gaschz/qubes-network-server
1
0
Fork 0
mirror of https://github.com/Rudd-O/qubes-network-server.git synced 2025-06-06 18:08:33 +02:00
Code Issues Packages Projects Releases Wiki Activity
qubes-network-server/plugin/007FortressQubesProxyVm.py
Jean-Philippe Ouellet f07f98474f
Properly handle from-0.0.0.0/0 for whole internet 
For rules like this:
    [user@dom0 ~]$ qvm-static-ip -g net-testing static_ip
    192.168.1.123
    [user@dom0 ~]$ qvm-firewall -l net-testing
    Firewall policy: DENY all traffic except
    ICMP: ALLOW
    DNS: ALLOW
    Qubes yum proxy: DENY
    -----+---------------------+-------+---------+
     num |       address       | proto | port(s) |
    -----+---------------------+-------+---------+
      1  | from-0.0.0.0/0      | tcp   | http    |
      2  | from-0.0.0.0/0      | tcp   | https   |
      3  | 192.30.252.0/22     | tcp   | https   |
      4  | from-192.168.1.0/24 | tcp   | ssh     |

The following rules are observed before & after this patch (only
differing rules shown):

sys-firewall qubesdb-read /qubes-iptables-domainrules/${domid} before:
    -A PR-QBS-FORWARD -s 0.0.0.0 -d 192.168.1.123/0 -p tcp --dport 80 -j ACCEPT
    -A PR-QBS-FORWARD -s 0.0.0.0 -d 192.168.1.123/0 -p tcp --dport 443 -j ACCEPT
    -A PR-QBS-FORWARD -s 192.168.1.0 -d 192.168.1.123/24 -p tcp --dport 22 -j ACCEPT
after:
    -A PR-QBS-FORWARD -d 192.168.1.123 -p tcp --dport 80 -j ACCEPT
    -A PR-QBS-FORWARD -d 192.168.1.123 -p tcp --dport 443 -j ACCEPT
    -A PR-QBS-FORWARD -s 192.168.1.0/24 -d 192.168.1.123 -p tcp --dport 22 -j ACCEPT

sys-firewall iptables-save before:
    -A PR-QBS-FORWARD -s 0.0.0.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
    -A PR-QBS-FORWARD -s 0.0.0.0/32 -p tcp -m tcp --dport 443 -j ACCEPT
    -A PR-QBS-FORWARD -s 192.168.1.0/32 -d 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
after:
    -A PR-QBS-FORWARD -d 192.168.1.123/32 -p tcp -m tcp --dport 80 -j ACCEPT
    -A PR-QBS-FORWARD -d 192.168.1.123/32 -p tcp -m tcp --dport 443 -j ACCEPT
    -A PR-QBS-FORWARD -s 192.168.1.0/24 -d 192.168.1.123/32 -p tcp -m tcp --dport 22 -j ACCEPT

net-testing iptables-save before:
    -A FORTRESS-INPUT -s 0.0.0.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
    -A FORTRESS-INPUT -s 0.0.0.0/32 -p tcp -m tcp --dport 443 -j ACCEPT
    -A FORTRESS-INPUT -s 192.168.1.0/32 -d 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
after:
    -A FORTRESS-INPUT -d 192.168.1.123/32 -p tcp -m tcp --dport 80 -j ACCEPT
    -A FORTRESS-INPUT -d 192.168.1.123/32 -p tcp -m tcp --dport 443 -j ACCEPT
    -A FORTRESS-INPUT -s 192.168.1.0/24 -d 192.168.1.123/32 -p tcp -m tcp --dport 22 -j ACCEPT

sys-net: No changes.

