From d4e80e79842f99e4fb7b2197664d917f6772c162 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Wed, 6 Apr 2011 10:32:20 +0200
Subject: [PATCH] Deny inter-VM traffic in ProxyVM
---
 dom0/qvm-core/qubes.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index 3ac19b80..9cb438d2 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -1392,8 +1392,11 @@ class QubesProxyVm(QubesNetVm):
 iptables += "-A INPUT -i lo -j ACCEPT\n"
 iptables += "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n"
+ iptables += "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
 # Allow dom0 networking
 iptables += "-A FORWARD -i vif0.0 -j ACCEPT\n"
+ # Deny inter-VMs networking
+ iptables += "-A FORWARD -i vif+ -o vif+ -j DROP\n"
 vms = [vm for vm in self.connected_vms.values()]
 for vm in vms:
@@ -1441,7 +1444,6 @@ class QubesProxyVm(QubesNetVm):
 iptables += "-A FORWARD -i vif{0}.0 -j {1}\n".format(xid, default_action)
 iptables += "#End of VM rules\n"
- iptables += "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
 iptables += "-A FORWARD -j DROP\n"
 iptables += "COMMIT"
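Review bot: Moving `-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT` from the tail of the FORWARD chain (second hunk) to its head (first hunk) means the per-VM rules `-A FORWARD -i vif{0}.0 -j {1}` now only ever see NEW connections, so a flow that was once accepted keeps passing even after this chain is regenerated with a VM's `default_action` set to DROP; before the patch such a flow hit the per-VM DROP first. If the ruleset is rebuilt when a VM's firewall policy changes (not visible here), a tightening will not cut existing connections until their conntrack entries expire — either keep the state rule after the per-VM rules, or flush the affected conntrack entries when reloading, and say which is intended in a comment. Separately, `vif+` as the output interface also matches `vif0.0`, so the new DROP rule blocks VMs from initiating connections toward dom0 as well, which the title and comment do not mention; suggested comment: `# Deny inter-VM networking (vif+ also matches vif0.0: VMs may not initiate connections to dom0)`. The enclosing method begins and ends outside both hunks.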