Unify dom0 and netvm sysconfig/iptables

Plus:
- dedicated chain for DNAT to nameservers
- prevent intervm networking. Can be conveniently overridden in necessary cases
by inserting ACCEPT clauses (per VM, probably) at the top of FORWARD
This commit is contained in:
Rafal Wojtczuk 2010-09-06 15:10:01 +02:00
parent 02276c2157
commit c0f47663c8
4 changed files with 31 additions and 26 deletions

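--- /dev/null
+++ b/common/iptables
@@ -0,0 +1,27 @@
+# Generated by iptables-save v1.4.5 on Mon Sep 6 08:57:46 2010
+*nat
+:PREROUTING ACCEPT [85:5912]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PR-QBS - [0:0]
+-A PREROUTING -j PR-QBS
+-A POSTROUTING -o vif+ -j ACCEPT
+-A POSTROUTING -j MASQUERADE
+COMMIT
+# Completed on Mon Sep 6 08:57:46 2010
+# Generated by iptables-save v1.4.5 on Mon Sep 6 08:57:46 2010
+*filter
+:INPUT ACCEPT [168:11399]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [128:12536]
+-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -i vif+ -o vif+ -j DROP
+-A FORWARD -i vif+ -j ACCEPT
+-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -j DROP
+COMMIT
+# Completed on Mon Sep 6 08:57:46 2010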
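Review bot: `:FORWARD ACCEPT [0:0]` leaves the chain's default permissive while the VM isolation rests entirely on the trailing `-A FORWARD -j DROP`; if FORWARD is ever flushed or that last rule is lost during a reload, vif-to-vif traffic — exactly what this commit sets out to block — is accepted by policy. Setting `:FORWARD DROP [0:0]` (and `:INPUT DROP [0:0]`, which is behaviour-neutral here because INPUT already ends in an unconditional REJECT) makes both chains fail closed without altering what the rules do when present. The `[85:5912]`-style counters and the dated `# Generated by iptables-save ... on Mon Sep 6 ...` headers are a live-host snapshot — iptables-restore ignores the counters unless run with `-c` — so zeroing them and dropping the timestamps keeps this checked-in file stable across regenerations. iptables-restore treats `#` lines as comments, so a line such as `# PR-QBS: DNAT of VM DNS queries (udp/53 to the addresses in /var/run/qubes/qubes_ns) to the real upstream resolvers; flushed and refilled by the nameserver script` above `:PR-QBS - [0:0]` would tell the next reader why the chain exists and who owns its contents.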


@ -3,16 +3,16 @@ addrule()
{ {
if [ $FIRSTONE = yes ] ; then if [ $FIRSTONE = yes ] ; then
FIRSTONE=no FIRSTONE=no
RULE1="-A PREROUTING -d $NS1 -p udp --dport 53 -j DNAT --to $1" RULE1="-A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $1"
else else
RULE2="-A PREROUTING -d $NS2 -p udp --dport 53 -j DNAT --to $1" RULE2="-A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $1"
NS=$NS2 NS=$NS2
fi fi
} }
export PATH=$PATH:/sbin:/bin export PATH=$PATH:/sbin:/bin
source /var/run/qubes/qubes_ns source /var/run/qubes/qubes_ns
if [ "X"$NS1 = "X" ] ; then exit ; fi if [ "X"$NS1 = "X" ] ; then exit ; fi
iptables -t nat -F PREROUTING iptables -t nat -F PR-QBS
FIRSTONE=yes FIRSTONE=yes
grep ^nameserver /etc/resolv.conf | head -2 | grep ^nameserver /etc/resolv.conf | head -2 |
( (
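Review bot: The rewritten `RULE1`/`RULE2` lines still match only `-p udp --dport 53`, so a resolver that retries over TCP after a truncated UDP answer sends that query to `$NS1`/`$NS2` unredirected and gets no reply; a parallel rule per nameserver, e.g. `"-A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $1"`, applied wherever `$RULE1`/`$RULE2` are installed below the hunk, would close that gap. `iptables -t nat -F PR-QBS` also assumes the chain already exists (it is created by the new sysconfig/iptables file in this commit); on a host where that file has not been loaded the flush fails, and presumably the later appends to PR-QBS fail as well, with nothing checking the exit status — `iptables -t nat -N PR-QBS 2>/dev/null || true` before the flush, or an explicit status check, would make the script self-sufficient. The `addrule()` signature sits above the hunk and the pipeline opened by `grep ^nameserver /etc/resolv.conf | head -2 |` continues below it.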


@ -1,22 +0,0 @@
# Generated by iptables-save v1.4.5 on Fri Jun 4 07:17:12 2010
*nat
:PREROUTING ACCEPT [8:818]
:POSTROUTING ACCEPT [1:84]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o br+ -j ACCEPT
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Fri Jun 4 07:17:12 2010
# Generated by iptables-save v1.4.5 on Fri Jun 4 07:17:12 2010
*filter
:INPUT ACCEPT [168:4704]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i br+ -p udp -m udp --dport 68 -j DROP
-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -i br+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
COMMIT
# Completed on Fri Jun 4 07:17:12 2010


@ -53,7 +53,7 @@ fi
%install %install
mkdir -p $RPM_BUILD_ROOT/etc/sysconfig mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
cp iptables $RPM_BUILD_ROOT/etc/sysconfig cp ../common/iptables $RPM_BUILD_ROOT/etc/sysconfig
mkdir -p $RPM_BUILD_ROOT/etc mkdir -p $RPM_BUILD_ROOT/etc
cp fstab $RPM_BUILD_ROOT/etc/fstab cp fstab $RPM_BUILD_ROOT/etc/fstab
mkdir -p $RPM_BUILD_ROOT/etc/init.d mkdir -p $RPM_BUILD_ROOT/etc/init.d