network: properly handle DNS addresses in vif-qubes-nat.sh

Core3 no longer reuse netvm own IP for primary DNS. At the same time,
disable dropping traffic to netvm itself because it breaks DNS (as one
of blocked things). This allows VM to learn real netvm IP, but:
 - this mechanism is not intended to avoid detection from already
 compromised VM, only about unintentional leaks
 - this can be prevented using vif-qubes-nat.sh on the netvm itself (so
 it will also have hidden its own IP)

QubesOS/qubes-issues#1143
This commit is contained in:
Marek Marczykowski-Górecki 2016-11-01 00:14:46 +01:00
parent c75b6519c5
commit c8213ea55a
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
2 changed files with 8 additions and 1 deletions

View File

@ -2,7 +2,7 @@
#set -x #set -x
netvm_subnet=/24 netvm_subnet=/24
undetectable_netvm_ips=1 undetectable_netvm_ips=
netns="${vif}-nat" netns="${vif}-nat"
netvm_if="${vif}" netvm_if="${vif}"
@ -65,6 +65,7 @@ if test "$command" == online; then
# same for the gateway/DNS IPs # same for the gateway/DNS IPs
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_gw_ip" -j DROP netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_gw_ip" -j DROP
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_dns1_ip" -j DROP
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_dns2_ip" -j DROP netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_dns2_ip" -j DROP
fi fi
@ -74,6 +75,11 @@ if test "$command" == online; then
netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_gw_ip" -j DNAT --to-destination "$netvm_gw_ip" netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_gw_ip" -j DNAT --to-destination "$netvm_gw_ip"
netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_gw_ip" -j SNAT --to-source "$appvm_gw_ip" netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_gw_ip" -j SNAT --to-source "$appvm_gw_ip"
if test -n "$appvm_dns1_ip"; then
netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_dns1_ip" -j DNAT --to-destination "$netvm_dns1_ip"
netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_dns1_ip" -j SNAT --to-source "$appvm_dns1_ip"
fi
if test -n "$appvm_dns2_ip"; then if test -n "$appvm_dns2_ip"; then
netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_dns2_ip" -j DNAT --to-destination "$netvm_dns2_ip" netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_dns2_ip" -j DNAT --to-destination "$netvm_dns2_ip"
netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_dns2_ip" -j SNAT --to-source "$appvm_dns2_ip" netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_dns2_ip" -j SNAT --to-source "$appvm_dns2_ip"

View File

@ -30,6 +30,7 @@ if [ "${ip}" ]; then
# IPs as seen by this VM # IPs as seen by this VM
netvm_ip="$ip" netvm_ip="$ip"
netvm_gw_ip=`qubesdb-read /qubes-netvm-gateway` netvm_gw_ip=`qubesdb-read /qubes-netvm-gateway`
netvm_dns1_ip=`qubesdb-read /qubes-netvm-primary-dns`
netvm_dns2_ip=`qubesdb-read /qubes-netvm-secondary-dns` netvm_dns2_ip=`qubesdb-read /qubes-netvm-secondary-dns`
back_ip="$netvm_gw_ip" back_ip="$netvm_gw_ip"