From 63d8065e4f59c9e4c74c2c886da409ad95a16592 Mon Sep 17 00:00:00 2001
From: Pawel Marczewski
Date: Fri, 24 Jan 2020 10:02:28 +0100
Subject: [PATCH] firewall: drop INVALID state TCP packets

Packets detected as INVALID are ignored by NAT, so if they are not dropped, packets with internal source IPs can leak to the outside network.
See: https://bugzilla.netfilter.org/show_bug.cgi?id=693
http://www.smythies.com/~doug/network/iptables_notes/
Fixes QubesOS/qubes-issues#5596.
---
 network/ip6tables-enabled | 2 ++
 network/iptables | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/network/ip6tables-enabled b/network/ip6tables-enabled
index 49d1464..fc5aec1 100644
--- a/network/ip6tables-enabled
+++ b/network/ip6tables-enabled
@@ -23,6 +23,7 @@ COMMIT
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
 :QBS-FORWARD - [0:0]
+-A INPUT -m state --state INVALID -j DROP
 -A INPUT -i lo -j ACCEPT
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i vif+ -p icmpv6 --icmpv6-type router-advertisement -j DROP
@@ -31,6 +32,7 @@ COMMIT
 -A INPUT -i vif+ -j REJECT --reject-with icmp6-adm-prohibited
 -A INPUT -p icmpv6 -j ACCEPT
 -A INPUT -j DROP
+-A FORWARD -m state --state INVALID -j DROP
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -j QBS-FORWARD
 -A FORWARD -i vif+ -o vif+ -j DROP
diff --git a/network/iptables b/network/iptables
index 377880d..9ef7431 100644
--- a/network/iptables
+++ b/network/iptables
@@ -26,12 +26,14 @@ COMMIT
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
 :QBS-FORWARD - [0:0]
+-A INPUT -m state --state INVALID -j DROP
 -A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i vif+ -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -i vif+ -j REJECT --reject-with icmp-host-prohibited
 -A INPUT -j DROP
+-A FORWARD -m state --state INVALID -j DROP
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -j QBS-FORWARD
 -A FORWARD -i vif+ -o vif+ -j DROP
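Review bot: The added rules use the legacy `-m state --state INVALID` match while the neighbouring RELATED,ESTABLISHED rules in the same chains use `-m conntrack --ctstate`; for consistency with the rest of both files the new lines in this hunk and in the other two hunks (the FORWARD hunk of ip6tables-enabled and the INPUT/FORWARD hunk of iptables) would read `-A INPUT -m conntrack --ctstate INVALID -j DROP` and `-A FORWARD -m conntrack --ctstate INVALID -j DROP`. The subject line says "TCP packets", but none of the new rules carries `-p tcp`, so they drop INVALID packets of every protocol; the commit message should say so, otherwise a reader may assume UDP and ICMP are unaffected. Since iptables-save format accepts `#` lines, a comment above each new rule such as `# INVALID packets bypass NAT (netfilter bug 693); drop them so internal addresses cannot leak` would keep the rationale next to the rule instead of only in the commit log. The OUTPUT chain receives no equivalent rule; whether locally generated INVALID packets can take the same NAT bypass is not shown here and may be worth confirming.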