63d8065e4f
Packets detected as INVALID are ignored by NAT, so if they are not dropped, packets with internal source IPs can leak to the outside network. See: https://bugzilla.netfilter.org/show_bug.cgi?id=693 http://www.smythies.com/~doug/network/iptables_notes/ Fixes QubesOS/qubes-issues#5596.
42 lines
1.1 KiB
Plaintext
42 lines
1.1 KiB
Plaintext
*nat
|
|
:PREROUTING ACCEPT [0:0]
|
|
:OUTPUT ACCEPT [0:0]
|
|
:POSTROUTING ACCEPT [0:0]
|
|
:PR-QBS - [0:0]
|
|
:PR-QBS-SERVICES - [0:0]
|
|
-A PREROUTING -j PR-QBS
|
|
-A PREROUTING -j PR-QBS-SERVICES
|
|
-A POSTROUTING -o vif+ -j ACCEPT
|
|
-A POSTROUTING -o lo -j ACCEPT
|
|
-A POSTROUTING -j MASQUERADE
|
|
COMMIT
|
|
*raw
|
|
:QBS-PREROUTING - [0:0]
|
|
-A PREROUTING -j QBS-PREROUTING
|
|
COMMIT
|
|
*mangle
|
|
:QBS-POSTROUTING - [0:0]
|
|
-A POSTROUTING -j QBS-POSTROUTING
|
|
COMMIT
|
|
*filter
|
|
:INPUT DROP [0:0]
|
|
:FORWARD DROP [0:0]
|
|
:OUTPUT ACCEPT [0:0]
|
|
:QBS-FORWARD - [0:0]
|
|
-A INPUT -m state --state INVALID -j DROP
|
|
-A INPUT -i lo -j ACCEPT
|
|
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
-A INPUT -i vif+ -p icmpv6 --icmpv6-type router-advertisement -j DROP
|
|
-A INPUT -i vif+ -p icmpv6 --icmpv6-type redirect -j DROP
|
|
-A INPUT -i vif+ -p icmpv6 -j ACCEPT
|
|
-A INPUT -i vif+ -j REJECT --reject-with icmp6-adm-prohibited
|
|
-A INPUT -p icmpv6 -j ACCEPT
|
|
-A INPUT -j DROP
|
|
-A FORWARD -m state --state INVALID -j DROP
|
|
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
-A FORWARD -j QBS-FORWARD
|
|
-A FORWARD -i vif+ -o vif+ -j DROP
|
|
-A FORWARD -i vif+ -j ACCEPT
|
|
-A FORWARD -j DROP
|
|
COMMIT
|