vm/iptables: block IPv6 traffic

This isn't properly handled by Qubes VMs yet, so block it in all the VMs. Also restrict access to firewall config.
2012-09-25 16:04:47 +02:00 · 2012-09-25 16:04:47 +02:00 · a90a21b8ff
commit a90a21b8ff
parent decf7ef648
2 changed files with 13 additions and 1 deletions
--- a/network/ip6tables
+++ b/network/ip6tables
@ -0,0 +1,8 @@
+# Generated by ip6tables-save v1.4.14 on Tue Sep 25 16:00:20 2012
+*filter
+:INPUT DROP [1:72]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i lo -j ACCEPT
+COMMIT
+# Completed on Tue Sep 25 16:00:20 2012
--- a/rpm_spec/core-vm.spec
+++ b/rpm_spec/core-vm.spec
@ -139,7 +139,8 @@ ln -s /usr/lib/qubes/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes
 install -d $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
 install network/{qubes_nmhook,30-qubes_external_ip} $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
 install -D network/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts/vif-route-qubes
-install -m 0644 -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables
+install -m 0400 -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables
+install -m 0400 -D network/ip6tables $RPM_BUILD_ROOT/etc/sysconfig/ip6tables
 install -m 0644 -D network/tinyproxy-qubes-yum.conf $RPM_BUILD_ROOT/etc/tinyproxy/tinyproxy-qubes-yum.conf
 install -m 0644 -D network/filter-qubes-yum $RPM_BUILD_ROOT/etc/tinyproxy/filter-qubes-yum

@ -371,6 +372,7 @@ rm -rf $RPM_BUILD_ROOT
 /etc/qubes_rpc/qubes.SuspendPost
 /etc/sudoers.d/qubes
 /etc/sysconfig/iptables
+/etc/sysconfig/ip6tables
 /etc/sysconfig/modules/qubes_core.modules
 /etc/tinyproxy/filter-qubes-yum
 /etc/tinyproxy/tinyproxy-qubes-yum.conf
@ -489,6 +491,7 @@ chkconfig rsyslog on
 chkconfig haldaemon on
 chkconfig messagebus on
 chkconfig iptables on
+chkconfig ip6tables on
 chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!"
 chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!"
 chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core_netvm!"
@ -610,6 +613,7 @@ rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service

 # Enable some services
 /bin/systemctl enable iptables.service 2> /dev/null
+/bin/systemctl enable ip6tables.service 2> /dev/null
 /bin/systemctl enable rsyslog.service 2> /dev/null
 /bin/systemctl enable ntpd.service 2> /dev/null
 # Disable original service to enable overriden one