Qubes/core-admin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

proxyvm: use "conntrack" iptables module instead of deprecated "state"

Browse Source
This commit is contained in:
Marek Marczykowski-Górecki 2014-03-27 17:15:59 +01:00
parent 04f86c7059
commit d1fbd9c59d
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
core-modules/006QubesProxyVm.py
View File

@ -126,12 +126,14 @@ class QubesProxyVm(QubesNetVm):
# Strict INPUT rules
iptables += "-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP\n"
iptables += "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
iptables += "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED " \
"-j ACCEPT\n"
iptables += "-A INPUT -p icmp -j ACCEPT\n"
iptables += "-A INPUT -i lo -j ACCEPT\n"
iptables += "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n"
iptables += "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
iptables += "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED " \
"-j ACCEPT\n"
# Allow dom0 networking
iptables += "-A FORWARD -i vif0.0 -j ACCEPT\n"
# Deny inter-VMs networking