From 536f795d4853439e48d3140e4fb2295677478fe5 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Thu, 18 Aug 2011 15:02:30 +0200
Subject: [PATCH 1/4] proxyvm: allow for user defined hooks after iptables restore

---
 proxyvm/bin/qubes_firewall | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/proxyvm/bin/qubes_firewall b/proxyvm/bin/qubes_firewall
index 13f5ba2..17761b2 100755
--- a/proxyvm/bin/qubes_firewall
+++ b/proxyvm/bin/qubes_firewall
@@ -35,4 +35,7 @@ while true; do
 # If OK save it for later
 /sbin/service iptables save >/dev/null
 fi
+
+ # Check if user didn't define some custom rules to be applied as well...
+ [ -x /rw/config/qubes_firewall_user_script ] && /rw/config/qubes_firewall_user_script
 done

From 8242e6fc5baa61d9bc1ce295ab05ed0d3a9a32c3 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Thu, 18 Aug 2011 15:49:49 +0200
Subject: [PATCH 2/4] vm: allow user-define hook for IP change event

This is especially useful for proxy VMs that e.g. run some transparent proxy service such as tor, and need to rebind it upon IP change (of course this assumes iptables-based transparent redirection such as DNAT).

---
 common/setup_ip | 1 +
 1 file changed, 1 insertion(+)

diff --git a/common/setup_ip b/common/setup_ip
index ad42cf4..43d1439 100755
--- a/common/setup_ip
+++ b/common/setup_ip
@@ -19,6 +19,7 @@ if [ x$ip != x ]; then
 echo "NS1=$gateway" > /var/run/qubes/qubes_ns
 echo "NS2=$secondary_dns" >> /var/run/qubes/qubes_ns
 /usr/lib/qubes/qubes_setup_dnat_to_ns
+ [ -x /rw/config/qubes_ip_change_hook ] && /rw/config/qubes_ip_change_hook
 fi
 fi

From 61d88dd8df70bc5f45b06f2572940aee6c6206a8 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Thu, 18 Aug 2011 18:04:38 +0200
Subject: [PATCH 3/4] proxyvm: remove unused code

---
 proxyvm/bin/qubes_firewall | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/proxyvm/bin/qubes_firewall b/proxyvm/bin/qubes_firewall
index 17761b2..6c7fe39 100755
--- a/proxyvm/bin/qubes_firewall
+++ b/proxyvm/bin/qubes_firewall
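Review bot: The user script on the last added line runs even when iptables-restore reported an error, because it sits after the `fi` that closes the success branch (`# If OK save it for later`) rather than inside it, so the custom rules get applied on top of whatever partial or stale ruleset a failed restore left behind; the restore result is held in `$OUT` earlier in the loop, outside this hunk. Wrapping the call as `if [ -z "$OUT" ] && [ -x /rw/config/qubes_firewall_user_script ]; then` / `    /rw/config/qubes_firewall_user_script` / `fi` keeps the hook on the success path only. The hook's own exit status is also discarded by the `&&` chain, whereas a failed restore is reported through notify-send; reporting a non-zero hook exit the same way would keep the two failure modes consistently visible. The `while true` loop this belongs to starts outside the hunk.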
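Review bot: The hook on the added line is invoked with no arguments, so the address values this script has just computed (`$ip` from the enclosing condition, `$gateway` and `$secondary_dns` used on the preceding context lines) are only visible to it if they are exported somewhere above the hunk, which the hunk does not show; otherwise the hook has to re-derive them itself. Passing them explicitly, `[ -x /rw/config/qubes_ip_change_hook ] && /rw/config/qubes_ip_change_hook "$ip" "$gateway" "$secondary_dns"`, turns the hook's input into a stated contract. The call also sits inside the inner `if` (two `fi` lines follow it), so it fires only when that inner condition holds; if that block is specific to VMs that serve a downstream network, other VMs never receive the IP-change event the commit message describes, and since both enclosing conditions start outside the hunk the placement should be confirmed as intended.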
@@ -31,10 +31,6 @@ while true; do
 if [ "$OUT" ]; then
 DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || :
 fi
- if [[ -z "$OUT" ]]; then
- # If OK save it for later
- /sbin/service iptables save >/dev/null
- fi
 
 # Check if user didn't define some custom rules to be applied as well...
 [ -x /rw/config/qubes_firewall_user_script ] && /rw/config/qubes_firewall_user_script

From 81917388ef8f7395eb8daeb5094392d210076574 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Thu, 18 Aug 2011 18:47:08 +0200
Subject: [PATCH 4/4] vm: disable forwarding when iptables rules are being (re)applied

---
 proxyvm/bin/qubes_firewall | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/proxyvm/bin/qubes_firewall b/proxyvm/bin/qubes_firewall
index 6c7fe39..5a60a07 100755
--- a/proxyvm/bin/qubes_firewall
+++ b/proxyvm/bin/qubes_firewall
@@ -13,11 +13,20 @@ echo $$ >$PIDFILE
 trap 'exit 0' SIGTERM
 while true; do
+
+ echo "1" > /proc/sys/net/ipv4/ip_forward
+
 # Wait for changes in xenstore file
 /usr/bin/xenstore-watch-qubes $XENSTORE_IPTABLES
 TRIGGER=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES)
 if ! [ "$TRIGGER" = "reload" ]; then continue ; fi
+
+ # Disable forarding to prevent potential "leaks" that might
+ # be bypassing the firewall or some proxy service (e.g. tor)
+ # during the time when the rules are being (re)applied
+ echo "0" > /proc/sys/net/ipv4/ip_forward
+
 RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES_HEADER)
 IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d')
 OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || :`
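Review bot: Forwarding is re-enabled unconditionally by the `echo "1"` at the top of the loop, so when iptables-restore fails the next iteration turns forwarding back on over the partially applied or stale ruleset — the `$OUT` check further down the loop, outside this hunk, only raises a notification — which defeats the fail-closed intent of the new `echo "0"` for exactly the error case it is meant to cover. Guarding the re-enable with the previous result, `if [ -z "$OUT" ]; then echo "1" > /proc/sys/net/ipv4/ip_forward; fi`, keeps forwarding off until a restore has succeeded (`OUT` is empty on the first pass, so start-up behaviour is unchanged); moving the re-enable into the success branch after the restore would be cleaner still. Note also that with `trap 'exit 0' SIGTERM` a stop arriving between the `echo "0"` and the next loop top leaves forwarding disabled, which is the safe direction but deserves a comment saying so. The new comment misspells "forwarding" as `forarding`.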