Unify dom0 and netvm sysconfig/iptables

Plus: - dedicated chain for DNAT to nameservers - prevent intervm networking. Can be conveniently overriden in necessary cases by inserting ACCEPT clauses (per VM, probably) at the top of FORWARD
2010-09-06 15:10:01 +02:00 · 2010-09-06 15:10:01 +02:00 · 64e8013dc2
commit 64e8013dc2
parent 8317c2ca18
6 changed files with 32 additions and 52 deletions
--- a/common/iptables
+++ b/common/iptables
@ -0,0 +1,27 @@
+# Generated by iptables-save v1.4.5 on Mon Sep  6 08:57:46 2010
+*nat
+:PREROUTING ACCEPT [85:5912]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PR-QBS - [0:0]
+-A PREROUTING -j PR-QBS
+-A POSTROUTING -o vif+ -j ACCEPT
+-A POSTROUTING -j MASQUERADE
+COMMIT
+# Completed on Mon Sep  6 08:57:46 2010
+# Generated by iptables-save v1.4.5 on Mon Sep  6 08:57:46 2010
+*filter
+:INPUT ACCEPT [168:11399]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [128:12536]
+-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -i vif+ -o vif+ -j DROP
+-A FORWARD -i vif+ -j ACCEPT
+-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -j DROP
+COMMIT
+# Completed on Mon Sep  6 08:57:46 2010
--- a/common/qubes_setup_dnat_to_ns
+++ b/common/qubes_setup_dnat_to_ns
@ -3,16 +3,16 @@ addrule()
 {
        if [ $FIRSTONE = yes ] ; then
                FIRSTONE=no
-                RULE1="-A PREROUTING -d $NS1 -p udp --dport 53 -j DNAT --to $1"
+                RULE1="-A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $1"
        else
-                RULE2="-A PREROUTING -d $NS2 -p udp --dport 53 -j DNAT --to $1"
+                RULE2="-A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $1"
                NS=$NS2
        fi
 }
 export PATH=$PATH:/sbin:/bin
 source /var/run/qubes/qubes_ns
 if [ "X"$NS1 = "X" ] ; then exit ; fi
-iptables -t nat -F PREROUTING
+iptables -t nat -F PR-QBS
 FIRSTONE=yes
 grep ^nameserver /etc/resolv.conf | head -2 |
        (
--- a/dom0/init.d/iptables
+++ b/dom0/init.d/iptables
@ -1,25 +0,0 @@
-# Generated by iptables-save v1.4.5 on Mon May 31 14:15:17 2010
-*nat
-:PREROUTING ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/16 -d 224.0.0.0/8 -j ACCEPT 
-A POSTROUTING -s 10.0.0.0/16 ! -d 10.0.0.0/16 -j MASQUERADE 
-COMMIT
-# Completed on Mon May 31 14:15:17 2010
-# Generated by iptables-save v1.4.5 on Mon May 31 14:15:17 2010
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-A INPUT -i br+ -p udp -m udp --dport 68 -j DROP
-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -d 10.0.0.0/16 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -s 10.0.0.0/16 -i br0 -j ACCEPT 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
-COMMIT
-# Completed on Mon May 31 14:15:17 2010
--- a/netvm/iptables
+++ b/netvm/iptables
@ -1,22 +0,0 @@
-# Generated by iptables-save v1.4.5 on Fri Jun  4 07:17:12 2010
-*nat
-:PREROUTING ACCEPT [8:818]
-:POSTROUTING ACCEPT [1:84]
-:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o br+ -j ACCEPT
-A POSTROUTING -j MASQUERADE
-COMMIT
-# Completed on Fri Jun  4 07:17:12 2010
-# Generated by iptables-save v1.4.5 on Fri Jun  4 07:17:12 2010
-*filter
-:INPUT ACCEPT [168:4704]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-A INPUT -i br+ -p udp -m udp --dport 68 -j DROP
-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -i br+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
-COMMIT
-# Completed on Fri Jun  4 07:17:12 2010
--- a/rpm_spec/core-dom0.spec
+++ b/rpm_spec/core-dom0.spec
@ -102,7 +102,7 @@ ln -s /usr/lib/qubes/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes
 mkdir -p $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
 cp ../common/qubes_nmhook $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
 mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
-cp init.d/iptables $RPM_BUILD_ROOT/etc/sysconfig
+cp ../common/iptables $RPM_BUILD_ROOT/etc/sysconfig

 mkdir -p $RPM_BUILD_ROOT/usr/lib64/pm-utils/sleep.d
 cp pm-utils/01qubes-sync-vms-clock $RPM_BUILD_ROOT/usr/lib64/pm-utils/sleep.d/
--- a/rpm_spec/core-netvm.spec
+++ b/rpm_spec/core-netvm.spec
@ -53,7 +53,7 @@ fi
 %install

 mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
-cp iptables $RPM_BUILD_ROOT/etc/sysconfig
+cp ../common/iptables $RPM_BUILD_ROOT/etc/sysconfig
 mkdir -p $RPM_BUILD_ROOT/etc
 cp fstab $RPM_BUILD_ROOT/etc/fstab
 mkdir -p $RPM_BUILD_ROOT/etc/init.d