2015-08-30 16:27:14 +02:00
|
|
|
#!/bin/bash
|
2017-09-30 03:17:14 +02:00
|
|
|
# shellcheck disable=SC2154
|
2015-08-30 16:27:14 +02:00
|
|
|
#set -x
|
|
|
|
|
2016-11-01 00:14:46 +01:00
|
|
|
undetectable_netvm_ips=
|
2015-08-30 16:27:14 +02:00
|
|
|
|
|
|
|
netns="${vif}-nat"
|
|
|
|
netvm_if="${vif}"
|
|
|
|
netns_netvm_if="${vif}-p"
|
|
|
|
netns_appvm_if="${vif}"
|
|
|
|
|
2016-10-29 22:28:57 +02:00
|
|
|
#
|
|
|
|
# .----------------------------------.
|
|
|
|
# | NetVM/ProxyVM |
|
|
|
|
# .------------.|.------------------. |
|
|
|
|
# | AppVM ||| $netns namespace | |
|
|
|
|
# | ||| | |
|
|
|
|
# | eth0<--------->$netns_appvm_if | |
|
|
|
|
# |$appvm_ip ||| $appvm_gw_ip | |
|
|
|
|
# |$appvm_gw_ip||| ^ | |
|
|
|
|
# '------------'|| |NAT | |
|
|
|
|
# || v | |
|
|
|
|
# || $netns_netvm_if<--->$netvm_if |
|
|
|
|
# || $netvm_ip | $netvm_gw_ip|
|
|
|
|
# |'------------------' |
|
|
|
|
# '----------------------------------'
|
|
|
|
#
|
|
|
|
|
2020-11-19 18:16:15 +01:00
|
|
|
readonly netvm_mac=fe:ff:ff:ff:ff:ff
|
2016-10-29 22:28:57 +02:00
|
|
|
|
2015-08-30 16:27:14 +02:00
|
|
|
function run
|
|
|
|
{
|
2016-10-29 14:45:36 +02:00
|
|
|
#echo "$@" >> /var/log/qubes-nat.log
|
|
|
|
"$@"
|
2015-08-30 16:27:14 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
function netns
|
|
|
|
{
|
2020-11-19 18:10:26 +01:00
|
|
|
if [[ "$1" = 'ip' ]]; then
|
|
|
|
shift
|
|
|
|
run ip -n "$netns" "$@"
|
|
|
|
else
|
|
|
|
run ip netns exec "$netns" "$@"
|
|
|
|
fi
|
2015-08-30 16:27:14 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
run ip addr flush dev "$netns_appvm_if"
|
|
|
|
run ip netns delete "$netns" || :
|
|
|
|
|
|
|
|
if test "$command" == online; then
|
2016-10-29 14:45:36 +02:00
|
|
|
run ip netns add "$netns"
|
|
|
|
run ip link set "$netns_appvm_if" netns "$netns"
