network: IPv6-enabled firewall
If IPv6 is configured in the VM and it is providing network to others, apply an IPv6 firewall similar to the IPv4 one (including NAT for outgoing traffic) instead of blocking everything. Also enable IP forwarding for IPv6 in that case. Fixes QubesOS/qubes-issues#718
This commit is contained in:
parent
44f8cceb38
commit
715693b93d
1
Makefile
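--- a/Makefile
+++ b/Makefile
@@ -345,6 +345,7 @@ endif
 
 	install -m 0400 -D network/iptables $(DESTDIR)/etc/qubes/iptables.rules
 	install -m 0400 -D network/ip6tables $(DESTDIR)/etc/qubes/ip6tables.rules
+	install -m 0400 -D network/ip6tables-enabled $(DESTDIR)/etc/qubes/ip6tables-enabled.rules
 
 	install -m 0755 -D qubes-rpc/qubes.UpdatesProxy $(DESTDIR)/etc/qubes-rpc/qubes.UpdatesProxy
 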
1
debian/qubes-core-agent-networking.install
vendored
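--- a/debian/qubes-core-agent-networking.install
+++ b/debian/qubes-core-agent-networking.install
@@ -1,6 +1,7 @@
 etc/dhclient.d/qubes-setup-dnat-to-ns.sh
 etc/qubes-rpc/qubes.UpdatesProxy
 etc/qubes/ip6tables.rules
+etc/qubes/ip6tables-enabled.rules
 etc/qubes/iptables.rules
 etc/tinyproxy/tinyproxy-updates.conf
 etc/tinyproxy/updates-blacklist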
31
network/ip6tables-enabled
Normal file
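--- /dev/null
+++ b/network/ip6tables-enabled
@@ -0,0 +1,31 @@
+*nat
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PR-QBS - [0:0]
+:PR-QBS-SERVICES - [0:0]
+-A PREROUTING -j PR-QBS
+-A PREROUTING -j PR-QBS-SERVICES
+-A POSTROUTING -o vif+ -j ACCEPT
+-A POSTROUTING -o lo -j ACCEPT
+-A POSTROUTING -j MASQUERADE
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:QBS-FORWARD - [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i vif+ -p icmpv6 --icmpv6-type router-advertisement -j DROP
+-A INPUT -i vif+ -p icmpv6 --icmpv6-type redirect -j DROP
+-A INPUT -i vif+ -p icmpv6 -j ACCEPT
+-A INPUT -i vif+ -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -p icmpv6 -j ACCEPT
+-A INPUT -j DROP
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -j QBS-FORWARD
+-A FORWARD -i vif+ -o vif+ -j DROP
+-A FORWARD -i vif+ -j ACCEPT
+-A FORWARD -j DROP
+COMMIT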
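Review bot: `-A FORWARD -i vif+ -j ACCEPT` forwards anything a downstream VM emits without checking that the packet's source address is the one assigned to that vif, and IPv6 has no rp_filter sysctl, so the kernel will not do that check either. If the per-VM policy that fills QBS-FORWARD (populated elsewhere, not visible here) is keyed on source address, a VM can borrow a more permissive neighbour's address to slip past its own rules. A source-bound rule added when the vif comes up, e.g. `-A QBS-FORWARD -i vifX -s <vm-ip6> -j ACCEPT`, with `-A FORWARD -i vif+ -j DROP` replacing the blanket ACCEPT here, would close that. iptables-restore accepts `#` lines, so a header such as `# Loaded instead of ip6tables.rules when /qubes-ip6 or /qubes-netvm-gateway6 exists in QubesDB; forwards vif+ traffic and masquerades it upstream` would also document when this file applies.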
@ -29,6 +29,15 @@ fi
|
|||||||
start() {
|
start() {
|
||||||
ipt=$1
|
ipt=$1
|
||||||
IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}.rules
|
IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}.rules
|
||||||
|
ipv6_enabled=
|
||||||
|
if qubesdb-read /qubes-ip6 >/dev/null 2>&1 || \
|
||||||
|
qubesdb-read /qubes-netvm-gateway6 >/dev/null 2>&1; then
|
||||||
|
ipv6_enabled=true
|
||||||
|
fi
|
||||||
|
# if IPv6 is enabled, load alternative rules file
|
||||||
|
if [ "$ipt" = "ip6tables" ] && [ -n "$ipv6_enabled" ]; then
|
||||||
|
IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}-enabled.rules
|
||||||
|
fi
|
||||||
CMD=$ipt
|
CMD=$ipt
|
||||||
# Do not start if there is no config file.
|
# Do not start if there is no config file.
|
||||||
[ ! -f "$IPTABLES_DATA" ] && return 6
|
[ ! -f "$IPTABLES_DATA" ] && return 6
|
||||||
|
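Review bot: The selection test `if qubesdb-read /qubes-ip6 ... || qubesdb-read /qubes-netvm-gateway6` loads the NAT/forwarding ruleset whenever either key exists, while the commit message and the forwarding sysctl in setup-ip (`if [ -n "$gateway6" ]`) key on the gateway only; a VM that merely has its own IPv6 address therefore gets the masquerading ruleset without acting as a gateway. That is harmless while no vif+ exists there, but the two conditions will drift; either make them the same or record the intent with `# enabled rules when this VM has IPv6 itself OR provides IPv6 to others; keep in sync with the forwarding test in setup-ip`. Both qubesdb-read failures are silenced, so a transient qubesdb error at boot quietly falls back to the blocking ip6tables.rules; a `logger` call on that path would make it diagnosable. start() continues past the end of the hunk.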
@ -682,6 +682,7 @@ rm -f %{name}-%{version}
|
|||||||
%files networking
|
%files networking
|
||||||
%config(noreplace) /etc/qubes-rpc/qubes.UpdatesProxy
|
%config(noreplace) /etc/qubes-rpc/qubes.UpdatesProxy
|
||||||
%config(noreplace) /etc/qubes/ip6tables.rules
|
%config(noreplace) /etc/qubes/ip6tables.rules
|
||||||
|
%config(noreplace) /etc/qubes/ip6tables-enabled.rules
|
||||||
%config(noreplace) /etc/qubes/iptables.rules
|
%config(noreplace) /etc/qubes/iptables.rules
|
||||||
%config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf
|
%config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf
|
||||||
%config(noreplace) /etc/tinyproxy/updates-blacklist
|
%config(noreplace) /etc/tinyproxy/updates-blacklist
|
||||||
|
@ -11,6 +11,7 @@ if [ "x$network" != "x" ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
gateway=$(qubesdb-read /qubes-netvm-gateway)
|
gateway=$(qubesdb-read /qubes-netvm-gateway)
|
||||||
|
gateway6=$(qubesdb-read /qubes-netvm-gateway6 ||:)
|
||||||
#netmask=$(qubesdb-read /qubes-netvm-netmask)
|
#netmask=$(qubesdb-read /qubes-netvm-netmask)
|
||||||
primary_dns=$(qubesdb-read /qubes-netvm-primary-dns 2>/dev/null || echo "$gateway")
|
primary_dns=$(qubesdb-read /qubes-netvm-primary-dns 2>/dev/null || echo "$gateway")
|
||||||
secondary_dns=$(qubesdb-read /qubes-netvm-secondary-dns)
|
secondary_dns=$(qubesdb-read /qubes-netvm-secondary-dns)
|
||||||
@ -19,5 +20,9 @@ if [ "x$network" != "x" ]; then
|
|||||||
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
|
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
|
||||||
/usr/lib/qubes/qubes-setup-dnat-to-ns
|
/usr/lib/qubes/qubes-setup-dnat-to-ns
|
||||||
echo "1" > /proc/sys/net/ipv4/ip_forward
|
echo "1" > /proc/sys/net/ipv4/ip_forward
|
||||||
|
# enable also IPv6 forwarding, if IPv6 is enabled
|
||||||
|
if [ -n "$gateway6" ]; then
|
||||||
|
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
|
||||||
|
fi
|
||||||
/sbin/ethtool -K eth0 sg off || true
|
/sbin/ethtool -K eth0 sg off || true
|
||||||
fi
|
fi
|
||||||
|
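Review bot: `echo 1 > /proc/sys/net/ipv6/conf/all/forwarding` enables forwarding on every interface, and with forwarding on the kernel stops honouring Router Advertisements on interfaces whose `accept_ra` is 1 (the default); if the eth0 uplink gets its address or default route from SLAAC, as a NetVM on a physical network presumably does, that route is lost when this line runs. Set `accept_ra` to 2 on the uplink first, e.g. `echo 2 > /proc/sys/net/ipv6/conf/eth0/accept_ra` before the forwarding write, or scope the sysctl to the vif interfaces instead of `all`. The redirect also has no `|| true` like the ethtool line below it, so a kernel without the IPv6 sysctl tree would abort here if the script runs under `set -e` (the header is outside the hunk). The enclosing `if [ "x$network" != "x" ]` block begins before this hunk.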