63d8065e4f
Packets detected as INVALID are ignored by NAT, so if they are not dropped, packets with internal source IPs can leak to the outside network. See: https://bugzilla.netfilter.org/show_bug.cgi?id=693 http://www.smythies.com/~doug/network/iptables_notes/ Fixes QubesOS/qubes-issues#5596.
44 lines
1.2 KiB
Plaintext
44 lines
1.2 KiB
Plaintext
# Generated by iptables-save v1.4.5 on Mon Sep 6 08:57:46 2010
|
|
*nat
|
|
:PREROUTING ACCEPT [0:0]
|
|
:OUTPUT ACCEPT [0:0]
|
|
:POSTROUTING ACCEPT [0:0]
|
|
:PR-QBS - [0:0]
|
|
:PR-QBS-SERVICES - [0:0]
|
|
-A PREROUTING -j PR-QBS
|
|
-A PREROUTING -j PR-QBS-SERVICES
|
|
-A POSTROUTING -o vif+ -j ACCEPT
|
|
-A POSTROUTING -o lo -j ACCEPT
|
|
-A POSTROUTING -j MASQUERADE
|
|
COMMIT
|
|
*raw
|
|
:QBS-PREROUTING - [0:0]
|
|
-A PREROUTING -j QBS-PREROUTING
|
|
COMMIT
|
|
*mangle
|
|
:QBS-POSTROUTING - [0:0]
|
|
-A POSTROUTING -j QBS-POSTROUTING
|
|
COMMIT
|
|
# Completed on Mon Sep 6 08:57:46 2010
|
|
# Generated by iptables-save v1.4.5 on Mon Sep 6 08:57:46 2010
|
|
*filter
|
|
:INPUT DROP [0:0]
|
|
:FORWARD DROP [0:0]
|
|
:OUTPUT ACCEPT [0:0]
|
|
:QBS-FORWARD - [0:0]
|
|
-A INPUT -m state --state INVALID -j DROP
|
|
-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
|
|
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
-A INPUT -i vif+ -p icmp -j ACCEPT
|
|
-A INPUT -i lo -j ACCEPT
|
|
-A INPUT -i vif+ -j REJECT --reject-with icmp-host-prohibited
|
|
-A INPUT -j DROP
|
|
-A FORWARD -m state --state INVALID -j DROP
|
|
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
-A FORWARD -j QBS-FORWARD
|
|
-A FORWARD -i vif+ -o vif+ -j DROP
|
|
-A FORWARD -i vif+ -j ACCEPT
|
|
-A FORWARD -j DROP
|
|
COMMIT
|
|
# Completed on Mon Sep 6 08:57:46 2010
|