|
2015-08-30 16:27:14 +02:00
|
|
|
|
2016-10-31 00:55:59 +01:00
|
|
|
# keep the same MAC as the real vif interface, so NetworkManager will still
|
2020-11-19 18:04:02 +01:00
|
|
|
# ignore it.
|
|
|
|
# for the peer interface, make sure that it has the same MAC address
|
|
|
|
# as the actual VM, so that our neighbor entry works.
|
|
|
|
run ip link add name "$netns_netvm_if" address "$mac" type veth \
|
2020-11-19 18:16:15 +01:00
|
|
|
peer name "$netvm_if" address "$netvm_mac"
|
2020-11-19 18:04:02 +01:00
|
|
|
run ip link set dev "$netns_netvm_if" netns "$netns"
|
2015-08-30 16:27:14 +02:00
|
|
|
|
2016-10-29 14:45:36 +02:00
|
|
|
netns ip6tables -t raw -I PREROUTING -j DROP
|
|
|
|
netns ip6tables -P INPUT DROP
|
|
|
|
netns ip6tables -P FORWARD DROP
|
|
|
|
netns ip6tables -P OUTPUT DROP
|
2015-08-30 16:27:14 +02:00
|
|
|
|
2016-10-29 14:45:36 +02:00
|
|
|
netns sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
|
2015-08-30 16:27:14 +02:00
|
|
|
|
2016-10-29 14:45:36 +02:00
|
|
|
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" ! -s "$appvm_ip" -j DROP
|
2015-08-30 16:27:14 +02:00
|
|
|
|
2016-10-29 14:45:36 +02:00
|
|
|
if test -n "$undetectable_netvm_ips"; then
|
|
|
|
# prevent an AppVM connecting to its own ProxyVM IP because that makes the internal IPs detectable even with no firewall rules
|
|
|
|
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_ip" -j DROP
|
2015-08-30 16:27:14 +02:00
|
|
|
|
2016-10-29 14:45:36 +02:00
|
|
|
# same for the gateway/DNS IPs
|
|
|
|
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_gw_ip" -j DROP
|
2016-11-01 00:14:46 +01:00
|
|
|
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_dns1_ip" -j DROP
|
2016-10-29 14:45:36 +02:00
|
|
|
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_dns2_ip" -j DROP
|
|
|
|
fi
|
2015-08-30 16:27:14 +02:00
|
|
|
|
2016-10-29 14:45:36 +02:00
|
|
|
netns iptables -t nat -I PREROUTING -i "$netns_netvm_if" -j DNAT --to-destination "$appvm_ip"
|
|
|
|
netns iptables -t nat -I POSTROUTING -o "$netns_netvm_if" -j SNAT --to-source "$netvm_ip"
|
2015-08-30 16:27:14 +02:00
|
|
|
|
2016-10-29 14:45:36 +02:00
|
|
|
netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_gw_ip" -j DNAT --to-destination "$netvm_gw_ip"
|
|
|
|
netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_gw_ip" -j SNAT --to-source "$appvm_gw_ip"
|
2015-08-30 16:27:14 +02:00
|
|
|
|
2016-11-01 00:14:46 +01:00
|
|
|
if test -n "$appvm_dns1_ip"; then
|
|
|
|
netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_dns1_ip" -j DNAT --to-destination "$netvm_dns1_ip"
|
|
|
|
netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_dns1_ip" -j SNAT --to-source "$appvm_dns1_ip"
|
|
|
|
fi
|
|
|
|
|
2016-10-29 14:45:36 +02:00
|
|
|
if test -n "$appvm_dns2_ip"; then
|
|
|
|
netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_dns2_ip" -j DNAT --to-destination "$netvm_dns2_ip"
|
|
|
|
netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_dns2_ip" -j SNAT --to-source "$appvm_dns2_ip"
|
|
|
|
fi
|
2015-08-30 16:27:14 +02:00
|
|
|
|
2020-11-19 18:04:02 +01:00
|
|
|
netns ip neighbour add to "$appvm_ip" dev "$netns_appvm_if" lladdr "$mac" nud permanent
|
2020-11-19 18:16:15 +01:00
|
|
|
netns ip neighbour add to "$netvm_ip" dev "$netns_netvm_if" lladdr "$netvm_mac" nud permanent
|
2016-11-01 00:22:19 +01:00
|
|
|
netns ip addr add "$netvm_ip" dev "$netns_netvm_if"
|
2016-10-29 14:45:36 +02:00
|
|
|
netns ip addr add "$appvm_gw_ip" dev "$netns_appvm_if"
|
2015-08-30 16:27:14 +02:00
|
|
|
|
2016-10-29 14:45:36 +02:00
|
|
|
netns ip link set "$netns_netvm_if" up
|
|
|
|
netns ip link set "$netns_appvm_if" up
|
2015-08-30 16:27:14 +02:00
|
|
|
|
2016-10-29 14:45:36 +02:00
|
|
|
netns ip route add "$appvm_ip" dev "$netns_appvm_if" src "$appvm_gw_ip"
|
2016-11-01 00:22:19 +01:00
|
|
|
netns ip route add "$netvm_gw_ip" dev "$netns_netvm_if" src "$netvm_ip"
|
2016-10-29 14:45:36 +02:00
|
|
|
netns ip route add default via "$netvm_gw_ip" dev "$netns_netvm_if" src "$netvm_ip"
|
2015-08-30 16:27:14 +02:00
|
|
|
fi
|