Qubes/core-admin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'master' of git.qubes-os.org:/var/lib/qubes/git/marmarek/core

Browse Source
This commit is contained in:
Joanna Rutkowska 2011-04-06 10:40:51 +02:00
commit 102d5735e7
2 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
common/iptables
View File

@ -19,9 +19,9 @@ COMMIT
-A INPUT -p icmp -j ACCEPT -A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT -A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited -A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vif+ -o vif+ -j DROP -A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -i vif+ -j ACCEPT -A FORWARD -i vif+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP -A FORWARD -j DROP
COMMIT COMMIT
# Completed on Mon Sep 6 08:57:46 2010 # Completed on Mon Sep 6 08:57:46 2010

4
dom0/qvm-core/qubes.py
View File

@ -1392,8 +1392,11 @@ class QubesProxyVm(QubesNetVm):
iptables += "-A INPUT -i lo -j ACCEPT\n" iptables += "-A INPUT -i lo -j ACCEPT\n"
iptables += "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n" iptables += "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n"
iptables += "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
# Allow dom0 networking # Allow dom0 networking
iptables += "-A FORWARD -i vif0.0 -j ACCEPT\n" iptables += "-A FORWARD -i vif0.0 -j ACCEPT\n"
# Deny inter-VMs networking
iptables += "-A FORWARD -i vif+ -o vif+ -j DROP\n"
vms = [vm for vm in self.connected_vms.values()] vms = [vm for vm in self.connected_vms.values()]
for vm in vms: for vm in vms:
@ -1441,7 +1444,6 @@ class QubesProxyVm(QubesNetVm):
iptables += "-A FORWARD -i vif{0}.0 -j {1}\n".format(xid, default_action) iptables += "-A FORWARD -i vif{0}.0 -j {1}\n".format(xid, default_action)
iptables += "#End of VM rules\n" iptables += "#End of VM rules\n"
iptables += "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
iptables += "-A FORWARD -j DROP\n" iptables += "-A FORWARD -j DROP\n"
iptables += "COMMIT" iptables += "COMMIT"