create firewall rules for incoming traffic

2025-06-06 18:08:33 +02:00 · 2017-01-20 14:38:20 +01:00 · 2017-01-20 14:38:20 +01:00 · dfd2ac1ff6
commit dfd2ac1ff6
parent 3847a37456
2 changed files with 43 additions and 1 deletions
--- a/readme.lamuse
+++ b/readme.lamuse
@ -0,0 +1,9 @@
+Great work, Rudd-O!
+
+changes to src/usr/lib64/python2.7/site-packages/qubes/modules/007FortressQubesProxyVm.py:
+
+If the server VM gets firewall rules besides of "allow all", those rules were only honored for outgoing traffic in the original code.
+My code also creates rules for incoming traffic in the proxy VM and the server VM.
+
+It may not be perfect, but it works for me.
+My code is GPL, of course.
--- a/src/usr/lib64/python2.7/site-packages/qubes/modules/007FortressQubesProxyVm.py
+++ b/src/usr/lib64/python2.7/site-packages/qubes/modules/007FortressQubesProxyVm.py
@ -102,7 +102,7 @@ class QubesProxyVm(OriginalQubesProxyVm):
                        ruletext += "/{0}".format(rule["netmask"])

                    if rule["proto"] is not None and rule["proto"] != "any":
-                        ruletext += " -p {0}".format(rule["proto"])
+                        ruletext += " -p {0}".format(rule["proto"]), fuer 
                        if rule["portBegin"] is not None and rule["portBegin"] > 0:
                            ruletext += " --dport {0}".format(rule["portBegin"])
                            if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]:
@ -113,6 +113,7 @@ class QubesProxyVm(OriginalQubesProxyVm):
                    vm_iptables += "-A FORTRESS-INPUT " + ruletext
                    continue

+		# outgoing connections for proxy-vm
                iptables += "-A PR-QBS-FORWARD -s {0} -d {1}".format(ip, rule["address"])
                if rule["netmask"] != 32:
                    iptables += "/{0}".format(rule["netmask"])
@ -126,6 +127,38 @@ class QubesProxyVm(OriginalQubesProxyVm):

                iptables += " -j {0}\n".format(rules_action)

+		# incoming connections for proxy-vm
+                iptables += "-A PR-QBS-FORWARD -s {0}".format(rule["address"])
+                if rule["netmask"] != 32:
+                    iptables += "/{0}".format(rule["netmask"])
+                iptables += " -d {0}".format(ip)
+
+                if rule["proto"] is not None and rule["proto"] != "any":
+                    iptables += " -p {0}".format(rule["proto"])
+                    if rule["portBegin"] is not None and rule["portBegin"] > 0:
+                        iptables += " --dport {0}".format(rule["portBegin"])
+                        if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]:
+                            iptables += ":{0}".format(rule["portEnd"])
+
+                iptables += " -j {0}\n".format(rules_action)
+
+		# incoming connections for server VM
+                vm_iptables += "-A FORTRESS-INPUT -s {0}".format(rule["address"])
+                if rule["netmask"] != 32:
+                    vm_iptables += "/{0}".format(rule["netmask"])
+                vm_iptables += " -d {0}".format(ip)
+
+                if rule["proto"] is not None and rule["proto"] != "any":
+                    vm_iptables += " -p {0}".format(rule["proto"])
+                    if rule["portBegin"] is not None and rule["portBegin"] > 0:
+                        vm_iptables += " --dport {0}".format(rule["portBegin"])
+                        if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]:
+                            vm_iptables += ":{0}".format(rule["portEnd"])
+
+                vm_iptables += " -j {0}\n".format(rules_action)
+
+                vms_rulesets.append((vm, vm_iptables))
+
            if conf["allowDns"] and self.netvm is not None:
                # PREROUTING does DNAT to NetVM DNSes, so we need self.netvm.
                # properties