Sākums Izpētīt Palīdzība
Pierakstīties
Qubes
/
core-agent-linux
2
0
Atdalīts 0
Faili Problēmas 0 Izmaiņu pieprasījumi 0 Vikivietne
Pārlūkot izejas kodu

network: properly handle DNS addresses in vif-qubes-nat.sh

Core3 no longer reuse netvm own IP for primary DNS. At the same time,
disable dropping traffic to netvm itself because it breaks DNS (as one
of blocked things). This allows VM to learn real netvm IP, but:
 - this mechanism is not intended to avoid detection from already
 compromised VM, only about unintentional leaks
 - this can be prevented using vif-qubes-nat.sh on the netvm itself (so
 it will also have hidden its own IP)

QubesOS/qubes-issues#1143
Marek Marczykowski-Górecki 7 gadi atpakaļ
vecāks
c75b6519c5
revīzija
c8213ea55a
2 mainītis faili ar 8 papildinājumiem un 1 dzēšanām
Dalītais skats Rādīt salīdzināšanas statistiku
  1. 7 1
      network/vif-qubes-nat.sh
  2. 1 0
      network/vif-route-qubes

+ 7 - 1
network/vif-qubes-nat.sh
Parādīt failu 

@@ -2,7 +2,7 @@
 
 #set -x
 
 
 netvm_subnet=/24
 
-undetectable_netvm_ips=1
 
+undetectable_netvm_ips=
 
 
 netns="${vif}-nat"
 
 netvm_if="${vif}"
 
@@ -65,6 +65,7 @@ if test "$command" == online; then
 
 
         # same for the gateway/DNS IPs
 
         netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_gw_ip" -j DROP
 
+        netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_dns1_ip" -j DROP
 
         netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_dns2_ip" -j DROP
 
     fi
 
 
@@ -74,6 +75,11 @@ if test "$command" == online; then
 
     netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_gw_ip" -j DNAT --to-destination "$netvm_gw_ip"
 
     netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_gw_ip" -j SNAT --to-source "$appvm_gw_ip"
 
 
+    if test -n "$appvm_dns1_ip"; then
 
+        netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_dns1_ip" -j DNAT --to-destination "$netvm_dns1_ip"
 
+        netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_dns1_ip" -j SNAT --to-source "$appvm_dns1_ip"
 
+    fi
 
+
 
     if test -n "$appvm_dns2_ip"; then
 
         netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_dns2_ip" -j DNAT --to-destination "$netvm_dns2_ip"
 
         netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_dns2_ip" -j SNAT --to-source "$appvm_dns2_ip"

+ 1 - 0
network/vif-route-qubes
Parādīt failu 

@@ -30,6 +30,7 @@ if [ "${ip}" ]; then
 
     # IPs as seen by this VM
 
     netvm_ip="$ip"
 
     netvm_gw_ip=`qubesdb-read /qubes-netvm-gateway`
 
+    netvm_dns1_ip=`qubesdb-read /qubes-netvm-primary-dns`
 
     netvm_dns2_ip=`qubesdb-read /qubes-netvm-secondary-dns`
 
 
     back_ip="$netvm_gw_ip"