Note that this also fixes an issue where the netmask in from- rules was
being applied to -d instead of -s.
2017-03-15 05:48:46 -04:00

194 lines
8.5 KiB
Python
Raw Blame History

#!/usr/bin/python2
# -*- coding: utf-8 -*-
#
# The Qubes OS Project, http://www.qubes-os.org
#
# Copyright (C) 2010 Joanna Rutkowska <joanna@invisiblethingslab.com>
# Copyright (C) 2013 Marek Marczykowski <marmarek@invisiblethingslab.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
#
from datetime import datetime
import sys
import libvirt
import pipes
from qubes.qubes import QubesProxyVm as OriginalQubesProxyVm
from qubes.qubes import register_qubes_vm_class,vmm,dry_run
from qubes.qubes import defaults,system_path,vm_files
from qubes.qubes import QubesVmCollection,QubesException
yum_proxy_ip = '10.137.255.254'
yum_proxy_port = '8082'
class QubesProxyVm(OriginalQubesProxyVm):
def write_iptables_qubesdb_entry(self):
self.qdb.rm("/qubes-iptables-domainrules/")
iptables = "# Generated by Qubes Core on {0}\n".format(datetime.now().ctime())
iptables += "*filter\n"
iptables += ":INPUT DROP [0:0]\n"
iptables += ":FORWARD DROP [0:0]\n"
iptables += ":OUTPUT ACCEPT [0:0]\n"
iptables += ":PR-QBS-FORWARD - [0:0]\n"
# Strict INPUT rules
iptables += "-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP\n"
iptables += "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED " \
"-j ACCEPT\n"
iptables += "-A INPUT -p icmp -j ACCEPT\n"
iptables += "-A INPUT -i lo -j ACCEPT\n"
iptables += "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n"
iptables += "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED " \
"-j ACCEPT\n"
# Allow dom0 networking
iptables += "-A FORWARD -i vif0.0 -j ACCEPT\n"
# Engage in firewalling for VMs
iptables += "-A FORWARD -j PR-QBS-FORWARD\n"
# Deny inter-VMs networking
iptables += "-A FORWARD -i vif+ -o vif+ -j DROP\n"
iptables += "COMMIT\n"
self.qdb.write("/qubes-iptables-header", iptables)
vms = [vm for vm in self.connected_vms.values()]
vms_rulesets = []
for vm in vms:
vm_iptables = ""
iptables="*filter\n"
conf = vm.get_firewall_conf()
xid = vm.get_xid()
if xid < 0: # VM not active ATM
continue
ip = vm.ip
if ip is None:
continue
# Anti-spoof rules are added by vif-script (vif-route-qubes), here we trust IP address
accept_action = "ACCEPT"
reject_action = "REJECT --reject-with icmp-host-prohibited"
if conf["allow"]:
default_action = accept_action
rules_action = reject_action
else:
default_action = reject_action
rules_action = accept_action
for rule in conf["rules"]:
is_inbound = rule["address"].startswith("from-") and getattr(vm, "static_ip", None)
if is_inbound:
src_addr = rule["address"][len("from-"):]
src_mask = rule["netmask"]
dst_addr = ip
dst_mask = 32
else:
src_addr = ip
src_mask = 32
dst_addr = rule["address"]
dst_mask = rule["netmask"]
args = []
def constrain(sd, addr, mask):
if mask != 0:
if mask == 32:
args.append("{0} {1}".format(sd, addr))
else:
args.append("{0} {1}/{2}".format(sd, addr, mask))
constrain("-s", src_addr, src_mask)
constrain("-d", dst_addr, dst_mask)
if rule["proto"] is not None and rule["proto"] != "any":
args.append("-p {0}".format(rule["proto"]))
if rule["portBegin"] is not None and rule["portBegin"] > 0:
