Update rule priorities for anti-spoofing

This commit is contained in:
Pawel Marczewski 2020-01-10 09:19:32 +01:00
parent c1d8d7bce1
commit cd19073d50
No known key found for this signature in database
GPG Key ID: DE42EE9B14F96465
4 changed files with 19 additions and 13 deletions


@ -1,8 +1,10 @@
# Generated by ip6tables-save v1.4.14 on Tue Sep 25 16:00:20 2012 # Generated by ip6tables-save v1.4.14 on Tue Sep 25 16:00:20 2012
*mangle *raw
:QBS-PREROUTING - [0:0] :QBS-PREROUTING - [0:0]
:QBS-POSTROUTING - [0:0]
-A PREROUTING -j QBS-PREROUTING -A PREROUTING -j QBS-PREROUTING
COMMIT
*mangle
:QBS-POSTROUTING - [0:0
-A POSTROUTING -j QBS-POSTROUTING -A POSTROUTING -j QBS-POSTROUTING
COMMIT COMMIT
*filter *filter
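Review bot: The chain declaration `:QBS-POSTROUTING - [0:0` on the new side of the mangle table is missing its closing bracket; if that is not a rendering artefact of this page, iptables-restore will reject the whole file and the anti-spoofing chains will not be created at boot. The same truncated line appears at the same spot in the other two rule files in this commit. The reason for splitting QBS-PREROUTING out of mangle is not recorded anywhere in the file, so a comment above the `*raw` line would help the next reader, e.g. `# QBS-PREROUTING lives in the raw table so the anti-spoofing DROP rules run before conntrack (hook priority -300), matching the nftables backend`.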


@ -10,10 +10,12 @@
-A POSTROUTING -o lo -j ACCEPT -A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -j MASQUERADE -A POSTROUTING -j MASQUERADE
COMMIT COMMIT
*mangle *raw
:QBS-PREROUTING - [0:0] :QBS-PREROUTING - [0:0]
:QBS-POSTROUTING - [0:0
-A PREROUTING -j QBS-PREROUTING -A PREROUTING -j QBS-PREROUTING
COMMIT
*mangle
:QBS-POSTROUTING - [0:0]
-A POSTROUTING -j QBS-POSTROUTING -A POSTROUTING -j QBS-POSTROUTING
COMMIT COMMIT
*filter *filter


@ -11,10 +11,12 @@
-A POSTROUTING -o lo -j ACCEPT -A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -j MASQUERADE -A POSTROUTING -j MASQUERADE
COMMIT COMMIT
*mangle *raw
:QBS-PREROUTING - [0:0] :QBS-PREROUTING - [0:0]
:QBS-POSTROUTING - [0:0
-A PREROUTING -j QBS-PREROUTING -A PREROUTING -j QBS-PREROUTING
COMMIT
*mangle
:QBS-POSTROUTING - [0:0]
-A POSTROUTING -j QBS-POSTROUTING -A POSTROUTING -j QBS-POSTROUTING
COMMIT COMMIT
# Completed on Mon Sep 6 08:57:46 2010 # Completed on Mon Sep 6 08:57:46 2010


@ -411,12 +411,12 @@ class IptablesWorker(FirewallWorker):
self.apply_rules_family(source, rules, 4) self.apply_rules_family(source, rules, 4)
def update_connected_ips(self, family): def update_connected_ips(self, family):
self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-PREROUTING']) self.run_ipt(family, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-POSTROUTING']) self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
for ip in self.get_connected_ips(family): for ip in self.get_connected_ips(family):
self.run_ipt(family, [ self.run_ipt(family, [
'-t', 'mangle', '-A', 'QBS-PREROUTING', '-t', 'raw', '-A', 'QBS-PREROUTING',
'!', '-i', 'vif+', '-s', ip, '-j', 'DROP']) '!', '-i', 'vif+', '-s', ip, '-j', 'DROP'])
self.run_ipt(family, [ self.run_ipt(family, [
'-t', 'mangle', '-A', 'QBS-POSTROUTING', '-t', 'mangle', '-A', 'QBS-POSTROUTING',
@ -431,14 +431,14 @@ class IptablesWorker(FirewallWorker):
self.run_ipt(4, self.run_ipt(4,
['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN']) ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
self.run_ipt(4, ['-A', 'QBS-FORWARD', '-j', 'DROP']) self.run_ipt(4, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
self.run_ipt(4, ['-t', 'mangle', '-F', 'QBS-PREROUTING']) self.run_ipt(4, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
self.run_ipt(4, ['-t', 'mangle', '-F', 'QBS-POSTROUTING']) self.run_ipt(4, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
self.run_ipt(6, ['-F', 'QBS-FORWARD']) self.run_ipt(6, ['-F', 'QBS-FORWARD'])
self.run_ipt(6, self.run_ipt(6,
['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN']) ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
self.run_ipt(6, ['-A', 'QBS-FORWARD', '-j', 'DROP']) self.run_ipt(6, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
self.run_ipt(6, ['-t', 'mangle', '-F', 'QBS-PREROUTING']) self.run_ipt(6, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
self.run_ipt(6, ['-t', 'mangle', '-F', 'QBS-POSTROUTING']) self.run_ipt(6, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
except subprocess.CalledProcessError: except subprocess.CalledProcessError:
self.log_error( self.log_error(
@ -451,7 +451,7 @@ class IptablesWorker(FirewallWorker):
def cleanup(self): def cleanup(self):
for family in (4, 6): for family in (4, 6):
self.run_ipt(family, ['-F', 'QBS-FORWARD']) self.run_ipt(family, ['-F', 'QBS-FORWARD'])
self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-PREROUTING']) self.run_ipt(family, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-POSTROUTING']) self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
for chain in self.chains[family]: for chain in self.chains[family]:
self.run_ipt(family, ['-F', chain]) self.run_ipt(family, ['-F', chain])
@ -682,11 +682,11 @@ class NftablesWorker(FirewallWorker):
' meta iifname != "vif*" accept\n' ' meta iifname != "vif*" accept\n'
' }}\n' ' }}\n'
' chain prerouting {{\n' ' chain prerouting {{\n'
' type filter hook prerouting priority 0;\n' ' type filter hook prerouting priority -300;\n'
' policy accept;\n' ' policy accept;\n'
' }}\n' ' }}\n'
' chain postrouting {{\n' ' chain postrouting {{\n'
' type filter hook postrouting priority 0;\n' ' type filter hook postrouting priority -300;\n'
' policy accept;\n' ' policy accept;\n'
' }}\n' ' }}\n'
'}}\n' '}}\n'
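Review bot: In the `update_connected_ips` hunk the QBS-PREROUTING chain is flushed with `-F` and then rebuilt one `-A ... -j DROP` per connected IP, so between the flush and the last append no anti-spoofing rule is installed for those addresses; moving the chain from mangle to raw does not narrow that window, and the same flush-then-rebuild shape is in the init hunk and in `cleanup`. Consider rendering the chain contents once and applying them in a single `iptables-restore --noflush` transaction so the DROP rules are replaced atomically rather than rule by rule. The choice of table is also undocumented in the code; a comment on the `'-t', 'raw'` arguments such as `# raw table (priority -300) runs before conntrack, so spoofed packets are dropped before they can create state; matches the nftables chain priorities` would tie the iptables and nftables workers together. `update_connected_ips` continues past the end of its hunk, as does the try/except block in the init hunk.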