Unify dom0 and netvm sysconfig/iptables

Plus: - dedicated chain for DNAT to nameservers - prevent intervm networking. Can be conveniently overriden in necessary cases by inserting ACCEPT clauses (per VM, probably) at the top of FORWARD
2010-09-06 15:10:01 +02:00 · 2010-09-06 15:10:01 +02:00 · c0f47663c8
commit c0f47663c8
parent 02276c2157
4 changed files with 31 additions and 26 deletions
--- a/common/iptables
+++ b/common/iptables
@ -0,0 +1,27 @@
+# Generated by iptables-save v1.4.5 on Mon Sep  6 08:57:46 2010
+*nat
+:PREROUTING ACCEPT [85:5912]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PR-QBS - [0:0]
+-A PREROUTING -j PR-QBS
+-A POSTROUTING -o vif+ -j ACCEPT
+-A POSTROUTING -j MASQUERADE
+COMMIT
+# Completed on Mon Sep  6 08:57:46 2010
+# Generated by iptables-save v1.4.5 on Mon Sep  6 08:57:46 2010
+*filter
+:INPUT ACCEPT [168:11399]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [128:12536]
+-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -i vif+ -o vif+ -j DROP
+-A FORWARD -i vif+ -j ACCEPT
+-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -j DROP
+COMMIT
+# Completed on Mon Sep  6 08:57:46 2010
--- a/common/qubes_setup_dnat_to_ns
+++ b/common/qubes_setup_dnat_to_ns
@ -3,16 +3,16 @@ addrule()
 {
        if [ $FIRSTONE = yes ] ; then
                FIRSTONE=no
-                RULE1="-A PREROUTING -d $NS1 -p udp --dport 53 -j DNAT --to $1"
+                RULE1="-A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $1"
        else
-                RULE2="-A PREROUTING -d $NS2 -p udp --dport 53 -j DNAT --to $1"
+                RULE2="-A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $1"
                NS=$NS2
        fi
 }
 export PATH=$PATH:/sbin:/bin
 source /var/run/qubes/qubes_ns
 if [ "X"$NS1 = "X" ] ; then exit ; fi
-iptables -t nat -F PREROUTING
+iptables -t nat -F PR-QBS
 FIRSTONE=yes
 grep ^nameserver /etc/resolv.conf | head -2 |
        (
--- a/netvm/iptables
+++ b/netvm/iptables
@ -1,22 +0,0 @@
-# Generated by iptables-save v1.4.5 on Fri Jun  4 07:17:12 2010
-*nat
-:PREROUTING ACCEPT [8:818]
-:POSTROUTING ACCEPT [1:84]
-:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o br+ -j ACCEPT
-A POSTROUTING -j MASQUERADE
-COMMIT
-# Completed on Fri Jun  4 07:17:12 2010
-# Generated by iptables-save v1.4.5 on Fri Jun  4 07:17:12 2010
-*filter
-:INPUT ACCEPT [168:4704]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-A INPUT -i br+ -p udp -m udp --dport 68 -j DROP
-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -i br+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
-COMMIT
-# Completed on Fri Jun  4 07:17:12 2010
--- a/rpm_spec/core-netvm.spec
+++ b/rpm_spec/core-netvm.spec
@ -53,7 +53,7 @@ fi
 %install

 mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
-cp iptables $RPM_BUILD_ROOT/etc/sysconfig
+cp ../common/iptables $RPM_BUILD_ROOT/etc/sysconfig
 mkdir -p $RPM_BUILD_ROOT/etc
 cp fstab $RPM_BUILD_ROOT/etc/fstab
 mkdir -p $RPM_BUILD_ROOT/etc/init.d