715693b93d
If IPv6 is configured in the VM, and it is providing network to others, apply IPv6 firewall similar to the IPv4 one (including NAT for outgoing traffic), instead of blocking everything. Also, enable IP forwarding for IPv6 in such a case. Fixes QubesOS/qubes-issues#718
32 lines
903 B
Plaintext
# ip6tables-restore format: "*table" opens a table, ":CHAIN POLICY [pkts:bytes]"
# declares a chain (policy "-" marks a user-defined chain), COMMIT ends the table.
# Lines starting with "#" are ignored by ip6tables-restore.
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PR-QBS - [0:0]
:PR-QBS-SERVICES - [0:0]
# Hooks for Qubes-managed PREROUTING (DNAT) rules; both chains are empty in this file
-A PREROUTING -j PR-QBS
-A PREROUTING -j PR-QBS-SERVICES
# No source NAT for traffic towards client VMs (vif+) or loopback; everything else
# leaving the VM, i.e. via the uplink, is masqueraded, mirroring the IPv4 ruleset
-A POSTROUTING -o vif+ -j ACCEPT
-A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:QBS-FORWARD - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Client VMs must not be able to reconfigure this VM's routing: drop Router
# Advertisements and Redirects arriving on vif+ before the general ICMPv6 accept
-A INPUT -i vif+ -p icmpv6 --icmpv6-type router-advertisement -j DROP
-A INPUT -i vif+ -p icmpv6 --icmpv6-type redirect -j DROP
-A INPUT -i vif+ -p icmpv6 -j ACCEPT
# Anything else from a client VM is rejected (ICMPv6 admin-prohibited) rather than
# silently dropped, so the client fails fast
-A INPUT -i vif+ -j REJECT --reject-with icmp6-adm-prohibited
# ICMPv6 from any other interface (the uplink) is accepted, including the RAs this
# VM needs for its own address configuration; everything else falls to the DROP policy
-A INPUT -p icmpv6 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# User-defined chain for per-VM firewall rules; empty in this file
-A FORWARD -j QBS-FORWARD
# No direct traffic between client VMs; any other traffic from a client VM is forwarded
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -j DROP
COMMIT
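The ruleset relies on rule order as much as on the rules themselves: the Router Advertisement and Redirect drops only work because they sit above the rule that accepts any ICMPv6 from vif+, and the vif+ to vif+ DROP only works because it precedes the vif+ ACCEPT. As an added example, not part of the Qubes repository or this commit, the following Python lint parses the ruleset above as ip6tables-restore text and checks those ordering properties plus the default-deny policies. It also builds a deliberately weakened copy (constructed here, not a real Qubes configuration) in which the blanket vif+ ICMPv6 accept precedes the RA and Redirect drops, so those packets from a client VM would reach the host's IPv6 stack instead of being dropped, and shows the check catching it. The names `parse_ruleset`, `find`, `audit` and `weaken` are this example's own.

```python
"""Offline lint for an ip6tables-restore ruleset (added example, not Qubes code)."""
import shlex
# Ruleset as shown on the page (ip6tables-save format); the lint only reads text.
RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PR-QBS - [0:0]
:PR-QBS-SERVICES - [0:0]
-A PREROUTING -j PR-QBS
-A PREROUTING -j PR-QBS-SERVICES
-A POSTROUTING -o vif+ -j ACCEPT
-A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:QBS-FORWARD - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i vif+ -p icmpv6 --icmpv6-type router-advertisement -j DROP
-A INPUT -i vif+ -p icmpv6 --icmpv6-type redirect -j DROP
-A INPUT -i vif+ -p icmpv6 -j ACCEPT
-A INPUT -i vif+ -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p icmpv6 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j QBS-FORWARD
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""

def parse_rule(tokens):
    """'-i vif+ -j DROP' -> {'-i': 'vif+', '-j': 'DROP'}; one value per option, no '!'."""
    if len(tokens) % 2 or any(not t.startswith('-') for t in tokens[::2]):
        raise ValueError(f"unsupported rule syntax: {' '.join(tokens)}")
    return dict(zip(tokens[::2], tokens[1::2]))

def parse_ruleset(text):
    """Return {table: {chain: {'policy': str, 'rules': [rule, ...]}}} in file order."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('*'):
            table = tables.setdefault(line[1:], {})
        elif line.startswith(':'):
            name, policy, _counters = line[1:].split()  # policy '-' = user chain
            table[name] = {'policy': policy, 'rules': []}
        elif line == 'COMMIT':
            table = None
        elif line.startswith('-A '):
            tokens = shlex.split(line)
            table[tokens[1]]['rules'].append(parse_rule(tokens[2:]))
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    return tables

def find(chain, criteria):
    """Index of the first rule matching every option/value pair, or None."""
    return next((i for i, r in enumerate(chain['rules'])
                 if all(r.get(k) == v for k, v in criteria.items())), None)

def audit(tables):
    """Return a list of findings; an empty list means every check passed."""
    empty = {'policy': '-', 'rules': []}
    filt = tables.get('filter', {})
    inp, fwd = filt.get('INPUT', empty), filt.get('FORWARD', empty)
    findings = [f"filter {n} policy is not DROP" for n, c in (('INPUT', inp), ('FORWARD', fwd))
                if c['policy'] != 'DROP']
    # RA/redirect drops must sit above the rule accepting any ICMPv6 from vif+.
    icmp_any = find(inp, {'-i': 'vif+', '-p': 'icmpv6', '-j': 'ACCEPT'})
    for kind in ('router-advertisement', 'redirect'):
        drop = find(inp, {'-i': 'vif+', '--icmpv6-type': kind, '-j': 'DROP'})
        if drop is None or (icmp_any is not None and drop > icmp_any):
            findings.append(f"ICMPv6 {kind} from vif+ is not dropped before vif+ ICMPv6 is accepted")
    block = find(fwd, {'-i': 'vif+', '-o': 'vif+', '-j': 'DROP'})
    allow = find(fwd, {'-i': 'vif+', '-j': 'ACCEPT'})
    if block is None or (allow is not None and block > allow):
        findings.append("vif+ to vif+ forwarding is not blocked before vif+ traffic is accepted")
    return findings

def weaken(text):
    """Constructed failing variant: blanket vif+ ICMPv6 accept moved above the RA/redirect drops."""
    lines, accept = text.splitlines(), '-A INPUT -i vif+ -p icmpv6 -j ACCEPT'
    lines.remove(accept)
    lines.insert(lines.index('-A INPUT -i vif+ -p icmpv6 --icmpv6-type router-advertisement -j DROP'), accept)
    return '\n'.join(lines) + '\n'

if __name__ == '__main__':
    print(audit(parse_ruleset(RULESET)) or 'OK', audit(parse_ruleset(weaken(RULESET))), sep='\n')
```

Run against the page's ruleset the audit returns no findings; against the weakened copy it reports both the Router Advertisement and the Redirect drop as ineffective, because the terminating ACCEPT above them would already have matched. The same check can be pointed at `ip6tables-save` output from a running VM, since that is the format the parser reads.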