On Thursday, 2 June 2016 11:12:14 UTC+10, Unman wrote:
>
> Oh Drew,
> Geek is confirmed.
>
> If you want to control traffic from the vif+ interfaces, you need the
> FORWARD chain.
>
> The default rules allow RELATED,ESTABLISHED traffic both ways in FORWARD
> chain, and drop all traffic between vifs - you know this already.
>
> What you want (assuming $eth is defined) is:
> iptables -I FORWARD 1 -i vif+ -o $eth -d 1.2.3.0/24 -m state --state NEW -j ACCEPT
> iptables -I FORWARD 3 -i vif+ -o $eth -j DROP
>
> This is because the ESTABLISHED rule is by default #1, you insert 1
> before, and then I3 to insert the DROP rule after.
> You were almost there but got the count wrong.
>
> unman
>
Hi Unman,

I tried it and I've found that it requires the extras. This is what I have that now works perfectly, thanks.

iptables -I FORWARD 1 -i vif+ -o $eth -d 1.2.3.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 1 -o vif+ -i $eth -s 1.2.3.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 3 -i vif+ -j DROP
iptables -I FORWARD 3 -i $eth -j DROP

IPTABLES now looks like this...

-------------------------------------------------------------------------------------------
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  1.2.3.0/24           anywhere             state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             1.2.3.0/24           state NEW,RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
ACCEPT     udp  --  10.137.2.2           gateway              udp dpt:domain
ACCEPT     udp  --  10.137.2.2           10.137.2.254         udp dpt:domain
ACCEPT     tcp  --  10.137.2.2           gateway              tcp dpt:domain
ACCEPT     tcp  --  10.137.2.2           10.137.2.254         tcp dpt:domain
ACCEPT     icmp --  10.137.2.2           anywhere
DROP       tcp  --  10.137.2.2           10.137.255.254       tcp dpt:us-cli
ACCEPT     all  --  10.137.2.2           anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
-------------------------------------------------------------------------------------------

After the 4th rule in FORWARD, I can just remove everything else, can't I? Since it's now completely restricted from rules 1-4? Or do they still have some effect?

-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group.
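An added illustration, not code from either poster: a small model of iptables' `-I CHAIN N` insertion and first-match evaluation, replaying the four `-I FORWARD` commands from the reply above to show the final rule order and which rule each constructed packet stops at. It assumes `$eth` is `eth0` and models only interface, address and conntrack-state matching; the packets are constructed for the demonstration.

```python
import ipaddress

ETH = "eth0"  # assumed value of $eth (not stated in the thread)
NET = ipaddress.ip_network("1.2.3.0/24")
CONN = {"NEW", "ESTABLISHED", "RELATED"}  # --state NEW,ESTABLISHED,RELATED


def iface_match(pattern, name):
    # iptables interface wildcard: a trailing '+' matches any name with that prefix
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def rule(target, in_if=None, out_if=None, src=None, dst=None, state=None):
    return dict(target=target, in_if=in_if, out_if=out_if, src=src, dst=dst, state=state)


def matches(r, pkt):
    return (iface_match(r["in_if"], pkt["in_if"])
            and iface_match(r["out_if"], pkt["out_if"])
            and (r["src"] is None or ipaddress.ip_address(pkt["src"]) in r["src"])
            and (r["dst"] is None or ipaddress.ip_address(pkt["dst"]) in r["dst"])
            and (r["state"] is None or pkt["state"] in r["state"]))


def build_forward_chain():
    # Before the inserts, rule 1 is the existing RELATED,ESTABLISHED accept;
    # after the four inserts it sits at position 5, as in the listing above.
    chain = [rule("ACCEPT", state={"RELATED", "ESTABLISHED"})]
    # "-I FORWARD N" uses 1-based positions; rules at and after N shift down.
    chain.insert(0, rule("ACCEPT", in_if="vif+", out_if=ETH, dst=NET, state=CONN))
    chain.insert(0, rule("ACCEPT", in_if=ETH, out_if="vif+", src=NET, state=CONN))
    chain.insert(2, rule("DROP", in_if="vif+"))
    chain.insert(2, rule("DROP", in_if=ETH))
    return chain


def verdict(chain, pkt, policy="DROP"):
    """Return (1-based index of the first matching rule, target), or the chain policy."""
    for i, r in enumerate(chain, start=1):
        if matches(r, pkt):
            return i, r["target"]
    return None, policy


if __name__ == "__main__":
    chain = build_forward_chain()
    pkt = dict(in_if="vif12.0", out_if=ETH, src="10.137.2.2", dst="1.2.3.7", state="NEW")
    print(verdict(chain, pkt))  # (2, 'ACCEPT')
```

Feeding it a packet that enters on an interface matching neither `vif+` nor `eth0` shows the one case in which evaluation reaches rule 5 and beyond.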
