally —
# including when a rule above failed to install or a family's binary was
# missing — so it means "the script ran", not "every rule is in place".
setprop 'firewall.init' '1'