Here's a revision of the firewall script:
---
########################################################################
##
## qubes-firewall-user-script for use with a VPN client such as openvpn.
##
##
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
## Stop all leaks between downstream (AppVMs) and upstream (Internet):
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
## Prevent accidental communications from within VPN VM;
## The gid-owner rule requires the VPN client be run with group ID 'qvpn'
## to allow outbound traffic from the client. It can be replaced by un-commenting
## the two --dport 1194 rules (if you are not using the group ID).
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
#iptables -A OUTPUT -p udp -o eth0 --dport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -p tcp -o eth0 --dport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p all -o eth0 -m owner --gid-owner qvpn -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
## Block INPUT from downstream and the tunnel:
iptables -I INPUT -i vif+ -j DROP
iptables -I INPUT -i tun0 -j DROP
## Disable icmp packets (re-enable for testing and debugging):
if iptables -C INPUT -p icmp -j ACCEPT
then iptables -D INPUT -p icmp -j ACCEPT
fi
## Block all IPv6 traffic (generally unsupported in Qubes):
ip6tables -P OUTPUT DROP
ip6tables -F OUTPUT
ip6tables -P FORWARD DROP
ip6tables -F FORWARD
ip6tables -P INPUT DROP
ip6tables -F INPUT
---
Of course, this builds on the rules already set by Qubes 3.1 firewall.
Note: There are no hard-coded IPs and the OUTPUT controls VPN traffic by
group ID. So if your VPN provider has dozens of IPs randomly-assigned
via DNS or uses a client other than openvpn then no editing of the
firewall script should be necessary.
Group ID can be easily assigned to VPN client with /rw/config/rc.local
like this:
groupadd -r qvpn
sg qvpn -c 'openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn \
  --daemon --writepid /var/run/openvpn/openvpn-client.pid'
...or you can add a "Group=qvpn" line to the Service section of your
systemd openvpn.service file.
Also, local traffic to and from tun0 and vif+ is disallowed, as well as
incoming icmp packets.
I'm going to follow up with a suggested openvpn "up" script that will
take care of the dns-dnat rules in chain PR-QBS. The user can opt to
enter their vpn dns addresses or let dhcp supply them automatically.
I'll also resume testing for leaks using this configuration, including
the Whonix tests Patrick referenced.
Chris
--
You received this message because you are subscribed to the Google Groups
"qubes-devel" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-devel/574CD4CE.3020609%40openmailbox.org.
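A way to check, offline, that a VPN VM actually ended up in the state the script above intends. This is an added example, not code from the post or from Qubes: it audits an `iptables-save` dump for the policies, the FORWARD/INPUT drops and the three permitted OUTPUT paths (loopback, the qvpn group, DNS), and flags any other OUTPUT ACCEPT as a leak path. Both dumps are constructed by hand (the numeric gid 1001 is hypothetical); on a real VM you would feed it `iptables-save` output instead.

```shell
#!/bin/sh
# Offline audit of an iptables-save dump against the invariants the VPN VM
# firewall script is meant to establish. Added example, not part of the post.
# The two dumps below are constructed, not captured from a real VM.

# Constructed dump: the intended state. iptables-save prints the group numerically.
GOOD_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i tun0 -j DROP
-A INPUT -i vif+ -j DROP
-A FORWARD -i eth0 -j DROP
-A FORWARD -o eth0 -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -m owner --gid-owner 1001 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed dump: OUTPUT policy still ACCEPT, FORWARD drops missing, and a
# plain --dport 1194 ACCEPT without the group-ID match (a leak path).
BAD_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tun0 -j DROP
-A INPUT -i vif+ -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
COMMIT'

# has_line DUMP STRING: succeed if some line of DUMP contains STRING literally.
has_line() {
  printf '%s\n' "$1" | grep -qF -- "$2"
}

# audit_vpn_firewall DUMP: print one line per check; return 1 if any check fails.
audit_vpn_firewall() {
  dump="$1"
  rc=0
  # Rules and policies that must be present for the VM to fail closed.
  for want in ':INPUT DROP' ':FORWARD DROP' ':OUTPUT DROP' \
              '-A FORWARD -i eth0 -j DROP' '-A FORWARD -o eth0 -j DROP' \
              '-A INPUT -i vif+ -j DROP' '-A INPUT -i tun0 -j DROP' \
              '-A OUTPUT -o lo -j ACCEPT' \
              '-A OUTPUT -o eth0 -m owner --gid-owner'; do
    if has_line "$dump" "$want"; then
      echo "ok      $want"
    else
      echo "MISSING $want"
      rc=1
    fi
  done
  # Any OUTPUT ACCEPT that is neither loopback, nor group-owned, nor DNS
  # lets a non-VPN process reach eth0 directly: report it as a leak path.
  leaks=$(printf '%s\n' "$dump" | grep -- '^-A OUTPUT .*-j ACCEPT' \
          | grep -v -e '-o lo ' -e '--gid-owner' -e '--dport 53 ') || true
  if [ -n "$leaks" ]; then
    printf 'LEAK    %s\n' "$leaks"
    rc=1
  fi
  return $rc
}

echo "== constructed good dump =="
audit_vpn_firewall "$GOOD_DUMP" || echo "audit FAILED"
echo "== constructed bad dump =="
audit_vpn_firewall "$BAD_DUMP" || echo "audit FAILED (expected for this dump)"
```

On a live VPN VM the same function can be run as `audit_vpn_firewall "$(sudo iptables-save)"`; a non-zero exit means the rules the script was supposed to install are not all in place, which is exactly the case where the leak tests mentioned in the post are worth repeating.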