Qubes/core-agent-linux
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

firewall: drop INVALID state TCP packets

Browse Source 
Packets detected as INVALID are ignored by NAT, so if they are not
dropped, packets with internal source IPs can leak to the outside
network.

See:

https://bugzilla.netfilter.org/show_bug.cgi?id=693
http://www.smythies.com/~doug/network/iptables_notes/

Fixes QubesOS/qubes-issues#5596.
This commit is contained in:
Pawel Marczewski 2020-01-24 10:02:28 +01:00
parent 3c1de3b4f4
commit 63d8065e4f
No known key found for this signature in database
GPG Key ID: DE42EE9B14F96465
2 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
network/ip6tables-enabled
View File

@ -23,6 +23,7 @@ COMMIT
:FORWARD DROP [0:0] :FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
:QBS-FORWARD - [0:0] :QBS-FORWARD - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT -A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i vif+ -p icmpv6 --icmpv6-type router-advertisement -j DROP -A INPUT -i vif+ -p icmpv6 --icmpv6-type router-advertisement -j DROP
@ -31,6 +32,7 @@ COMMIT
-A INPUT -i vif+ -j REJECT --reject-with icmp6-adm-prohibited -A INPUT -i vif+ -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p icmpv6 -j ACCEPT -A INPUT -p icmpv6 -j ACCEPT
-A INPUT -j DROP -A INPUT -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j QBS-FORWARD -A FORWARD -j QBS-FORWARD
-A FORWARD -i vif+ -o vif+ -j DROP -A FORWARD -i vif+ -o vif+ -j DROP

2
network/iptables
View File

@ -26,12 +26,14 @@ COMMIT
:FORWARD DROP [0:0] :FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
:QBS-FORWARD - [0:0] :QBS-FORWARD - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP -A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i vif+ -p icmp -j ACCEPT -A INPUT -i vif+ -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT -A INPUT -i lo -j ACCEPT
-A INPUT -i vif+ -j REJECT --reject-with icmp-host-prohibited -A INPUT -i vif+ -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j DROP -A INPUT -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j QBS-FORWARD -A FORWARD -j QBS-FORWARD
-A FORWARD -i vif+ -o vif+ -j DROP -A FORWARD -i vif+ -o vif+ -j DROP