c0f47663c8
Plus: - dedicated chain for DNAT to nameservers - prevent inter-VM networking. Can be conveniently overridden where necessary by inserting ACCEPT clauses (per VM, probably) at the top of FORWARD
#!/bin/sh
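#######################################
# Record the PR-QBS DNAT rule for one upstream nameserver.
# Globals:   FIRSTONE (read, then set to "no"), NS1 and NS2 (read),
#            RULE1, RULE2 and NS (written)
# Arguments: $1 - nameserver address, as read from /etc/resolv.conf
# Returns:   0 when a rule was recorded, 1 when $1 was rejected
#
# First call: UDP/53 traffic to the virtual resolver NS1 is redirected to $1.
# Second call: the same for NS2. $1 is spliced verbatim into the text fed to
# iptables-restore, so only a dotted-decimal address is accepted -- an empty
# value or one containing spaces would become extra rule tokens.
#######################################
addrule()
{
  case "$1" in
    '' | *[!0-9.]*) return 1 ;;
  esac
  if [ "$FIRSTONE" = yes ] ; then
    FIRSTONE=no
    RULE1="-A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $1"
  else
    RULE2="-A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $1"
    # NS is not read anywhere in this file; kept as-is for compatibility.
    NS=$NS2
  fi
  return 0
}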
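export PATH=$PATH:/sbin:/bin

# Defines NS1/NS2, the virtual resolver addresses handed out to VMs. Use "."
# rather than "source": this script runs under /bin/sh, where "source" is not
# a POSIX builtin.
. /var/run/qubes/qubes_ns

# No virtual resolver configured -> nothing to redirect.
if [ -z "$NS1" ] ; then exit ; fi

# Start from an empty PR-QBS chain; the rules are re-appended below with
# iptables-restore -n (no flush), so a failed flush must not be ignored.
iptables -t nat -F PR-QBS || exit 1

FIRSTONE=yes

# Map the first two real nameservers from resolv.conf onto NS1/NS2. The loop is
# the last stage of a pipeline and therefore runs in a subshell: RULE1/RULE2 are
# only visible inside the parentheses, so iptables-restore is driven from there.
# Only rules that were actually recorded are emitted (a nameserver line that
# addrule rejects leaves its RULE variable empty).
grep '^nameserver' /etc/resolv.conf | head -2 |
(
  while read -r x y z ; do
    addrule "$y"
  done
  {
    echo "*nat"
    [ -n "$RULE1" ] && printf '%s\n' "$RULE1"
    [ -n "$RULE2" ] && printf '%s\n' "$RULE2"
    echo COMMIT
  } | iptables-restore -n
)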