Qubes/core-agent-linux
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

firewall: drop INVALID state TCP packets

Browse Source 
Packets detected as INVALID are ignored by NAT, so if they are not
dropped, packets with internal source IPs can leak to the outside
network.

See:

https://bugzilla.netfilter.org/show_bug.cgi?id=693
http://www.smythies.com/~doug/network/iptables_notes/

Fixes QubesOS/qubes-issues#5596.
This commit is contained in:
Pawel Marczewski 2020-01-24 10:02:28 +01:00
parent 3c1de3b4f4
commit 63d8065e4f
No known key found for this signature in database
GPG Key ID: DE42EE9B14F96465
2 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
network/ip6tables-enabled
View File

@ -23,6 +23,7 @@ COMMIT
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:QBS-FORWARD - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i vif+ -p icmpv6 --icmpv6-type router-advertisement -j DROP
@ -31,6 +32,7 @@ COMMIT
-A INPUT -i vif+ -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p icmpv6 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j QBS-FORWARD
-A FORWARD -i vif+ -o vif+ -j DROP

2
network/iptables
View File

@ -26,12 +26,14 @@ COMMIT
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:QBS-FORWARD - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i vif+ -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i vif+ -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j QBS-FORWARD
-A FORWARD -i vif+ -o vif+ -j DROP