Hi Unman,

Happy to hear from someone who I know has been able to assist in the past.

On Thursday, 2 June 2016 11:12:14 UTC+10, Unman wrote:
>
> Oh Drew,
> Geek is confirmed.
>

Geek? GEEK?? I'm not just an ordinary geek, my friend. I'm a super geek! :/ lol

> If you want to control traffic from the vif+ interfaces, you need the
> FORWARD chain.
>

I've got forwards for all my InterVM Network and my bridged virtuals and more.

> The default rules allow RELATED,ESTABLISHED traffic both ways in FORWARD
> chain, and drop all traffic between vifs - you know this already.
>
> What you want (assuming $eth is defined) is:
> iptables -I FORWARD 1 -i vif+ -o $eth -d 1.2.3.0/24 -m state --state NEW -j ACCEPT
> iptables -I FORWARD 3 -i vif+ -o $eth -j DROP
>
> This is because the ESTABLISHED rule is by default #1, you insert 1
> before, and then I3 to insert the DROP rule after.
> You were almost there but got the count wrong.
>

And yes, $eth is defined after discovery of identifiers. I recently had a huge issue with it when I transferred from Fedora to Debian... ifconfig differences... But I resolved it all, and it's all now working apart from this bit for traffic restrictions.

Ahh, okay. I'll give it a shot and inform you of the results.

So for the incoming connections, it's the same methodology, just with source and destination switched around?

And ...
iptables -I FORWARD 3 -i vif+ -o $eth -j DROP
Does it really need the interfaces specified if I have the ...
...
iptables -I FORWARD 1 -i vif+ -o $eth -d 1.2.3.0/24 -m state --state NEW -j ACCEPT
iptables -I FORWARD 1 -o vif+ -i $eth -s 1.2.3.0/24 -m state --state NEW -j ACCEPT
Can't it be ...?
iptables -I FORWARD 3 -j DROP

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/52d96fbe-0b79-4bf2-9250-748ccb0c745c%40googlegroups.com.
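As an added example (not code posted by either participant in this thread): a script that installs Unman's two rules the way a Qubes 3 NetVM/ProxyVM would run them from /rw/config/qubes-firewall-user-script, and derives the position of the DROP from how many ACCEPT rules were inserted at position 1 above the default RELATED,ESTABLISHED rule. With one ACCEPT that is position 3, exactly as in Unman's reply; if the inbound counterpart asked about above is added too, the ESTABLISHED rule is pushed to 3 and the DROP has to go at 4, which is the "count" that is easy to get wrong. Assumptions made here: the uplink interface is taken from the default route (with eth0 as a fallback placeholder), ALLOWED_NET, ALLOW_INBOUND and the --apply flag are names chosen for this example, and 1.2.3.0/24 is the thread's placeholder range. Without --apply the script only prints the iptables commands it would run.

```shell
#!/bin/sh
# Added example for this thread, not code posted by either participant.
# Inserts Unman's FORWARD rules in a Qubes 3 NetVM/ProxyVM and computes the
# position of the DROP from how many ACCEPT rules were inserted above the
# default RELATED,ESTABLISHED rule (which starts at position 1).
# Assumptions: the uplink is the device of the IPv4 default route, ALLOWED_NET
# is the thread's 1.2.3.0/24 placeholder, and the real firewall is only touched
# when run as root with --apply; otherwise the commands are printed.
set -eu

ALLOWED_NET="${ALLOWED_NET:-1.2.3.0/24}"
ALLOW_INBOUND="${ALLOW_INBOUND:-0}"   # 1 = also accept NEW from ALLOWED_NET towards vifs
IPT="${IPT:-echo iptables}"           # switched to the real binary by --apply

# Uplink discovery: the 'dev' of the IPv4 default route, 'eth0' if none found
# (placeholder, e.g. when dry-running outside the NetVM).
find_uplink() {
    dev=$(ip -4 route show default 2>/dev/null |
          awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }')
    printf '%s\n' "${dev:-eth0}"
}

# Position the DROP must take after $1 ACCEPT rules were inserted at position 1:
# the default RELATED,ESTABLISHED rule has moved to $1+1, DROP goes right behind it.
drop_position() {
    echo $(( $1 + 2 ))
}

# Installs the rules for uplink interface $1. Every ACCEPT is inserted at
# position 1, pushing the RELATED,ESTABLISHED rule down by one each time, so the
# DROP is placed directly behind it and return traffic keeps being accepted.
apply_rules() {
    eth="$1"
    accepts=0

    # Outbound: new connections from any vif to the allowed range via the uplink.
    $IPT -I FORWARD 1 -i vif+ -o "$eth" -d "$ALLOWED_NET" -m state --state NEW -j ACCEPT
    accepts=$((accepts + 1))

    # Optional inbound counterpart: interfaces and source/destination swapped.
    if [ "$ALLOW_INBOUND" = 1 ]; then
        $IPT -I FORWARD 1 -i "$eth" -o vif+ -s "$ALLOWED_NET" -m state --state NEW -j ACCEPT
        accepts=$((accepts + 1))
    fi

    # Everything else leaving a vif for the uplink is dropped; the interface
    # matches keep this from catching forwarded traffic in other directions.
    $IPT -I FORWARD "$(drop_position "$accepts")" -i vif+ -o "$eth" -j DROP
}

main() {
    if [ "${1:-}" = "--apply" ]; then
        [ "$(id -u)" -eq 0 ] || { echo "--apply needs root" >&2; exit 1; }
        IPT=iptables
    fi
    apply_rules "$(find_uplink)"
    # Show the resulting order so the positions can be checked by eye.
    $IPT -L FORWARD -n --line-numbers
}

main "$@"
```

On the last question in the post: a rule with no `-i`/`-o` match at position 3 matches every forwarded packet that reaches it, not only vif-to-uplink traffic, so whatever arrives from the uplink towards a vif and is not already accepted by the rules above it is dropped as well. That may be what is wanted, but it is a wider rule than the one Unman gave, which is why the example keeps the interface qualifiers.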
