
network: IPv6-enabled firewall

If IPv6 is configured in the VM, and it is providing network to others,
apply IPv6 firewall similar to the IPv4 one (including NAT for outgoing
traffic), instead of blocking everything. Also, enable IP forwarding for
IPv6 in such a case.

Fixes QubesOS/qubes-issues#718
Marek Marczykowski-Górecki 6 years ago
parent
commit
715693b93d

+ 1 - 0
Makefile

@@ -345,6 +345,7 @@ endif
 
 	install -m 0400 -D network/iptables $(DESTDIR)/etc/qubes/iptables.rules
 	install -m 0400 -D network/ip6tables $(DESTDIR)/etc/qubes/ip6tables.rules
+	install -m 0400 -D network/ip6tables-enabled $(DESTDIR)/etc/qubes/ip6tables-enabled.rules
 
 	install -m 0755 -D qubes-rpc/qubes.UpdatesProxy $(DESTDIR)/etc/qubes-rpc/qubes.UpdatesProxy
 

+ 1 - 0
debian/qubes-core-agent-networking.install

@@ -1,6 +1,7 @@
 etc/dhclient.d/qubes-setup-dnat-to-ns.sh
 etc/qubes-rpc/qubes.UpdatesProxy
 etc/qubes/ip6tables.rules
+etc/qubes/ip6tables-enabled.rules
 etc/qubes/iptables.rules
 etc/tinyproxy/tinyproxy-updates.conf
 etc/tinyproxy/updates-blacklist

+ 31 - 0
network/ip6tables-enabled

@@ -0,0 +1,31 @@
+*nat
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PR-QBS - [0:0]
+:PR-QBS-SERVICES - [0:0]
+-A PREROUTING -j PR-QBS
+-A PREROUTING -j PR-QBS-SERVICES
+-A POSTROUTING -o vif+ -j ACCEPT
+-A POSTROUTING -o lo -j ACCEPT
+-A POSTROUTING -j MASQUERADE
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:QBS-FORWARD - [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i vif+ -p icmpv6 --icmpv6-type router-advertisement -j DROP
+-A INPUT -i vif+ -p icmpv6 --icmpv6-type redirect -j DROP
+-A INPUT -i vif+ -p icmpv6 -j ACCEPT
+-A INPUT -i vif+ -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -p icmpv6 -j ACCEPT
+-A INPUT -j DROP
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -j QBS-FORWARD
+-A FORWARD -i vif+ -o vif+ -j DROP
+-A FORWARD -i vif+ -j ACCEPT
+-A FORWARD -j DROP
+COMMIT
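Review bot: The new file has no header comment saying when it is loaded, and nothing records that the order of the three vif+ ICMPv6 INPUT rules is significant: the router-advertisement and redirect DROP rules only take effect because they precede the catch-all `-A INPUT -i vif+ -p icmpv6 -j ACCEPT`, so anyone appending or reordering rules later could silently let a downstream VM's router advertisements and redirects reach the proxy again. iptables-restore accepts `#` comment lines, so a header such as `# Loaded by qubes-iptables in place of ip6tables.rules when QubesDB has /qubes-ip6 or /qubes-netvm-gateway6` followed by `# Keep the RA/redirect DROP rules above the generic vif+ ICMPv6 ACCEPT` would document both points. The POSTROUTING MASQUERADE in the nat table also depends on the kernel's IPv6 NAT support; if that is missing, restoring this file presumably fails as a whole rather than only the nat table, which is worth noting in the same header.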

+ 9 - 0
network/qubes-iptables

@@ -29,6 +29,15 @@ fi
 start() {
     ipt=$1
     IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}.rules
+    ipv6_enabled=
+    if qubesdb-read /qubes-ip6 >/dev/null 2>&1 || \
+        qubesdb-read /qubes-netvm-gateway6 >/dev/null 2>&1; then
+        ipv6_enabled=true
+    fi
+    # if IPv6 is enabled, load alternative rules file
+    if [ "$ipt" = "ip6tables" ] && [ -n "$ipv6_enabled" ]; then
+        IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}-enabled.rules
+    fi
     CMD=$ipt
     # Do not start if there is no config file.
     [ ! -f "$IPTABLES_DATA" ] && return 6
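Review bot: When IPv6 is enabled but `ip6tables-enabled.rules` is absent, the new branch on L89–L91 points IPTABLES_DATA at the missing file and the existing `[ ! -f "$IPTABLES_DATA" ] && return 6` then skips loading any ip6tables rules at all, presumably leaving the kernel's default ACCEPT policies in place instead of the restrictive ip6tables.rules that would otherwise be used. Falling back to the default file is the safer failure mode: `if [ "$ipt" = "ip6tables" ] && [ -n "$ipv6_enabled" ] \` / `        && [ -f "$IPTABLES_DATA_DIR/${ipt}-enabled.rules" ]; then`. The two qubesdb-read calls on L84–L85 also run on every invocation, including `ipt=iptables`, where the result is never used; moving them under the `[ "$ipt" = "ip6tables" ]` test avoids the extra lookups. start() continues past the end of the hunk.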

+ 1 - 0
rpm_spec/core-agent.spec

@@ -682,6 +682,7 @@ rm -f %{name}-%{version}
 %files networking
 %config(noreplace) /etc/qubes-rpc/qubes.UpdatesProxy
 %config(noreplace) /etc/qubes/ip6tables.rules
+%config(noreplace) /etc/qubes/ip6tables-enabled.rules
 %config(noreplace) /etc/qubes/iptables.rules
 %config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf
 %config(noreplace) /etc/tinyproxy/updates-blacklist

+ 5 - 0
vm-systemd/network-proxy-setup.sh

@@ -11,6 +11,7 @@ if [ "x$network" != "x" ]; then
     fi
 
     gateway=$(qubesdb-read /qubes-netvm-gateway)
+    gateway6=$(qubesdb-read /qubes-netvm-gateway6 ||:)
     #netmask=$(qubesdb-read /qubes-netvm-netmask)
     primary_dns=$(qubesdb-read /qubes-netvm-primary-dns 2>/dev/null || echo "$gateway")
     secondary_dns=$(qubesdb-read /qubes-netvm-secondary-dns)
@@ -19,5 +20,9 @@ if [ "x$network" != "x" ]; then
     echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
     /usr/lib/qubes/qubes-setup-dnat-to-ns
     echo "1" > /proc/sys/net/ipv4/ip_forward
+    # enable also IPv6 forwarding, if IPv6 is enabled
+    if [ -n "$gateway6" ]; then
+        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+    fi
     /sbin/ethtool -K eth0 sg off || true
 fi
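Review bot: Writing 1 to `/proc/sys/net/ipv6/conf/all/forwarding` has a side effect the comment on L123 does not mention: with forwarding enabled the kernel stops processing router advertisements on an interface unless that interface's `accept_ra` is 2, so if this VM's upstream IPv6 address ever depends on SLAAC it would stop being renewed; the gateway6 value read from QubesDB suggests static configuration, but that assumption is worth recording, e.g. `# forwarding=1 disables RA processing unless accept_ra=2; upstream IPv6 is expected to be statically configured`. Separately, the new `gateway6=$(qubesdb-read /qubes-netvm-gateway6 ||:)` on L115 leaves stderr unredirected, unlike the primary_dns line right below it, so a missing key will likely print an error during boot; `gateway6=$(qubesdb-read /qubes-netvm-gateway6 2>/dev/null ||:)` matches the existing style. The enclosing `if [ "x$network" != "x" ]` block starts before the first hunk.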