On Tue, May 31, 2016 at 06:27:14PM -0700, Drew White wrote:
> Hi folks,
>
> I'm trying to get my ProxyVM to work properly the way I want it to, but the
> firewall is not cooperating and I feel there is either something I am doing
> wrong, OR something in Qubes' initial configuration causing an issue, but I
> can't find what is wrong.
>
> Any good help would be greatly appreciated.
>
> Thanks in advance!
>
> The result I'm looking for is to block everything outgoing from vif+ to any
> IP range OTHER than what I specify.
>
> The hashed-out ones are the ones that I tried, but they failed.
> In the end I brought it back to the first one, the base simplicity, but
> even that still doesn't work (and I didn't think it would really, but I
> tried it anyway).
>
> iptables -i $eth -s 1.2.3.0/24 -j ACCEPT
> iptables -o $eth -d 1.2.3.0/24 -j ACCEPT
> iptables -o $eth -j DROP
> iptables -i $eth -j DROP
>
> #iptables -I PREROUTING 1 -i vif+ -o $eth -d 1.2.3.0/24 -m state --state NEW -p tcp -m tcp -j ACCEPT
> #iptables -I PREROUTING 1 -i vif+ -o $eth -d 1.2.3.024 -p udp -m udp -j ACCEPT
> #iptables -I PREROUTING 3 -i vif+ -m state --state NEW -p tcp -m tcp -j DROP
> #iptables -I PREROUTING 3 -i vif+ -p udp -m udp -j DROP
> #
> #iptables -I FORWARD 1 -i vif+ -o $eth -d 1.2.3.0/24 -m state --state NEW -p tcp -m tcp -j ACCEPT
> #iptables -I FORWARD 1 -i vif+ -o $eth -d 1.2.3.0/24 -p udp -m udp -j ACCEPT
> #iptables -I FORWARD 3 -i vif+ -j DROP
> #
> #iptables -I INPUT 1 -i vif+ -d 1.2.3.0/24 -m state --state NEW -p tcp -m tcp -j ACCEPT
> #iptables -I INPUT 1 -i vif+ -d 1.2.3.0/24 -p udp -m udp -j ACCEPT
> #iptables -I INPUT 3 -i vif+ -j DROP
> #
> #iptables -I OUTPUT 1 -o $eth -d 1.2.3.0/24 -m state --state NEW -p tcp -m tcp -j ACCEPT
> #iptables -I OUTPUT 1 -o $eth -d 1.2.3.0/24 -p udp -m udp -j ACCEPT
> #iptables -I OUTPUT 3 -o $eth -j DROP
>
Oh Drew, Geek is confirmed.

If you want to control traffic from the vif+ interfaces, you need the FORWARD chain. The default rules allow RELATED,ESTABLISHED traffic both ways in the FORWARD chain, and drop all traffic between vifs - you know this already.

What you want (assuming $eth is defined) is:

iptables -I FORWARD 1 -i vif+ -o $eth -d 1.2.3.0/24 -m state --state NEW -j ACCEPT
iptables -I FORWARD 3 -i vif+ -o $eth -j DROP

This is because the ESTABLISHED rule is by default #1, you insert 1 before, and then -I 3 to insert the DROP rule after. You were almost there but got the count wrong.

unman

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20160602011213.GA15000%40thirdeyesecurity.org.
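The following is an added example, not code from either message in the thread and not part of Qubes itself: a POSIX shell script that applies the FORWARD-chain approach from the reply above without depending on an exact rule count. The uplink name eth0, the variable names, the function names and the allow-list value are assumptions. It relies on one fact the reply states, that the default Qubes FORWARD chain has the RELATED,ESTABLISHED accept as rule 1, and checks that before inserting anything. Every rule is inserted at position 2: the DROP first, then each ACCEPT, so the ACCEPTs always end up between the ESTABLISHED rule and the DROP no matter how many networks are allowed.

```shell
#!/bin/sh
# Added example (not from the thread or from Qubes): restrict forwarded traffic
# from a Qubes ProxyVM's vif+ interfaces so that only the listed destination
# networks are reachable through the uplink. Assumptions: the uplink is $ETH
# (eth0 by default) and FORWARD rule 1 is the RELATED,ESTABLISHED accept that
# the default Qubes firewall installs.

IPTABLES="${IPTABLES:-iptables}"   # override (e.g. with a shell function) for a dry run
ETH="${ETH:-eth0}"                 # uplink interface name (assumed)
ALLOW="${ALLOW:-1.2.3.0/24}"       # space-separated destination networks to permit

# Precondition check: `iptables -S FORWARD` prints the chain policy on line 1,
# so the first rule is line 2. Only count on position 2 if rule 1 really is
# the RELATED,ESTABLISHED accept.
forward_established_first() {
    "$IPTABLES" -S FORWARD | sed -n 2p | grep -q 'RELATED,ESTABLISHED'
}

# Insert the restriction. Each rule goes in at position 2, directly after the
# ESTABLISHED accept, so there is no rule number to get wrong: the DROP is
# inserted first and every ACCEPT inserted afterwards lands above it.
# Final order: 1 ESTABLISHED accept, 2..N one ACCEPT per allowed network,
# N+1 DROP for vif+ -> uplink. The DROP matches only -i vif+ -o $eth, so the
# existing rules for traffic between vifs are left as they are.
restrict_vif_forward() {
    eth="$1"
    allow="$2"
    "$IPTABLES" -I FORWARD 2 -i vif+ -o "$eth" -j DROP
    # $allow is deliberately unquoted so it splits into one network per iteration.
    for net in $allow; do
        "$IPTABLES" -I FORWARD 2 -i vif+ -o "$eth" -d "$net" -m state --state NEW -j ACCEPT
    done
}

# Show the resulting chain with rule numbers so the order can be verified.
show_forward() {
    "$IPTABLES" -L FORWARD -n -v --line-numbers
}

apply_vif_restriction() {
    if ! forward_established_first; then
        echo "FORWARD rule 1 is not the RELATED,ESTABLISHED accept; not inserting at 2" >&2
        return 1
    fi
    restrict_vif_forward "$ETH" "$ALLOW"
    show_forward
}

# Usage (as root in the ProxyVM):
#   ETH=eth0 ALLOW="1.2.3.0/24" sh restrict-vif.sh apply
if [ "${1:-}" = apply ]; then
    apply_vif_restriction
fi
```

Run it as root inside the ProxyVM and read the `--line-numbers` listing it prints: the ESTABLISHED accept should be rule 1, the ACCEPT lines next, and the DROP immediately after them. Qubes reapplies its own firewall rules when a connected VM's firewall settings change, so if the restriction has to survive that, run the script from the ProxyVM's firewall user hook rather than once by hand (the hook is /rw/config/qubes-firewall-user-script in Qubes R3.x; check the firewall documentation for your release).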
