mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-12-25 07:19:33 -05:00
Merge branch 'patch-5' of github.com:GWeck/qubes-doc into GWeck-patch-5
This commit is contained in:
commit
8d38056373
@ -268,22 +268,24 @@ Note the IP addresses you will need.
|
|||||||
|
|
||||||
**2. Route packets from the outside world to the FirewallVM**
|
**2. Route packets from the outside world to the FirewallVM**
|
||||||
|
|
||||||
|
For the following example, we assume that the physical interface eth0 in sys-net has the IP address 192.168.x.y and that the IP address of sys-firewall is 10.137.1.z.
|
||||||
|
|
||||||
In the sys-net VM's Terminal, code a natting firewall rule to route traffic on the outside interface for the service to the sys-firewall VM
|
In the sys-net VM's Terminal, code a natting firewall rule to route traffic on the outside interface for the service to the sys-firewall VM
|
||||||
|
|
||||||
```
|
```
|
||||||
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 192.168.x.x -j DNAT --to-destination 10.137.1.x
|
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 192.168.x.y -j DNAT --to-destination 10.137.1.z
|
||||||
```
|
```
|
||||||
|
|
||||||
Code the appropriate new filtering firewall rule to allow new connections for the service
|
Code the appropriate new filtering firewall rule to allow new connections for the service
|
||||||
|
|
||||||
```
|
```
|
||||||
iptables -I FORWARD 2 -i eth0 -d 10.137.1.x -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
|
iptables -I FORWARD 2 -i eth0 -d 10.137.1.z -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
|
||||||
```
|
```
|
||||||
|
|
||||||
> If you want to expose the service on multiple interfaces, repeat the steps described in part 1 for each interface.
|
> If you want to expose the service on multiple interfaces, repeat the steps described in part 1 for each interface.
|
||||||
> In Qubes R4, at the moment ([QubesOS/qubes-issues#3644](https://github.com/QubesOS/qubes-issues/issues/3644)), nftables is also used which imply that additional rules need to be set in a `qubes-firewall` nft table with a forward chain.
|
> In Qubes R4, at the moment ([QubesOS/qubes-issues#3644](https://github.com/QubesOS/qubes-issues/issues/3644)), nftables is also used which imply that additional rules need to be set in a `qubes-firewall` nft table with a forward chain.
|
||||||
|
|
||||||
`nft add rule ip qubes-firewall forward meta iifname eth0 ip daddr 10.137.0.x tcp dport 443 ct state new counter accept`
|
`nft add rule ip qubes-firewall forward meta iifname eth0 ip daddr 10.137.1.z tcp dport 443 ct state new counter accept`
|
||||||
|
|
||||||
Verify you are cutting through the sys-net VM firewall by looking at its counters (column 2)
|
Verify you are cutting through the sys-net VM firewall by looking at its counters (column 2)
|
||||||
|
|
||||||
@ -301,7 +303,7 @@ nft list table ip qubes-firewall
|
|||||||
Send a test packet by trying to connect to the service from an external device
|
Send a test packet by trying to connect to the service from an external device
|
||||||
|
|
||||||
```
|
```
|
||||||
telnet 192.168.x.x 443
|
telnet 192.168.x.y 443
|
||||||
```
|
```
|
||||||
|
|
||||||
Once you have confirmed that the counters increase, store these command in `/rw/config/rc.local` so they get set on sys-net start-up
|
Once you have confirmed that the counters increase, store these command in `/rw/config/rc.local` so they get set on sys-net start-up
|
||||||
@ -320,8 +322,8 @@ sudo nano /rw/config/rc.local
|
|||||||
# Create a new firewall natting chain for my service
|
# Create a new firewall natting chain for my service
|
||||||
if iptables -w -t nat -N MY-HTTPS; then
|
if iptables -w -t nat -N MY-HTTPS; then
|
||||||
|
|
||||||
# Add a natting rule if it did not exit (to avoid cluter if script executed multiple times)
|
# Add a natting rule if it did not exist (to avoid clutter if script executed multiple times)
|
||||||
iptables -w -t nat -A MY-HTTPS -j DNAT --to-destination 10.137.1.x
|
iptables -w -t nat -A MY-HTTPS -j DNAT --to-destination 10.137.1.z
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -330,7 +332,7 @@ fi
|
|||||||
if ! iptables -w -t nat -n -L PREROUTING | grep --quiet MY-HTTPS; then
