suzanne.soy/qubes-doc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Switch to 'su -' envs, quote vars, rm --dport 53

Browse Source 
Thanks Marek!
This commit is contained in:
ttasket 2016-06-04 22:46:18 -04:00
parent a09ec964ad
commit 88b4097c23
1 changed files with 5 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
configuration/vpn.md
View File

@ -105,10 +105,6 @@ Using a ProxyVM to set up a VPN client gives you the ability to:
iptables -A OUTPUT -p all -o eth0 -m owner --gid-owner qvpn \ iptables -A OUTPUT -p all -o eth0 -m owner --gid-owner qvpn \
-m state --state NEW,ESTABLISHED -j ACCEPT -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow queries to DNS server:
iptables -A OUTPUT -p udp -o eth0 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow internal system connections: # Allow internal system connections:
iptables -I OUTPUT -o lo -j ACCEPT iptables -I OUTPUT -o lo -j ACCEPT
@ -126,17 +122,12 @@ Using a ProxyVM to set up a VPN client gives you the ability to:
#!/bin/bash #!/bin/bash
set -e set -e
# Pop-up notification variables
SPID=$(pgrep -U user -f dconf-service)
dbus=$(grep -z DBUS_SESSION_BUS_ADDRESS /proc/$SPID/environ|cut -d= -f2-)
export DBUS_SESSION_BUS_ADDRESS=$dbus
case "$1" in case "$1" in
up) up)
# To override DHCP DNS, assign static DNS addresses with 'setenv vpn_dns' in openvpn config; # To override DHCP DNS, assign static DNS addresses with 'setenv vpn_dns' in openvpn config;
# Format is 'X.X.X.X Y.Y.Y.Y [...]' with quotes. # Format is 'X.X.X.X Y.Y.Y.Y [...]' with quotes.
if [[ -z $vpn_dns ]] ; then if [[ -z "$vpn_dns" ]] ; then
# Parses DHCP options from openvpn to set DNS address translation: # Parses DHCP options from openvpn to set DNS address translation:
for optionname in ${!foreign_option_*} ; do for optionname in ${!foreign_option_*} ; do
option="${!optionname}" option="${!optionname}"
@ -146,20 +137,20 @@ up)
fi fi
iptables -t nat -F PR-QBS iptables -t nat -F PR-QBS
if [[ -n $vpn_dns ]] ; then if [[ -n "$vpn_dns" ]] ; then
# Set DNS address translation in firewall: # Set DNS address translation in firewall:
for addr in $vpn_dns; do for addr in $vpn_dns; do
iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $addr iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $addr
iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $addr iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $addr
done done
su -c 'notify-send "$(hostname): LINK IS UP." --icon=network-idle' user su - -c 'notify-send "$(hostname): LINK IS UP." --icon=network-idle' user
else else
su -c 'notify-send "$(hostname): LINK UP, NO DNS!" --icon=dialog-error' user su - -c 'notify-send "$(hostname): LINK UP, NO DNS!" --icon=dialog-error' user
fi fi
;; ;;
down) down)
su -c 'notify-send "$(hostname): LINK IS DOWN !" --icon=dialog-error' user su - -c 'notify-send "$(hostname): LINK IS DOWN !" --icon=dialog-error' user
;; ;;
esac esac
``` ```