Qubes/core-admin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'ticket_42'

Browse Source
This commit is contained in:
Joanna Rutkowska 2010-06-11 17:02:42 +02:00
commit 25a51566e4
3 changed files with 20 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
common/qubes_setup_dnat_to_ns
View File

@ -2,19 +2,23 @@
addrule() addrule()
{ {
if [ $FIRSTONE = yes ] ; then if [ $FIRSTONE = yes ] ; then
NS=$NS1
FIRSTONE=no FIRSTONE=no
RULE1="-A PREROUTING -d $NS1 -p udp --dport 53 -j DNAT --to $1"
else else
RULE2="-A PREROUTING -d $NS2 -p udp --dport 53 -j DNAT --to $1"
NS=$NS2 NS=$NS2
fi fi
iptables -A PREROUTING -t nat -d $NS -p udp --dport 53 -j DNAT \
--to "$1"
} }
export PATH=$PATH:/sbin:/bin export PATH=$PATH:/sbin:/bin
source /var/run/qubes_ns source /var/run/qubes_ns
if [ "X"$NS1 = "X" ] ; then exit ; fi if [ "X"$NS1 = "X" ] ; then exit ; fi
iptables -t nat -F PREROUTING iptables -t nat -F PREROUTING
FIRSTONE=yes FIRSTONE=yes
grep ^nameserver /etc/resolv.conf | head -2 | while read x y z ; do grep ^nameserver /etc/resolv.conf | head -2 |
addrule "$y" (
done while read x y z ; do
addrule "$y"
done
(echo "*nat"; echo $RULE1; echo $RULE2; echo COMMIT) | iptables-restore -n
)

16
netvm/iptables
View File

@ -1,13 +1,15 @@
# Generated by iptables-save v1.4.5 on Thu May 20 06:02:32 2010 # Generated by iptables-save v1.4.5 on Fri Jun 4 07:17:12 2010
*nat *nat
:PREROUTING ACCEPT [2:362] :PREROUTING ACCEPT [8:818]
:POSTROUTING ACCEPT [4:228] :POSTROUTING ACCEPT [1:84]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
-A POSTROUTING -o br+ -j ACCEPT
-A POSTROUTING -j MASQUERADE
COMMIT COMMIT
# Completed on Thu May 20 06:02:32 2010 # Completed on Fri Jun 4 07:17:12 2010
# Generated by iptables-save v1.4.5 on Thu May 20 06:02:32 2010 # Generated by iptables-save v1.4.5 on Fri Jun 4 07:17:12 2010
*filter *filter
:INPUT ACCEPT [3:84] :INPUT ACCEPT [168:4704]
:FORWARD ACCEPT [0:0] :FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
-A INPUT -i br+ -p udp -m udp --dport 68 -j DROP -A INPUT -i br+ -p udp -m udp --dport 68 -j DROP
@ -17,4 +19,4 @@ COMMIT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP -A FORWARD -j DROP
COMMIT COMMIT
# Completed on Thu May 20 06:02:32 2010 # Completed on Fri Jun 4 07:17:12 2010

3
netvm/qubes_core
View File

@ -35,8 +35,7 @@ start()
#now done by iptables rc script #now done by iptables rc script
# iptables -t nat -A POSTROUTING -s $network/$netmask -j MASQUERADE # iptables -t nat -A POSTROUTING -s $network/$netmask -j MASQUERADE
#no, we cannot put ip-dependent stuff in sysconfig/iptables #no, we cannot put ip-dependent stuff in sysconfig/iptables
iptables -t nat -A POSTROUTING -s $network/$netmask -d 224.0.0.0/8 -j ACCEPT #so make it ip-independent
iptables -t nat -A POSTROUTING -s $network/$netmask \! -d $network/$netmask -j MASQUERADE
success success
echo "" echo ""
return 0 return 0