Hi,
Strangely appvms that are marked and not "Allow connections to updates proxy"
are still able to reach the tinyproxy, despite the iptables rules:
[root@sys-fw ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5 217 ACCEPT tcp -- vif+ * 0.0.0.0/0 0.0.0.0/0
tcp dpt:8082
0 0 DROP udp -- vif+ * 0.0.0.0/0 0.0.0.0/0
udp dpt:68
129 25433 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 264 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 208 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-prohibited
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0
172.16.0.0/16
0 0 ACCEPT all -- * * 172.16.0.0/16 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0
192.168.0.0/16
0 0 ACCEPT all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0
16 1136 DROP all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- vif0.0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- vif+ vif+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 10.137.2.9 10.137.1.1
udp dpt:53
0 0 ACCEPT udp -- * * 10.137.2.9
10.137.1.254 udp dpt:53
0 0 ACCEPT tcp -- * * 10.137.2.9 10.137.1.1
tcp dpt:53
0 0 ACCEPT tcp -- * * 10.137.2.9
10.137.1.254 tcp dpt:53
0 0 ACCEPT icmp -- * * 10.137.2.9 0.0.0.0/0
0 0 DROP tcp -- * * 10.137.2.9
10.137.255.254 tcp dpt:8082
0 0 ACCEPT all -- * * 10.137.2.9 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
111 13152 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
3 264 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
25 1493 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
1 42 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0
udp dpt:1197
26 1646 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 3/min burst 5 LOG flags 0 level 4 prefix
"iptables_OUTPUT_denied: "
[user@untrusted ~]$ ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group
default qlen 1000
link/ether 00:16:3e:5e:6c:07 brd ff:ff:ff:ff:ff:ff
inet 10.137.2.9/32 brd 10.255.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::216:3eff:fe5e:6c07/64 scope link
valid_lft forever preferred_lft forever
So the untrusted appvm (10.137.2.9) is able to reach the tiny proxy
(10.137.255.254) on port 8082, despite the drop rule on the FORWARD chain on
the sys-fw :
" 0 0 DROP tcp -- * * 10.137.2.9
10.137.255.254 tcp dpt:8082"
[user@untrusted ~]$ telnet 10.137.255.254 8082
Trying 10.137.255.254...
Connected to 10.137.255.254.
Escape character is '^]'.
I confess I'm a bit baffle by this, the only thing I'm using on the sys-fw but
that doesn't explain why the iptables rule is being ignored.
Does anyone knows why is this happening?
Thank you
----
Sent using Guerrillamail.com
Block or report abuse:
https://www.guerrillamail.com//abuse/?a=UFR2AB5NVqcQmh2U93EQdRjCStifx8dDiadNcQ%3D%3D
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/23b15c2e7e35e8075af3226b4e0fdafe7a43%40guerrillamail.com.
For more options, visit https://groups.google.com/d/optout.
