From dfd2ac1ff69d1d109dd996e3d7a964c46cb98944 Mon Sep 17 00:00:00 2001
From: lamuse
Date: Fri, 20 Jan 2017 14:38:20 +0100
Subject: [PATCH] create firewall rules for incoming traffic

---
 readme.lamuse | 9 +++++
 .../qubes/modules/007FortressQubesProxyVm.py | 35 ++++++++++++++++++-
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 readme.lamuse

diff --git a/readme.lamuse b/readme.lamuse
new file mode 100644
index 0000000..27aea0e
--- /dev/null
+++ b/readme.lamuse
@@ -0,0 +1,9 @@
+Great work, Rudd-O!
+
+changes to src/usr/lib64/python2.7/site-packages/qubes/modules/007FortressQubesProxyVm.py:
+
+If the server VM gets firewall rules besides of "allow all", those rules were only honored for outgoing traffic in the original code.
+My code also creates rules for incoming traffic in the proxy VM and the server VM.
+
+It may not be perfect, but it works for me.
+My code is GPL, of course.
diff --git a/src/usr/lib64/python2.7/site-packages/qubes/modules/007FortressQubesProxyVm.py b/src/usr/lib64/python2.7/site-packages/qubes/modules/007FortressQubesProxyVm.py
index 1e541b5..46335da 100644
--- a/src/usr/lib64/python2.7/site-packages/qubes/modules/007FortressQubesProxyVm.py
+++ b/src/usr/lib64/python2.7/site-packages/qubes/modules/007FortressQubesProxyVm.py
@@ -102,7 +102,7 @@ class QubesProxyVm(OriginalQubesProxyVm):
 ruletext += "/{0}".format(rule["netmask"])
 
 if rule["proto"] is not None and rule["proto"] != "any":
- ruletext += " -p {0}".format(rule["proto"])
+ ruletext += " -p {0}".format(rule["proto"]), fuer
 if rule["portBegin"] is not None and rule["portBegin"] > 0:
 ruletext += " --dport {0}".format(rule["portBegin"])
 if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]:
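Review bot: The replacement `-p` line in this hunk ends with `, fuer`, which makes the right-hand side of the `+=` a tuple and references a name that is defined nowhere in the file; under Python 2.7 this raises NameError the first time a rule carries a protocol other than "any", so the whole ruleset generation for that VM aborts instead of emitting the rule. Whether the caller then leaves the VM with no rules or with stale ones is not visible here, but either outcome is worse than the original line. It should read `ruletext += " -p {0}".format(rule["proto"])`, exactly as the removed line did and as the equivalent `-p` lines in the incoming-rule blocks added later in this file already do. The enclosing method begins before this hunk.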
@@ -113,6 +113,7 @@ class QubesProxyVm(OriginalQubesProxyVm): vm_iptables += "-A FORTRESS-INPUT " + ruletext continue + # outgoing connections for proxy-vm iptables += "-A PR-QBS-FORWARD -s {0} -d {1}".format(ip, rule["address"]) if rule["netmask"] != 32: iptables += "/{0}".format(rule["netmask"]) @@ -126,6 +127,38 @@ class QubesProxyVm(OriginalQubesProxyVm): iptables += " -j {0}\n".format(rules_action) + # incoming connections for proxy-vm + iptables += "-A PR-QBS-FORWARD -s {0}".format(rule["address"]) + if rule["netmask"] != 32: + iptables += "/{0}".format(rule["netmask"]) + iptables += " -d {0}".format(ip) + + if rule["proto"] is not None and rule["proto"] != "any": + iptables += " -p {0}".format(rule["proto"]) + if rule["portBegin"] is not None and rule["portBegin"] > 0: + iptables += " --dport {0}".format(rule["portBegin"]) + if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]: + iptables += ":{0}".format(rule["portEnd"]) + + iptables += " -j {0}\n".format(rules_action) + + # incoming connections for server VM + vm_iptables += "-A FORTRESS-INPUT -s {0}".format(rule["address"]) + if rule["netmask"] != 32: + vm_iptables += "/{0}".format(rule["netmask"]) + vm_iptables += " -d {0}".format(ip) + + if rule["proto"] is not None and rule["proto"] != "any": + vm_iptables += " -p {0}".format(rule["proto"]) + if rule["portBegin"] is not None and rule["portBegin"] > 0: + vm_iptables += " --dport {0}".format(rule["portBegin"]) + if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]: + vm_iptables += ":{0}".format(rule["portEnd"]) + + vm_iptables += " -j {0}\n".format(rules_action) + + vms_rulesets.append((vm, vm_iptables)) + if conf["allowDns"] and self.netvm is not None: # PREROUTING does DNAT to NetVM DNSes, so we need self.netvm. # properties
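Review bot: The added comment `# outgoing connections for proxy-vm` is ambiguous about whose connections it describes: the rule it annotates, `-A PR-QBS-FORWARD -s {ip} -d {address}`, is appended to the proxy VM's FORWARD chain and, as far as the hunk shows, matches traffic from `ip` (apparently the filtered VM's address — confirm against the loop header, which is outside the hunk) towards the rule's destination. A comment that names both the chain owner and the direction, e.g. `# proxy VM FORWARD chain: traffic from the VM (ip) to the rule's address, i.e. the VM's outgoing connections`, removes the ambiguity and makes the later "incoming" blocks easier to read against it. The enclosing method starts and ends outside this hunk.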