Re: [qubes-users] Could use some help with my iptables configuration
> On 11/23/19 9:33 AM, swisspal...@firemail.cc wrote:
>> Hello,
>>
>> I want to achieve the following:
>>
>> sys-net should only be accessible by sys-firewall and sys-firewall should only be accessible by sys-whonix.
>> No AppVM should be able to connect to the internet if I set sys-net or sys-firewall as NetVM. Internet access should only be possible via sys-whonix.
>>
>> What I tried so far is:
>>
>> I flushed the INPUT chain on sys-net and applied these 2 commands
>>
>>     sudo iptables -I INPUT -i vif5.0 -s 10.137.0.6 -j ACCEPT
>>     (10.137.0.6 is the IP of sys-firewall)
>>     sudo iptables -I INPUT -i vif5.0 -j DROP
>>
>> This configuration already kind of works. If I create a new AppVM and connect it to sys-net then I cannot even ping sys-net anymore.
>>
>> But then I noticed that another vif interface on sys-net came up as soon as I connected the new AppVM. This is confusing me as I'm afraid that that could lead to potential leaks in the future.
>>
>> I am unsure how I should proceed with the configuration of this setup. I don't know much about networking and especially because it is on Qubes it's a bit more difficult to be sure of how things work.
>> I presume that I probably should make a specific NAT rule but I really have no clue.
>>
>> What I also don't understand is:
>>
>> - Are the IPs that are assigned to the VMs static or do they change over time? If they change, can I make them static?
>
> IIRC they're dynamic.
>
>> - Will the flushing of a chain in a fresh VM interfere with the functionality of the VM? I saw QBS-Forwarding rules and so on. I guess it's not a good idea to delete those.
>
> QBS-Forwarding will stomp over what you try to add there. It's managed by Qubes. However, it exists in order to allow FORWARD to be user-managed.
>
> One way to do it might be to allow only one downstream vif in sys-firewall: Add a general eth0 block on top of the FORWARD chain. Then, have a script that waits for the first vif to appear; when it does, add a FORWARD rule to allow it, then exit the script.
>
> --
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

The way I understood it is that the number of the interface vifX.Y is dynamic, but the IP address gets assigned on AppVM creation (and stored in the VM's preferences - see qvm-prefs), so you can consider it static for the VM's lifetime.

Therefore, if you do

    sudo iptables -I INPUT -i vif* -s 10.137.0.6 -j ACCEPT
    sudo iptables -I INPUT -i vif* -j DROP

(not sure if vif* is the right syntax, but there is some way to use wildcards for the interface name) you should be okay.

But you also need to put these commands into the qubes firewall script in /rw/config to make sure the rules get re-inserted when a new AppVM connects to sys-net and Qubes regenerates all the iptables rules to include the newly created interface.

Frank

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/A59F6D5E-A6F3-47D3-A5AA-DBCB80660041%40schaeckermann.net.
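An added example, not code from anyone in this thread: Frank's wildcard-interface INPUT rules placed in a Qubes firewall user script so they survive rule regeneration, extended with the FORWARD-chain restriction Chris describes, and parametrized so the same script serves sys-net (allowed downstream: sys-firewall) and sys-firewall (allowed downstream: sys-whonix). It assumes the Qubes 4.0 script path /rw/config/qubes-firewall-user-script, sys-firewall's IP 10.137.0.6 from the thread, and that a proxy qube masquerades the traffic it forwards upstream, so packets arriving from it carry its own IP.

```shell
#!/bin/sh
# Added example, not from the thread. Meant to live in the Qubes 4.0 firewall
# user script /rw/config/qubes-firewall-user-script of sys-net (assumed path);
# set ALLOWED_DOWNSTREAM to sys-whonix's IP to use it in sys-firewall.
# Only the one permitted downstream qube may talk to this qube (INPUT) or
# have its traffic forwarded through it (FORWARD); every other vif is dropped.
ALLOWED_DOWNSTREAM="${ALLOWED_DOWNSTREAM:-10.137.0.6}"   # sys-firewall, per thread

# The rules in the order they must finally appear in each chain. "vif+" is
# iptables' own wildcard for interface names, so it matches every vifX.Y that
# Qubes creates, whatever number a newly attached AppVM happens to get.
build_rules() {
    cat <<EOF
INPUT -i vif+ -s $ALLOWED_DOWNSTREAM -j ACCEPT
INPUT -i vif+ -j DROP
FORWARD -i vif+ -s $ALLOWED_DOWNSTREAM -j ACCEPT
FORWARD -i vif+ -j DROP
EOF
}

# Insert at the top of each chain (ahead of the Qubes-managed QBS-* jumps),
# last line first: "iptables -I" always inserts at position 1, so running the
# ACCEPT and then the DROP in natural order would leave the DROP on top and
# block the allowed qube as well.
apply_rules() {
    build_rules | sed '1!G;h;$!d' | while read -r chain rule; do
        # shellcheck disable=SC2086   # $rule must word-split into arguments
        iptables -I "$chain" $rule
    done
}

# Root-free sanity check: in every chain the ACCEPT precedes the catch-all DROP.
rules_ordered() {
    build_rules | awk '
        BEGIN { bad = 0 }
        $NF == "ACCEPT" { ok[$1] = 1 }
        $NF == "DROP" && !ok[$1] { bad = 1 }
        END { exit bad }'
}

# Only touch the kernel inside a Qubes VM (/rw/config exists) and as root.
if [ -d /rw/config ] && [ "$(id -u)" -eq 0 ]; then
    rules_ordered && apply_rules
fi
```

Run `build_rules` first to review the exact rule lines the script will insert; with a wrong ALLOWED_DOWNSTREAM the DROP rules lock out the real downstream qube as well.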
Re: [qubes-users] Could use some help with my iptables configuration
On 11/23/19 9:33 AM, swisspal...@firemail.cc wrote:
> Hello,
>
> I want to achieve the following:
>
> sys-net should only be accessible by sys-firewall and sys-firewall should only be accessible by sys-whonix.
> No AppVM should be able to connect to the internet if I set sys-net or sys-firewall as NetVM. Internet access should only be possible via sys-whonix.
>
> What I tried so far is:
>
> I flushed the INPUT chain on sys-net and applied these 2 commands
>
>     sudo iptables -I INPUT -i vif5.0 -s 10.137.0.6 -j ACCEPT
>     (10.137.0.6 is the IP of sys-firewall)
>     sudo iptables -I INPUT -i vif5.0 -j DROP
>
> This configuration already kind of works. If I create a new AppVM and connect it to sys-net then I cannot even ping sys-net anymore.
>
> But then I noticed that another vif interface on sys-net came up as soon as I connected the new AppVM. This is confusing me as I'm afraid that that could lead to potential leaks in the future.
>
> I am unsure how I should proceed with the configuration of this setup. I don't know much about networking and especially because it is on Qubes it's a bit more difficult to be sure of how things work.
> I presume that I probably should make a specific NAT rule but I really have no clue.
>
> What I also don't understand is:
>
> - Are the IPs that are assigned to the VMs static or do they change over time? If they change, can I make them static?

IIRC they're dynamic.

> - Will the flushing of a chain in a fresh VM interfere with the functionality of the VM? I saw QBS-Forwarding rules and so on. I guess it's not a good idea to delete those.

QBS-Forwarding will stomp over what you try to add there. It's managed by Qubes. However, it exists in order to allow FORWARD to be user-managed.

One way to do it might be to allow only one downstream vif in sys-firewall: Add a general eth0 block on top of the FORWARD chain. Then, have a script that waits for the first vif to appear; when it does, add a FORWARD rule to allow it, then exit the script.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/767b2063-be96-3883-d9db-912690f059fc%40posteo.net.
[qubes-users] Could use some help with my iptables configuration
Hello,

I want to achieve the following:

sys-net should only be accessible by sys-firewall and sys-firewall should only be accessible by sys-whonix.
No AppVM should be able to connect to the internet if I set sys-net or sys-firewall as NetVM. Internet access should only be possible via sys-whonix.

What I tried so far is:

I flushed the INPUT chain on sys-net and applied these 2 commands

    sudo iptables -I INPUT -i vif5.0 -s 10.137.0.6 -j ACCEPT
    (10.137.0.6 is the IP of sys-firewall)
    sudo iptables -I INPUT -i vif5.0 -j DROP

This configuration already kind of works. If I create a new AppVM and connect it to sys-net then I cannot even ping sys-net anymore.

But then I noticed that another vif interface on sys-net came up as soon as I connected the new AppVM. This is confusing me as I'm afraid that that could lead to potential leaks in the future.

I am unsure how I should proceed with the configuration of this setup. I don't know much about networking and especially because it is on Qubes it's a bit more difficult to be sure of how things work.
I presume that I probably should make a specific NAT rule but I really have no clue.

What I also don't understand is:

- Are the IPs that are assigned to the VMs static or do they change over time? If they change, can I make them static?
- Will the flushing of a chain in a fresh VM interfere with the functionality of the VM? I saw QBS-Forwarding rules and so on. I guess it's not a good idea to delete those.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d744e58ff78ad2d9232b97dcdaa36c3a%40firemail.cc.