|
if ! iptables -w -t nat -n -L PREROUTING | grep --quiet MY-HTTPS; then
|
||||||
|
|
||||||
# add a natting rule for the traffic (same reason)
|
# add a natting rule for the traffic (same reason)
|
||||||
iptables -w -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 192.168.0.x -j MY-HTTPS
|
iptables -w -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 192.168.x.y -j MY-HTTPS
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
@ -340,7 +342,7 @@ fi
|
|||||||
# Create a new firewall filtering chain for my service
|
# Create a new firewall filtering chain for my service
|
||||||
if iptables -w -N MY-HTTPS; then
|
if iptables -w -N MY-HTTPS; then
|
||||||
|
|
||||||
# Add a filtering rule if it did not exit (to avoid cluter if script executed multiple times)
|
# Add a filtering rule if it did not exist (to avoid clutter if script executed multiple times)
|
||||||
iptables -w -A MY-HTTPS -s 192.168.x.0/24 -j ACCEPT
|
iptables -w -A MY-HTTPS -s 192.168.x.0/24 -j ACCEPT
|
||||||
|
|
||||||
fi
|
fi
|
||||||
@ -349,7 +351,7 @@ fi
|
|||||||
if ! iptables -w -n -L FORWARD | grep --quiet MY-HTTPS; then
|
if ! iptables -w -n -L FORWARD | grep --quiet MY-HTTPS; then
|
||||||
|
|
||||||
# add a forward rule for the traffic (same reason)
|
# add a forward rule for the traffic (same reason)
|
||||||
iptables -w -I FORWARD 2 -d 10.137.1.x -p tcp --dport 443 -m conntrack --ctstate NEW -j MY-HTTPS
|
iptables -w -I FORWARD 2 -d 10.137.1.z -p tcp --dport 443 -m conntrack --ctstate NEW -j MY-HTTPS
|
||||||
|
|
||||||
fi
|
fi
|
||||||
~~~
|
~~~
|
||||||
@ -364,23 +366,25 @@ fi
|
|||||||
if nft -nn list table ip qubes-firewall | grep "tcp dport 443 ct state new"; then
|
if nft -nn list table ip qubes-firewall | grep "tcp dport 443 ct state new"; then
|
||||||
|
|
||||||
# Add a filtering rule
|
# Add a filtering rule
|
||||||
nft add rule ip qubes-firewall forward meta iifname eth0 ip daddr 10.137.0.x tcp dport 443 ct state new counter accept
|
nft add rule ip qubes-firewall forward meta iifname eth0 ip daddr 10.137.1.z tcp dport 443 ct state new counter accept
|
||||||
|
|
||||||
fi
|
fi
|
||||||
~~~
|
~~~
|
||||||
|
|
||||||
**3. Route packets from the FirewallVM to the VM**
|
**3. Route packets from the FirewallVM to the VM**
|
||||||
|
|
||||||
|
For the following example, we use the fact that the physical interface of sys-firewall, facing sys-net, is eth0. Furthermore, we assume that the target VM running the web server has the IP address 10.137.0.xx and that the IP address of sys-firewall is 10.137.1.z.
|
||||||
|
|
||||||
In the sys-firewall VM's Terminal, code a natting firewall rule to route traffic on its outside interface for the service to the qube
|
In the sys-firewall VM's Terminal, code a natting firewall rule to route traffic on its outside interface for the service to the qube
|
||||||
|
|
||||||
```
|
```
|
||||||
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 10.137.1.x -j DNAT --to-destination 10.137.2.y
|
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 10.137.1.z -j DNAT --to-destination 10.137.0.xx
|
||||||
```
|
```
|
||||||
|
|
||||||
Code the appropriate new filtering firewall rule to allow new connections for the service
|
Code the appropriate new filtering firewall rule to allow new connections for the service
|
||||||
|
|
||||||
```
|
```
|
||||||
iptables -I FORWARD 2 -i eth0 -s 192.168.x.0/24 -d 10.137.2.y -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
|
iptables -I FORWARD 2 -i eth0 -s 192.168.x.0/24 -d 10.137.0.xx -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
|
||||||
```
|
```
|
||||||
|
|
||||||
> Note: If you do not wish to limit the IP addresses connecting to the service, remove the ` -s 192.168.0.1/24 `
|
> Note: If you do not wish to limit the IP addresses connecting to the service, remove the ` -s 192.168.0.1/24 `
|
||||||
@ -388,7 +392,7 @@ iptables -I FORWARD 2 -i eth0 -s 192.168.x.0/24 -d 10.137.2.y -p tcp --dport 443
|
|||||||
> Note: On Qubes R4
|
> Note: On Qubes R4
|
||||||
|
|
||||||
```
|
```
|
||||||
nft add rule ip qubes-firewall forward meta iifname eth0 ip saddr 192.168.x.0/24 ip daddr 10.137.0.y tcp dport 443 ct state new counter accept
|
