From f0de081faf2a2f7cab982791e10230dc71c6306a Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Thu, 18 Aug 2011 15:02:30 +0200
Subject: [PATCH 1/4] proxyvm: allow for user defined hooks after iptables restore

---
 proxyvm/bin/qubes_firewall | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/proxyvm/bin/qubes_firewall b/proxyvm/bin/qubes_firewall
index 13f5ba24..17761b2e 100755
--- a/proxyvm/bin/qubes_firewall
+++ b/proxyvm/bin/qubes_firewall
@@ -35,4 +35,7 @@ while true; do
 # If OK save it for later
 /sbin/service iptables save >/dev/null
 fi
+
+ # Check if user didn't define some custom rules to be applied as well...
+ [ -x /rw/config/qubes_firewall_user_script ] && /rw/config/qubes_firewall_user_script
 done

From 203b55ee0aedd0e7d6852c38ebb144f97fe66fff Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Thu, 18 Aug 2011 15:49:49 +0200
Subject: [PATCH 2/4] vm: allow user-define hook for IP change event

This is especially useful for proxy VMs that e.g. run some transparent proxy service such as tor, and need to rebind it upon IP change (of course this assumes iptables-based transparent redirection such as DNAT).

---
 common/setup_ip | 1 +
 1 file changed, 1 insertion(+)

diff --git a/common/setup_ip b/common/setup_ip
index ad42cf46..43d14395 100755
--- a/common/setup_ip
+++ b/common/setup_ip
@@ -19,6 +19,7 @@ if [ x$ip != x ]; then
 echo "NS1=$gateway" > /var/run/qubes/qubes_ns
 echo "NS2=$secondary_dns" >> /var/run/qubes/qubes_ns
 /usr/lib/qubes/qubes_setup_dnat_to_ns
+ [ -x /rw/config/qubes_ip_change_hook ] && /rw/config/qubes_ip_change_hook
 fi
 fi

From 9d380bdd0d3fa49c0737585fbb4e03f902bbf678 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Thu, 18 Aug 2011 18:04:38 +0200
Subject: [PATCH 3/4] proxyvm: remove unused code

---
 proxyvm/bin/qubes_firewall | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/proxyvm/bin/qubes_firewall b/proxyvm/bin/qubes_firewall
index 17761b2e..6c7fe398 100755
--- a/proxyvm/bin/qubes_firewall
+++ b/proxyvm/bin/qubes_firewall
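Review bot: The user hook on the last added line of this hunk runs even when the preceding iptables-restore reported an error, whereas the `/sbin/service iptables save` two context lines above it is only executed in the success branch (the `-z "$OUT"` condition is visible in the third patch of this series); a user script that layers rules on top of a half-applied ruleset is likely to do the wrong thing, so guard it the same way and do not let `&&` swallow its exit status: `if [ -z "$OUT" ] && [ -x /rw/config/qubes_firewall_user_script ]; then` / `  /rw/config/qubes_firewall_user_script || echo "qubes_firewall_user_script failed" >&2` / `fi`. The hook appears to inherit the daemon's privileges (the same loop runs iptables-save/restore and the iptables service, presumably as root), and that contract is nowhere stated; a comment such as `# Executed with this daemon's privileges after every successful rule reload; no arguments are passed` above the call would tell users what they are opting into. The enclosing `while true` loop begins outside the hunk.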
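Review bot: The hook added after `/usr/lib/qubes/qubes_setup_dnat_to_ns` is invoked with no arguments and no exported variables, so a script that needs the new address (the commit's stated use case, rebinding a transparent proxy) has to rediscover it, even though `$ip`, `$gateway` and `$secondary_dns` are all in scope on the surrounding lines; pass them through, `[ -x /rw/config/qubes_ip_change_hook ] && /rw/config/qubes_ip_change_hook "$ip" "$gateway" "$secondary_dns"`, and note the argument order in a comment above the call. As with the firewall hook in the first patch, the `&&` form discards the script's exit status, so a failing hook is invisible; at minimum report it on stderr. The name suggests the hook fires only on an actual change, but from this hunk it runs on every pass through this branch whenever `$ip` is non-empty — whether setup_ip itself is only invoked on a change cannot be seen here, so the comment should say which it is. Both enclosing `if` blocks begin outside the hunk.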
@@ -31,10 +31,6 @@ while true; do
 if [ "$OUT" ]; then
 DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || :
 fi
- if [[ -z "$OUT" ]]; then
- # If OK save it for later
- /sbin/service iptables save >/dev/null
- fi
 
 # Check if user didn't define some custom rules to be applied as well...
 [ -x /rw/config/qubes_firewall_user_script ] && /rw/config/qubes_firewall_user_script

From c8f6f2e9fed010199cf660f58c201b3424de4ed6 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Thu, 18 Aug 2011 18:47:08 +0200
Subject: [PATCH 4/4] vm: disable forwarding when iptables rules are being (re)applied

---
 proxyvm/bin/qubes_firewall | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/proxyvm/bin/qubes_firewall b/proxyvm/bin/qubes_firewall
index 6c7fe398..5a60a07c 100755
--- a/proxyvm/bin/qubes_firewall
+++ b/proxyvm/bin/qubes_firewall
@@ -13,11 +13,20 @@ echo $$ >$PIDFILE
 trap 'exit 0' SIGTERM
 while true; do
+
+ echo "1" > /proc/sys/net/ipv4/ip_forward
+
 # Wait for changes in xenstore file
 /usr/bin/xenstore-watch-qubes $XENSTORE_IPTABLES
 TRIGGER=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES)
 if ! [ "$TRIGGER" = "reload" ]; then continue ; fi
+
+ # Disable forarding to prevent potential "leaks" that might
+ # be bypassing the firewall or some proxy service (e.g. tor)
+ # during the time when the rules are being (re)applied
+ echo "0" > /proc/sys/net/ipv4/ip_forward
+
 RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES_HEADER)
 IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d')
 OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || :`