715693b93d
If IPv6 is configured in the VM, and it is providing network to others, apply IPv6 firewall similar to the IPv4 one (including NAT for outgoing traffix), instead of blocking everything. Also, enable IP forwarding for IPv6 in such a case. Fixes QubesOS/qubes-issues#718
32 wiersze
903 B
Plaintext
32 wiersze
903 B
Plaintext
*nat
|
|
:PREROUTING ACCEPT [0:0]
|
|
:OUTPUT ACCEPT [0:0]
|
|
:POSTROUTING ACCEPT [0:0]
|
|
:PR-QBS - [0:0]
|
|
:PR-QBS-SERVICES - [0:0]
|
|
-A PREROUTING -j PR-QBS
|
|
-A PREROUTING -j PR-QBS-SERVICES
|
|
-A POSTROUTING -o vif+ -j ACCEPT
|
|
-A POSTROUTING -o lo -j ACCEPT
|
|
-A POSTROUTING -j MASQUERADE
|
|
COMMIT
|
|
*filter
|
|
:INPUT DROP [0:0]
|
|
:FORWARD DROP [0:0]
|
|
:OUTPUT ACCEPT [0:0]
|
|
:QBS-FORWARD - [0:0]
|
|
-A INPUT -i lo -j ACCEPT
|
|
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
-A INPUT -i vif+ -p icmpv6 --icmpv6-type router-advertisement -j DROP
|
|
-A INPUT -i vif+ -p icmpv6 --icmpv6-type redirect -j DROP
|
|
-A INPUT -i vif+ -p icmpv6 -j ACCEPT
|
|
-A INPUT -i vif+ -j REJECT --reject-with icmp6-adm-prohibited
|
|
-A INPUT -p icmpv6 -j ACCEPT
|
|
-A INPUT -j DROP
|
|
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
-A FORWARD -j QBS-FORWARD
|
|
-A FORWARD -i vif+ -o vif+ -j DROP
|
|
-A FORWARD -i vif+ -j ACCEPT
|
|
-A FORWARD -j DROP
|
|
COMMIT
|