gaschz/qubes-network-server
1
0
Fork 0
mirror of https://github.com/Rudd-O/qubes-network-server.git synced 2025-06-06 18:08:33 +02:00
Code Issues Packages Projects Releases Wiki Activity

create firewall rules for incoming traffic

Browse Source
This commit is contained in:
lamuse 2017-01-20 14:38:20 +01:00
parent 3847a37456
commit dfd2ac1ff6
2 changed files with 43 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
readme.lamuse Normal file
View File

@ -0,0 +1,9 @@
Great work, Rudd-O!
changes to src/usr/lib64/python2.7/site-packages/qubes/modules/007FortressQubesProxyVm.py:
If the server VM gets firewall rules besides of "allow all", those rules were only honored for outgoing traffic in the original code.
My code also creates rules for incoming traffic in the proxy VM and the server VM.
It may not be perfect, but it works for me.
My code is GPL, of course.

35
src/usr/lib64/python2.7/site-packages/qubes/modules/007FortressQubesProxyVm.py
View File

@ -102,7 +102,7 @@ class QubesProxyVm(OriginalQubesProxyVm):
ruletext += "/{0}".format(rule["netmask"]) ruletext += "/{0}".format(rule["netmask"])
if rule["proto"] is not None and rule["proto"] != "any": if rule["proto"] is not None and rule["proto"] != "any":
ruletext += " -p {0}".format(rule["proto"]) ruletext += " -p {0}".format(rule["proto"]), fuer
if rule["portBegin"] is not None and rule["portBegin"] > 0: if rule["portBegin"] is not None and rule["portBegin"] > 0:
ruletext += " --dport {0}".format(rule["portBegin"]) ruletext += " --dport {0}".format(rule["portBegin"])
if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]: if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]:
@ -113,6 +113,7 @@ class QubesProxyVm(OriginalQubesProxyVm):
vm_iptables += "-A FORTRESS-INPUT " + ruletext vm_iptables += "-A FORTRESS-INPUT " + ruletext
continue continue
# outgoing connections for proxy-vm
iptables += "-A PR-QBS-FORWARD -s {0} -d {1}".format(ip, rule["address"]) iptables += "-A PR-QBS-FORWARD -s {0} -d {1}".format(ip, rule["address"])
if rule["netmask"] != 32: if rule["netmask"] != 32:
iptables += "/{0}".format(rule["netmask"]) iptables += "/{0}".format(rule["netmask"])
@ -126,6 +127,38 @@ class QubesProxyVm(OriginalQubesProxyVm):
iptables += " -j {0}\n".format(rules_action) iptables += " -j {0}\n".format(rules_action)
# incoming connections for proxy-vm
iptables += "-A PR-QBS-FORWARD -s {0}".format(rule["address"])
if rule["netmask"] != 32:
iptables += "/{0}".format(rule["netmask"])
iptables += " -d {0}".format(ip)
if rule["proto"] is not None and rule["proto"] != "any":
iptables += " -p {0}".format(rule["proto"])
if rule["portBegin"] is not None and rule["portBegin"] > 0:
iptables += " --dport {0}".format(rule["portBegin"])
if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]:
iptables += ":{0}".format(rule["portEnd"])
iptables += " -j {0}\n".format(rules_action)
# incoming connections for server VM
vm_iptables += "-A FORTRESS-INPUT -s {0}".format(rule["address"])
if rule["netmask"] != 32:
vm_iptables += "/{0}".format(rule["netmask"])
vm_iptables += " -d {0}".format(ip)
if rule["proto"] is not None and rule["proto"] != "any":
vm_iptables += " -p {0}".format(rule["proto"])
if rule["portBegin"] is not None and rule["portBegin"] > 0:
vm_iptables += " --dport {0}".format(rule["portBegin"])
if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]:
vm_iptables += ":{0}".format(rule["portEnd"])
vm_iptables += " -j {0}\n".format(rules_action)
vms_rulesets.append((vm, vm_iptables))
if conf["allowDns"] and self.netvm is not None: if conf["allowDns"] and self.netvm is not None:
# PREROUTING does DNAT to NetVM DNSes, so we need self.netvm. # PREROUTING does DNAT to NetVM DNSes, so we need self.netvm.
# properties # properties