From cd19073d50f2f59d502f1a95896a3d6940e0d68f Mon Sep 17 00:00:00 2001
From: Pawel Marczewski
Date: Fri, 10 Jan 2020 09:19:32 +0100
Subject: [PATCH] Update rule priorities for anti-spoofing
---
 network/ip6tables | 6 ++++--
 network/ip6tables-enabled | 6 ++++--
 network/iptables | 6 ++++--
 qubesagent/firewall.py | 14 +++++++-------
 4 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/network/ip6tables b/network/ip6tables
index 9e153e6..ba52047 100644
--- a/network/ip6tables
+++ b/network/ip6tables
@@ -1,8 +1,10 @@
 # Generated by ip6tables-save v1.4.14 on Tue Sep 25 16:00:20 2012
-*mangle
+*raw
 :QBS-PREROUTING - [0:0]
-:QBS-POSTROUTING - [0:0]
 -A PREROUTING -j QBS-PREROUTING
+COMMIT
+*mangle
+:QBS-POSTROUTING - [0:0
 -A POSTROUTING -j QBS-POSTROUTING
 COMMIT
 *filter
diff --git a/network/ip6tables-enabled b/network/ip6tables-enabled
index ab6e74d..49d1464 100644
--- a/network/ip6tables-enabled
+++ b/network/ip6tables-enabled
@@ -10,10 +10,12 @@
 -A POSTROUTING -o lo -j ACCEPT
 -A POSTROUTING -j MASQUERADE
 COMMIT
-*mangle
+*raw
 :QBS-PREROUTING - [0:0]
-:QBS-POSTROUTING - [0:0
 -A PREROUTING -j QBS-PREROUTING
+COMMIT
+*mangle
+:QBS-POSTROUTING - [0:0]
 -A POSTROUTING -j QBS-POSTROUTING
 COMMIT
 *filter
diff --git a/network/iptables b/network/iptables
index 1790d7f..377880d 100644
--- a/network/iptables
+++ b/network/iptables
@@ -11,10 +11,12 @@
 -A POSTROUTING -o lo -j ACCEPT
 -A POSTROUTING -j MASQUERADE
 COMMIT
-*mangle
+*raw
 :QBS-PREROUTING - [0:0]
-:QBS-POSTROUTING - [0:0
 -A PREROUTING -j QBS-PREROUTING
+COMMIT
+*mangle
+:QBS-POSTROUTING - [0:0]
 -A POSTROUTING -j QBS-POSTROUTING
 COMMIT
 # Completed on Mon Sep 6 08:57:46 2010
diff --git a/qubesagent/firewall.py b/qubesagent/firewall.py
index 2adf6bd..8a6be4c 100755
--- a/qubesagent/firewall.py
+++ b/qubesagent/firewall.py
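Review bot: The added `:QBS-POSTROUTING - [0:0` line in network/ip6tables is missing the closing bracket, while the same commit corrects exactly that in network/ip6tables-enabled and network/iptables (`:QBS-POSTROUTING - [0:0]`); unless this is an artifact of how the patch was captured, it should read `:QBS-POSTROUTING - [0:0]` so the three files stay consistent. ip6tables-restore's counter parsing is probably lenient enough to accept it, but a lenient parser is no reason to ship a malformed chain declaration in the rule file that forms the VM's anti-spoofing baseline. The three file hunks are otherwise identical in structure, so diffing them against each other is the cheapest check that they stay in step.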
@@ -411,12 +411,12 @@ class IptablesWorker(FirewallWorker):
         self.apply_rules_family(source, rules, 4)
     def update_connected_ips(self, family):
-        self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-PREROUTING'])
+        self.run_ipt(family, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
         self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
         for ip in self.get_connected_ips(family):
             self.run_ipt(family, [
-                '-t', 'mangle', '-A', 'QBS-PREROUTING',
+                '-t', 'raw', '-A', 'QBS-PREROUTING',
                 '!', '-i', 'vif+', '-s', ip, '-j', 'DROP'])
             self.run_ipt(family, [
                 '-t', 'mangle', '-A', 'QBS-POSTROUTING',
@@ -431,14 +431,14 @@ class IptablesWorker(FirewallWorker):
             self.run_ipt(4, ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
             self.run_ipt(4, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
-            self.run_ipt(4, ['-t', 'mangle', '-F', 'QBS-PREROUTING'])
+            self.run_ipt(4, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
             self.run_ipt(4, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
             self.run_ipt(6, ['-F', 'QBS-FORWARD'])
             self.run_ipt(6, ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
             self.run_ipt(6, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
-            self.run_ipt(6, ['-t', 'mangle', '-F', 'QBS-PREROUTING'])
+            self.run_ipt(6, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
             self.run_ipt(6, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
         except subprocess.CalledProcessError:
             self.log_error(
@@ -451,7 +451,7 @@ class IptablesWorker(FirewallWorker):
     def cleanup(self):
         for family in (4, 6):
             self.run_ipt(family, ['-F', 'QBS-FORWARD'])
-            self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-PREROUTING'])
+            self.run_ipt(family, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
             self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
             for chain in self.chains[family]:
                 self.run_ipt(family, ['-F', chain])
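Review bot: The table QBS-PREROUTING lives in is now the bare literal `'raw'` at five call sites across the three hunks here (update_connected_ips, the init block at @@ -431, and cleanup), with nothing tying it to the `*raw` declaration in network/iptables; a module-level constant such as `PREROUTING_TABLE = 'raw'` used as `['-t', PREROUTING_TABLE, '-F', 'QBS-PREROUTING']` would keep the agent and the shipped rule files from drifting apart on the next change. The first flush in update_connected_ips is not inside any try visible in the hunk, so on a VM whose ruleset was still loaded from the old files (chain in mangle, not raw) it would presumably raise CalledProcessError instead of being logged the way the @@ -431 block handles it — worth confirming the caller tolerates that. A one-line comment on why the chain moved would also help, e.g. `# raw table: the anti-spoofing DROP runs before conntrack, so spoofed packets never create state`. update_connected_ips and cleanup continue past their hunks, and the @@ -431 try block begins before its hunk.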
@@ -682,11 +682,11 @@ class NftablesWorker(FirewallWorker):
             ' meta iifname != "vif*" accept\n'
             ' }}\n'
             ' chain prerouting {{\n'
-            ' type filter hook prerouting priority 0;\n'
+            ' type filter hook prerouting priority -300;\n'
             ' policy accept;\n'
             ' }}\n'
             ' chain postrouting {{\n'
-            ' type filter hook postrouting priority 0;\n'
+            ' type filter hook postrouting priority -300;\n'
             ' policy accept;\n'
             ' }}\n'
             '}}\n'
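Review bot: `-300` appears twice in this hunk as a bare magic number with no comment explaining it; it is NF_IP_PRI_RAW, the slot the iptables raw table hooks at, which is what makes the prerouting chain run before conntrack (-200) and mirrors the `-t raw` change on the iptables side, and a reader of the string literal cannot see that. Suggest a Python comment next to the literal in the enclosing method, e.g. `# -300 == NF_IP_PRI_RAW: before conntrack, same slot as the iptables raw table`. For the postrouting chain the new value still sits before srcnat just as 0 did, so if that change is only for symmetry with prerouting the comment should say so. If the nft shipped in the templates is recent enough, the named priority `raw` would be self-documenting, but that depends on a version not visible here. The format string belongs to a method that starts before the hunk.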