if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]:
portrange = "{0}:{1}".format(rule["portBegin"], rule["portEnd"])
else:
portrange = rule["portBegin"]
args.append("--dport {0}".format(portrange))
args.append("-j {0}".format(rules_action))
ruletext = ' '.join(args)
iptables += "-A PR-QBS-FORWARD {0}\n".format(ruletext)
if is_inbound:
vm_iptables += "-A FORTRESS-INPUT {0}\n".format(ruletext)
if conf["allowDns"] and self.netvm is not None:
# PREROUTING does DNAT to NetVM DNSes, so we need self.netvm.
# properties
iptables += "-A PR-QBS-FORWARD -s {0} -p udp -d {1} --dport 53 -j " \
"ACCEPT\n".format(ip,self.netvm.gateway)
iptables += "-A PR-QBS-FORWARD -s {0} -p udp -d {1} --dport 53 -j " \
"ACCEPT\n".format(ip,self.netvm.secondary_dns)
iptables += "-A PR-QBS-FORWARD -s {0} -p tcp -d {1} --dport 53 -j " \
"ACCEPT\n".format(ip,self.netvm.gateway)
iptables += "-A PR-QBS-FORWARD -s {0} -p tcp -d {1} --dport 53 -j " \
"ACCEPT\n".format(ip,self.netvm.secondary_dns)
if conf["allowIcmp"]:
iptables += "-A PR-QBS-FORWARD -s {0} -p icmp -j ACCEPT\n".format(ip)
if getattr(vm, "static_ip", None):
iptables += "-A PR-QBS-FORWARD -d {0} -p icmp -j ACCEPT\n".format(ip)
vm_iptables += "-A FORTRESS-INPUT -d {0} -p icmp -j ACCEPT\n".format(ip)
if conf["allowYumProxy"]:
iptables += "-A PR-QBS-FORWARD -s {0} -p tcp -d {1} --dport {2} -j ACCEPT\n".format(ip, yum_proxy_ip, yum_proxy_port)
else:
iptables += "-A PR-QBS-FORWARD -s {0} -p tcp -d {1} --dport {2} -j DROP\n".format(ip, yum_proxy_ip, yum_proxy_port)
iptables += "-A PR-QBS-FORWARD -s {0} -j {1}\n".format(ip, default_action)
if getattr(vm, "static_ip", None):
iptables += "-A PR-QBS-FORWARD -d {0} -j {1}\n".format(ip, default_action)
vm_iptables += "-A FORTRESS-INPUT -d {0} -j {1}\n".format(ip, default_action)
vm_iptables += "COMMIT\n"
vms_rulesets.append((vm, vm_iptables))
iptables += "COMMIT\n"
self.qdb.write("/qubes-iptables-domainrules/"+str(xid), iptables)
# no need for ending -A PR-QBS-FORWARD -j DROP, cause default action is DROP
self.write_netvm_domid_entry()
self.rules_applied = None
self.qdb.write("/qubes-iptables", 'reload')
for vm, ruleset in vms_rulesets:
shell_ruleset = "echo Adjusting firewall rules to: >&2\n"
shell_ruleset += "echo %s >&2\n" % pipes.quote(ruleset.strip())
shell_ruleset += "data=$(iptables-save -t filter)\n"
shell_ruleset += 'if ! echo "$data" | grep -q -- "^:FORTRESS-INPUT" ; then\n'
shell_ruleset += ' data=$(echo "$data" | sed "s/^:INPUT/:FORTRESS-INPUT - [0:0]\\n\\0/")\n'
shell_ruleset += "fi\n"
shell_ruleset += 'if ! echo "$data" | grep -q -- "-A INPUT -j FORTRESS-INPUT" ; then\n'
shell_ruleset += ' data=$(echo "$data" | sed -r "s|-A INPUT -i vif. -j REJECT --reject-with icmp-host-prohibited|-A INPUT -j FORTRESS-INPUT\\n\\0|")\n'
shell_ruleset += "fi\n"
shell_ruleset += 'data=$(echo "$data" | grep -v ^COMMIT$)\n'
shell_ruleset += 'data=$(echo "$data" | grep -v -- "-A FORTRESS-INPUT")\n'
shell_ruleset += 'data="$data\n"%s\n' % pipes.quote(ruleset)
shell_ruleset += 'echo "$data" | iptables-restore -T filter\n'
vm.adjust_own_firewall_rules(shell_ruleset)
register_qubes_vm_class(QubesProxyVm)
Reference in New Issue View Git Blame Copy Permalink