Qubes/core-agent-linux
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

network: properly handle DNS addresses in vif-qubes-nat.sh

Browse Source 
Core3 no longer reuse netvm own IP for primary DNS. At the same time,
disable dropping traffic to netvm itself because it breaks DNS (as one
of blocked things). This allows VM to learn real netvm IP, but:
 - this mechanism is not intended to avoid detection from already
 compromised VM, only about unintentional leaks
 - this can be prevented using vif-qubes-nat.sh on the netvm itself (so
 it will also have hidden its own IP)

QubesOS/qubes-issues#1143
This commit is contained in:
Marek Marczykowski-Górecki 2016-11-01 00:14:46 +01:00
parent c75b6519c5
commit c8213ea55a
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
2 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
network/vif-qubes-nat.sh
View File

@ -2,7 +2,7 @@
#set -x
netvm_subnet=/24
undetectable_netvm_ips=1
undetectable_netvm_ips=
netns="${vif}-nat"
netvm_if="${vif}"
@ -65,6 +65,7 @@ if test "$command" == online; then
# same for the gateway/DNS IPs
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_gw_ip" -j DROP
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_dns1_ip" -j DROP
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_dns2_ip" -j DROP
fi
@ -74,6 +75,11 @@ if test "$command" == online; then
netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_gw_ip" -j DNAT --to-destination "$netvm_gw_ip"
netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_gw_ip" -j SNAT --to-source "$appvm_gw_ip"
if test -n "$appvm_dns1_ip"; then
netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_dns1_ip" -j DNAT --to-destination "$netvm_dns1_ip"
netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_dns1_ip" -j SNAT --to-source "$appvm_dns1_ip"
fi
if test -n "$appvm_dns2_ip"; then
netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_dns2_ip" -j DNAT --to-destination "$netvm_dns2_ip"
netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_dns2_ip" -j SNAT --to-source "$appvm_dns2_ip"

1
network/vif-route-qubes
View File

@ -30,6 +30,7 @@ if [ "${ip}" ]; then
# IPs as seen by this VM
netvm_ip="$ip"
netvm_gw_ip=`qubesdb-read /qubes-netvm-gateway`
netvm_dns1_ip=`qubesdb-read /qubes-netvm-primary-dns`
netvm_dns2_ip=`qubesdb-read /qubes-netvm-secondary-dns`
back_ip="$netvm_gw_ip"