952d2f1d8e
qubes_setup_dnat_to_ns script sets up DNAT rules for DNS traffic; it is triggered by dhclient or NetworkManager, and manually (in case there is a static resolv.conf). Put IP-dependent rules in qubes-core, after local ip is known. It could be further improved by introducing custom chains, to enable iptables save. Restrict FORWARD.
21 lines
608 B
Plaintext
# Generated by iptables-save v1.4.5 on Thu May 20 06:02:32 2010
*nat
:PREROUTING ACCEPT [2:362]
:POSTROUTING ACCEPT [4:228]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Thu May 20 06:02:32 2010
# Generated by iptables-save v1.4.5 on Thu May 20 06:02:32 2010
*filter
:INPUT ACCEPT [3:84]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i br+ -p udp -m udp --dport 68 -j DROP
-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -i br+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
COMMIT
# Completed on Thu May 20 06:02:32 2010
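As an added example (not part of the Qubes commit or its code base), the Python below parses the filter table of the iptables-save file above and traces constructed packets through the INPUT and FORWARD chains, so the effect of "Restrict FORWARD" (the terminal DROP behind the vif+/br+ and RELATED,ESTABLISHED accepts) and of the DHCP-port drops can be checked offline. The packet descriptions and interface names such as eth0 and vif3.0 are assumptions; only the matches this ruleset uses are modelled.

```python
# Added example (not from the Qubes commit): trace packets through the filter table above.
# Filter table copied from the file above; the nat table carries no rules.
RULESET = """\
*filter
:INPUT ACCEPT [3:84]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i br+ -p udp -m udp --dport 68 -j DROP
-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -i br+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
"""


def parse_filter(text):
    """Return ({chain: policy}, [rule option dicts]) for the *filter table."""
    chains, rules, in_filter = {}, [], False
    for line in text.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name] = policy
        elif in_filter and line.startswith("-A"):
            tokens = line.split()  # every option in this file takes exactly one value
            rules.append(dict(zip(tokens[0::2], tokens[1::2])))
    return chains, rules


def iface_match(pattern, iface):
    """An iptables '+' suffix matches any interface name with that prefix."""
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else iface == pattern


def rule_matches(r, pkt):
    """Modelled matches: -i, -p, --dport, --state; an absent option matches any packet."""
    return ("-i" not in r or iface_match(r["-i"], pkt.get("in", ""))) \
        and ("-p" not in r or r["-p"] == pkt.get("proto")) \
        and ("--dport" not in r or int(r["--dport"]) == pkt.get("dport")) \
        and ("--state" not in r or pkt.get("state") in r["--state"].split(","))


def verdict(chain, pkt, text=RULESET):
    """Target of the first matching rule in `chain`, else the chain's default policy."""
    chains, rules = parse_filter(text)
    for r in rules:
        if r["-A"] == chain and rule_matches(r, pkt):
            return r["-j"]
    return chains[chain]
```

A NEW connection arriving on the uplink (constructed packet `{"in": "eth0", "state": "NEW"}`) reaches the final rule and gets DROP, while the same packet from `vif3.0` is accepted by the first FORWARD rule.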