Merge branch 'ticket_42'

Joanna Rutkowska 2010-06-11 17:02:42 +02:00
commit 8668dbe1d5
3 changed files with 20 additions and 15 deletions


@ -2,19 +2,23 @@
addrule()
{
if [ $FIRSTONE = yes ] ; then
NS=$NS1
FIRSTONE=no
RULE1="-A PREROUTING -d $NS1 -p udp --dport 53 -j DNAT --to $1"
else
RULE2="-A PREROUTING -d $NS2 -p udp --dport 53 -j DNAT --to $1"
NS=$NS2
fi
iptables -A PREROUTING -t nat -d $NS -p udp --dport 53 -j DNAT \
--to "$1"
}
export PATH=$PATH:/sbin:/bin
source /var/run/qubes_ns
if [ "X"$NS1 = "X" ] ; then exit ; fi
iptables -t nat -F PREROUTING
FIRSTONE=yes
grep ^nameserver /etc/resolv.conf | head -2 | while read x y z ; do
addrule "$y"
done
grep ^nameserver /etc/resolv.conf | head -2 |
(
while read x y z ; do
addrule "$y"
done
(echo "*nat"; echo $RULE1; echo $RULE2; echo COMMIT) | iptables-restore -n
)
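Review bot: RULE2 is built from `-d $NS2` and `--to $1` with no check that either is non-empty, and line 26 only validates NS1, so a /var/run/qubes_ns without NS2 (or a resolv.conf with a blank or odd second nameserver) yields a malformed rule that iptables-restore will most likely reject as a whole — after line 27 has already flushed PREROUTING, so the result is fail-closed but silent. I would guard the else branch, `[ -n "$NS2" ] && [ -n "$1" ] && RULE2="-A PREROUTING -d $NS2 -p udp --dport 53 -j DNAT --to $1"`, and emit the rules quoted, `echo "$RULE1"; echo "$RULE2"`, since an unset RULE2 then only produces a blank line that iptables-restore skips. The `NS=$NS1` / `NS=$NS2` assignments on lines 14 and 19 no longer feed anything and can go, and `read -r x y z` avoids backslash interpretation of resolv.conf content.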


@ -1,13 +1,15 @@
# Generated by iptables-save v1.4.5 on Thu May 20 06:02:32 2010
# Generated by iptables-save v1.4.5 on Fri Jun 4 07:17:12 2010
*nat
:PREROUTING ACCEPT [2:362]
:POSTROUTING ACCEPT [4:228]
:PREROUTING ACCEPT [8:818]
:POSTROUTING ACCEPT [1:84]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o br+ -j ACCEPT
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Thu May 20 06:02:32 2010
# Generated by iptables-save v1.4.5 on Thu May 20 06:02:32 2010
# Completed on Fri Jun 4 07:17:12 2010
# Generated by iptables-save v1.4.5 on Fri Jun 4 07:17:12 2010
*filter
:INPUT ACCEPT [3:84]
:INPUT ACCEPT [168:4704]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i br+ -p udp -m udp --dport 68 -j DROP
@ -17,4 +19,4 @@ COMMIT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
COMMIT
# Completed on Thu May 20 06:02:32 2010
# Completed on Fri Jun 4 07:17:12 2010
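Review bot: The new `-A POSTROUTING -j MASQUERADE` carries no `-s`/`-d` restriction, so every packet not leaving via a `br+` interface is now source-NATed, which is broader than the address-bound rule it replaces in the rc script; in particular the `-d 224.0.0.0/8 -j ACCEPT` exemption visible on line 77 of the rc-script hunk appears to be dropped by this commit, in which case multicast forwarded from VMs would now be masqueraded as well. If that exemption is still wanted it belongs here, before the MASQUERADE line and written IP-independently, `-A POSTROUTING -d 224.0.0.0/8 -j ACCEPT` (the full multicast range is 224.0.0.0/4, should that be the intent). The two rules are order-sensitive, so a `#` line above them, which iptables-restore ignores, would help: `# Never NAT traffic towards the VM bridges; masquerade everything else (IP-independent, ticket_42)`.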


@ -35,8 +35,7 @@ start()
#now done by iptables rc script
# iptables -t nat -A POSTROUTING -s $network/$netmask -j MASQUERADE
#no, we cannot put ip-dependent stuff in sysconfig/iptables
iptables -t nat -A POSTROUTING -s $network/$netmask -d 224.0.0.0/8 -j ACCEPT
iptables -t nat -A POSTROUTING -s $network/$netmask \! -d $network/$netmask -j MASQUERADE
#so make it ip-independent
success
echo ""
return 0