forked from tasket/qubes-tunnel
-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathtunnel-restrict-firewall
executable file
·80 lines (64 loc) · 2.58 KB
/
tunnel-restrict-firewall
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
#!/usr/bin/sh
########################################################################
##
## tunnel-restrict-firewall
## Configure Qubes firewall for use with a tunnel such as OpenVPN.
##
## Note: For customization, add rules to a filename in firewall.d
## other than '90_tunnel-restrict'.
correct_ips() {
# Correct the 10.137.x.x nameserver IPs in FORWARD chain (Qubes 3.x)
. /var/run/qubes/qubes-ns
nspath=/var/run/qubes/qubes-tunnel-ns
if [ -f $nspath ]; then
iptables-save -t filter >/tmp/qtunnel-fw-filter
read vpn_dns <$nspath ; nsend=1
q_addr=""
for DNS in $vpn_dns; do
sed -i -r 's/(-A FORWARD.+-d )10\.137\.[0-9]+\.'$nsend'(.+dport 53 -j ACCEPT)$/\1'$DNS'\2/' \
/tmp/qtunnel-fw-filter
nsend=254
# workaround for Qubes 3.x:
iptables -t nat -I PR-QBS $q_addr -i vif+ -p tcp --dport 53 -j DNAT --to $DNS
iptables -t nat -I PR-QBS $q_addr -i vif+ -p udp --dport 53 -j DNAT --to $DNS
q_addr="-d $NS1"
done
iptables-restore -T filter </tmp/qtunnel-fw-filter
fi
}
# Set firewall restriction policy
# Stop all leaks between downstream (vif+) and upstream (Internet eth0):
iptables -P FORWARD DROP
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
ip6tables -P FORWARD DROP
ip6tables -I FORWARD -o eth0 -j DROP
ip6tables -I FORWARD -i eth0 -j DROP
# Block INPUT from tunnel(s):
iptables -P INPUT DROP
iptables -I INPUT -i tun+ -j DROP
ip6tables -P INPUT DROP
ip6tables -I INPUT -i tun+ -j DROP
# Allow established v6 traffic (v4 rule already present):
#iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Fix DNS IPs if QBS-FORWARD not present (Qubes ver < 4)
iptables -L QBS-FORWARD || correct_ips
# Disable icmp packets
#if iptables -C INPUT -p icmp -j ACCEPT
#then iptables -D INPUT -p icmp -j ACCEPT
#fi
###-------------------------------------------------------------------###
# This section executed only if a qubes-tunnel* service is active:
if ! ls /var/run/qubes-service/qubes-tunnel* 1> /dev/null 2>&1; then
exit 0
fi
# Prevent accidental communications from within VPN VM to net;
# The gid-owner rule requires net programs be run with group ID 'qtunnel'
# to allow outbound traffic.
iptables -P OUTPUT DROP
iptables -I OUTPUT -o lo -j ACCEPT
iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner qtunnel -j ACCEPT
ip6tables -P OUTPUT DROP
ip6tables -I OUTPUT -o lo -j ACCEPT
ip6tables -I OUTPUT -p all -o eth0 -m owner --gid-owner qtunnel -j ACCEPT