vm/iptables: block IPv6 traffic
IPv6 isn't properly handled by Qubes VMs yet, so block it in all the VMs. Also restrict access to the firewall config.
This commit is contained in:
		
							parent
							
								
									3839c15655
								
							
						
					
					
						commit
						6345c4570a
					
				
							
								
								
									
										8
									
								
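--- a/network/ip6tables
+++ b/network/ip6tables
@@ -0,0 +1,8 @@
+# Generated by ip6tables-save v1.4.14 on Tue Sep 25 16:00:20 2012
+*filter
+:INPUT DROP [1:72]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i lo -j ACCEPT
+COMMIT
+# Completed on Tue Sep 25 16:00:20 2012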
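Review bot: The new ruleset blocks IPv6 only inbound and forwarded; `:OUTPUT ACCEPT [0:0]` still lets the VM emit IPv6 itself (neighbor discovery, multicast, link-local traffic on a NetVM's physical interface), which is narrower than the commit title's "block IPv6 traffic". If the intent is that no IPv6 leaves the VM either, set the policy to `:OUTPUT DROP [0:0]` and add `-A OUTPUT -o lo -j ACCEPT` next to the existing loopback rule so local services keep working. Whether anything in the VM relies on outbound IPv6 beyond loopback cannot be told from this page, so the stricter policy should be confirmed against the intended per-VM behaviour before being applied.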
@ -139,7 +139,8 @@ ln -s /usr/lib/qubes/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes
 | 
			
		||||
install -d $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
 | 
			
		||||
install network/{qubes_nmhook,30-qubes_external_ip} $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
 | 
			
		||||
install -D network/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts/vif-route-qubes
 | 
			
		||||
install -m 0644 -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables
 | 
			
		||||
install -m 0400 -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables
 | 
			
		||||
install -m 0400 -D network/ip6tables $RPM_BUILD_ROOT/etc/sysconfig/ip6tables
 | 
			
		||||
install -m 0644 -D network/tinyproxy-qubes-yum.conf $RPM_BUILD_ROOT/etc/tinyproxy/tinyproxy-qubes-yum.conf
 | 
			
		||||
install -m 0644 -D network/filter-qubes-yum $RPM_BUILD_ROOT/etc/tinyproxy/filter-qubes-yum
 | 
			
		||||
 | 
			
		||||
@ -371,6 +372,7 @@ rm -rf $RPM_BUILD_ROOT
 | 
			
		||||
/etc/qubes_rpc/qubes.SuspendPost
 | 
			
		||||
/etc/sudoers.d/qubes
 | 
			
		||||
/etc/sysconfig/iptables
 | 
			
		||||
/etc/sysconfig/ip6tables
 | 
			
		||||
/etc/sysconfig/modules/qubes_core.modules
 | 
			
		||||
/etc/tinyproxy/filter-qubes-yum
 | 
			
		||||
/etc/tinyproxy/tinyproxy-qubes-yum.conf
 | 
			
		||||
@ -489,6 +491,7 @@ chkconfig rsyslog on
 | 
			
		||||
chkconfig haldaemon on
 | 
			
		||||
chkconfig messagebus on
 | 
			
		||||
chkconfig iptables on
 | 
			
		||||
chkconfig ip6tables on
 | 
			
		||||
chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!"
 | 
			
		||||
chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!"
 | 
			
		||||
chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core_netvm!"
 | 
			
		||||
@ -610,6 +613,7 @@ rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service
 | 
			
		||||
 | 
			
		||||
# Enable some services
 | 
			
		||||
/bin/systemctl enable iptables.service 2> /dev/null
 | 
			
		||||
/bin/systemctl enable ip6tables.service 2> /dev/null
 | 
			
		||||
/bin/systemctl enable rsyslog.service 2> /dev/null
 | 
			
		||||
/bin/systemctl enable ntpd.service 2> /dev/null
 | 
			
		||||
# Disable original service to enable overriden one
 | 
			
		||||
 | 
			
		||||