Qubes/gsoc
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

srchosts note

Browse Source
This commit is contained in:
Giulio 2021-06-22 12:04:31 +02:00
parent da33365f07
commit 052c780bfe
1 changed files with 17 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
Readme.md
View File

@ -134,6 +134,9 @@ Of course `expire=` and `comment=` are optional fields.
### Required rules ### Required rules
#### External
***srchost and srcports support yet to be written here ***
In `<networkvm>`: In `<networkvm>`:
``` ```
@ -150,6 +153,20 @@ iptables -I FORWARD 2 -i <interface> -d <appvm_ip> -p tcp --dport <target_port>
nft add rule ip qubes-firewall forward meta iifname <interface> ip daddr <appvm_ip> tcp dport <target_port> ct state new counter accept nft add rule ip qubes-firewall forward meta iifname <interface> ip daddr <appvm_ip> tcp dport <target_port> ct state new counter accept
``` ```
in `<appvm>`:
```
iptables -w -I INPUT 5 -d <appvm_ip> -p tcp --dport <target_port> -m conntrack --ctstate NEW -j ACCEPT
```
#### Internal
In `<firewallvm>`:
```
iptables -t nat -A PREROUTING -i <interface> -p tcp --dport <target_port> -d <firewallvm_ip> -j DNAT --to-destination <appvm_ip>
iptables -I FORWARD 2 -i <interface> -d <appvm_ip> -p tcp --dport <target_port> -m conntrack --ctstate NEW -j ACCEPT
nft add rule ip qubes-firewall forward meta iifname <interface> ip daddr <appvm_ip> tcp dport <target_port> ct state new counter accept
```
in `<appvm>`: in `<appvm>`:
``` ```
iptables -w -I INPUT 5 -d <appvm_ip> -p tcp --dport <target_port> -m conntrack --ctstate NEW -j ACCEPT iptables -w -I INPUT 5 -d <appvm_ip> -p tcp --dport <target_port> -m conntrack --ctstate NEW -j ACCEPT