network: IPv6-enabled firewall

If IPv6 is configured in the VM, and it is providing network to others,
apply IPv6 firewall similar to the IPv4 one (including NAT for outgoing
traffic), instead of blocking everything. Also, enable IP forwarding for
IPv6 in such a case.

Fixes QubesOS/qubes-issues#718
Marek Marczykowski-Górecki 2017-12-03 03:30:53 +01:00
parent 44f8cceb38
commit 715693b93d
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
6 changed files with 48 additions and 0 deletions


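--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -345,6 +345,7 @@ endif
 install -m 0400 -D network/iptables $(DESTDIR)/etc/qubes/iptables.rules
 install -m 0400 -D network/ip6tables $(DESTDIR)/etc/qubes/ip6tables.rules
+install -m 0400 -D network/ip6tables-enabled $(DESTDIR)/etc/qubes/ip6tables-enabled.rules
 install -m 0755 -D qubes-rpc/qubes.UpdatesProxy $(DESTDIR)/etc/qubes-rpc/qubes.UpdatesProxy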


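--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,6 +1,7 @@
 etc/dhclient.d/qubes-setup-dnat-to-ns.sh
 etc/qubes-rpc/qubes.UpdatesProxy
 etc/qubes/ip6tables.rules
+etc/qubes/ip6tables-enabled.rules
 etc/qubes/iptables.rules
 etc/tinyproxy/tinyproxy-updates.conf
 etc/tinyproxy/updates-blacklist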

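--- /dev/null
+++ b/network/ip6tables-enabled
@@ -0,0 +1,31 @@
+*nat
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PR-QBS - [0:0]
+:PR-QBS-SERVICES - [0:0]
+-A PREROUTING -j PR-QBS
+-A PREROUTING -j PR-QBS-SERVICES
+-A POSTROUTING -o vif+ -j ACCEPT
+-A POSTROUTING -o lo -j ACCEPT
+-A POSTROUTING -j MASQUERADE
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:QBS-FORWARD - [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i vif+ -p icmpv6 --icmpv6-type router-advertisement -j DROP
+-A INPUT -i vif+ -p icmpv6 --icmpv6-type redirect -j DROP
+-A INPUT -i vif+ -p icmpv6 -j ACCEPT
+-A INPUT -i vif+ -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -p icmpv6 -j ACCEPT
+-A INPUT -j DROP
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -j QBS-FORWARD
+-A FORWARD -i vif+ -o vif+ -j DROP
+-A FORWARD -i vif+ -j ACCEPT
+-A FORWARD -j DROP
+COMMIT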
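Review bot: The new rules file carries no comment saying when it is selected or why the two `--icmpv6-type` DROP rules on vif+ must stay ahead of the blanket `-A INPUT -i vif+ -p icmpv6 -j ACCEPT`; a future reorder would quietly start accepting router advertisements and redirects from downstream VMs, which is the one thing these rules exist to stop. iptables-restore accepts `#` lines, so a header such as `# Loaded instead of ip6tables.rules when the VM has IPv6 configured (selected by the init script); keep the vif+ RA/redirect DROP rules before the icmpv6 ACCEPT` would capture both points. The later `-A INPUT -p icmpv6 -j ACCEPT` accepts every ICMPv6 type on the remaining interfaces, including router-advertisement and redirect from the uplink — presumably deliberate so the uplink can do neighbor discovery, but a one-line comment stating that it is intentional would stop it being "fixed" later.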


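--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -29,6 +29,15 @@ fi
 start() {
 ipt=$1
 IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}.rules
+ipv6_enabled=
+if qubesdb-read /qubes-ip6 >/dev/null 2>&1 || \
+qubesdb-read /qubes-netvm-gateway6 >/dev/null 2>&1; then
+ipv6_enabled=true
+fi
+# if IPv6 is enabled, load alternative rules file
+if [ "$ipt" = "ip6tables" ] && [ -n "$ipv6_enabled" ]; then
+IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}-enabled.rules
+fi
 CMD=$ipt
 # Do not start if there is no config file.
 [ ! -f "$IPTABLES_DATA" ] && return 6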
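Review bot: The switch to `IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}-enabled.rules` does not check that the file exists, and the pre-existing guard `[ ! -f "$IPTABLES_DATA" ] && return 6` then skips loading any ip6tables rules when it is missing, so an IPv6-enabled VM whose ip6tables-enabled.rules is absent (a partial upgrade, a dropped config) presumably ends up with whatever the kernel's default ip6tables state is instead of the block-everything ip6tables.rules — a fail-open path that did not exist before this change. Adding the existence test to the selection keeps the restrictive file as the fallback: `if [ "$ipt" = "ip6tables" ] && [ -n "$ipv6_enabled" ] && [ -f "$IPTABLES_DATA_DIR/${ipt}-enabled.rules" ]; then`. The two qubesdb-read probes also run for the iptables invocation, where the result is never used; nesting them under the `"$ipt" = "ip6tables"` test would avoid the needless lookups. The start() function continues past the end of the hunk.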


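--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -682,6 +682,7 @@ rm -f %{name}-%{version}
 %files networking
 %config(noreplace) /etc/qubes-rpc/qubes.UpdatesProxy
 %config(noreplace) /etc/qubes/ip6tables.rules
+%config(noreplace) /etc/qubes/ip6tables-enabled.rules
 %config(noreplace) /etc/qubes/iptables.rules
 %config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf
 %config(noreplace) /etc/tinyproxy/updates-blacklist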


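--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -11,6 +11,7 @@ if [ "x$network" != "x" ]; then
 fi
 gateway=$(qubesdb-read /qubes-netvm-gateway)
+gateway6=$(qubesdb-read /qubes-netvm-gateway6 ||:)
 #netmask=$(qubesdb-read /qubes-netvm-netmask)
 primary_dns=$(qubesdb-read /qubes-netvm-primary-dns 2>/dev/null || echo "$gateway")
 secondary_dns=$(qubesdb-read /qubes-netvm-secondary-dns)
@@ -19,5 +20,9 @@ if [ "x$network" != "x" ]; then
 echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
 /usr/lib/qubes/qubes-setup-dnat-to-ns
 echo "1" > /proc/sys/net/ipv4/ip_forward
+# enable also IPv6 forwarding, if IPv6 is enabled
+if [ -n "$gateway6" ]; then
+echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+fi
 /sbin/ethtool -K eth0 sg off || true
 fi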
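Review bot: `gateway6=$(qubesdb-read /qubes-netvm-gateway6 ||:)` in the first hunk silences the exit status but not stderr, so every VM without an IPv6 gateway prints the missing-key error at each network setup, whereas the primary_dns line two lines below uses `2>/dev/null`; `gateway6=$(qubesdb-read /qubes-netvm-gateway6 2>/dev/null ||:)` keeps the two consistent. In the second hunk, the write to `/proc/sys/net/ipv6/conf/all/forwarding` fails when IPv6 is compiled out or disabled at boot (the sysctl tree is absent); if this script runs under `set -e` — not visible here — that aborts before the ethtool line, so a `[ -w /proc/sys/net/ipv6/conf/all/forwarding ]` guard or an `|| true` in the style of the ethtool line would be safer. Note also that setting `all/forwarding=1` makes the kernel stop honouring router advertisements on interfaces left at accept_ra=1, so an uplink that depends on SLAAC needs accept_ra=2 — worth a comment, especially since the condition used here (`$gateway6` only) is narrower than the init script's check, which also considers /qubes-ip6.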