nft add rule ip qubes-firewall forward meta iifname eth0 ip saddr 192.168.x.0/24 ip daddr 10.137.0.xx tcp dport 443 ct state new counter accept
|
||||||
```
|
```
|
||||||
|
|
||||||
Once you have confirmed that the counters increase, store these command in `/rw/config/qubes-firewall-user-script`
|
Once you have confirmed that the counters increase, store these command in `/rw/config/qubes-firewall-user-script`
|
||||||
@ -407,8 +411,8 @@ sudo nano /rw/config/qubes-firewall-user-script
|
|||||||
# Create a new firewall natting chain for my service
|
# Create a new firewall natting chain for my service
|
||||||
if iptables -w -t nat -N MY-HTTPS; then
|
if iptables -w -t nat -N MY-HTTPS; then
|
||||||
|
|
||||||
# Add a natting rule if it did not exit (to avoid cluter if script executed multiple times)
|
# Add a natting rule if it did not exist (to avoid clutter if script executed multiple times)
|
||||||
iptables -w -t nat -A MY-HTTPS -j DNAT --to-destination 10.137.2.y
|
iptables -w -t nat -A MY-HTTPS -j DNAT --to-destination 10.137.0.xx
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -417,7 +421,7 @@ fi
|
|||||||
if ! iptables -w -t nat -n -L PREROUTING | grep --quiet MY-HTTPS; then
|
if ! iptables -w -t nat -n -L PREROUTING | grep --quiet MY-HTTPS; then
|
||||||
|
|
||||||
# add a natting rule for the traffic (same reason)
|
# add a natting rule for the traffic (same reason)
|
||||||
iptables -w -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 10.137.1.x -j MY-HTTPS
|
iptables -w -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 10.137.1.z -j MY-HTTPS
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
@ -427,7 +431,7 @@ fi
|
|||||||
# Create a new firewall filtering chain for my service
|
# Create a new firewall filtering chain for my service
|
||||||
if iptables -w -N MY-HTTPS; then
|
if iptables -w -N MY-HTTPS; then
|
||||||
|
|
||||||
# Add a filtering rule if it did not exit (to avoid cluter if script executed multiple times)
|
# Add a filtering rule if it did not exist (to avoid clutter if script executed multiple times)
|
||||||
iptables -w -A MY-HTTPS -s 192.168.x.0/24 -j ACCEPT
|
iptables -w -A MY-HTTPS -s 192.168.x.0/24 -j ACCEPT
|
||||||
|
|
||||||
fi
|
fi
|
||||||
@ -436,7 +440,7 @@ fi
|
|||||||
if ! iptables -w -n -L FORWARD | grep --quiet MY-HTTPS; then
|
if ! iptables -w -n -L FORWARD | grep --quiet MY-HTTPS; then
|
||||||
|
|
||||||
# add a forward rule for the traffic (same reason)
|
# add a forward rule for the traffic (same reason)
|
||||||
iptables -w -I FORWARD 4 -d 10.137.2.y -p tcp --dport 443 -m conntrack --ctstate NEW -j MY-HTTPS
|
iptables -w -I FORWARD 4 -d 10.137.0.xx -p tcp --dport 443 -m conntrack --ctstate NEW -j MY-HTTPS
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -447,7 +451,7 @@ fi
|
|||||||
if ! nft -nn list table ip qubes-firewall | grep "tcp dport 443 ct state new"; then
|
if ! nft -nn list table ip qubes-firewall | grep "tcp dport 443 ct state new"; then
|
||||||
|
|
||||||
# Add a filtering rule
|
# Add a filtering rule
|
||||||
nft add rule ip qubes-firewall forward meta iifname eth0 ip saddr 192.168.x.0/24 ip daddr 10.137.0.y tcp dport 443 ct state new counter accept
|
nft add rule ip qubes-firewall forward meta iifname eth0 ip saddr 192.168.x.0/24 ip daddr 10.137.0.xx tcp dport 443 ct state new counter accept
|
||||||
|
|
||||||
fi
|
fi
|
||||||
~~~
|
~~~
|
||||||
@ -458,13 +462,16 @@ Finally make this file executable (so it runs at every Firewall VM update)
|
|||||||
sudo chmod +x /rw/config/qubes-firewall-user-script
|
sudo chmod +x /rw/config/qubes-firewall-user-script
|
||||||
~~~
|
~~~
|
||||||
|
|
||||||
|
If the service should be available to other VMs on the same system, do not forget to specify the additional rules described above.
|
||||||
|
|
||||||
**4. Allow packets into the qube to reach the service**
|
**4. Allow packets into the qube to reach the service**
|
||||||
|
|
||||||
Here no routing is required, only filtering.
|
Here no routing is required, only filtering.
|
||||||
Proceed in the same way as above but store the filtering rule in the `/rw/config/rc.local` script.
|
Proceed in the same way as above but store the filtering rule in the `/rw/config/rc.local` script.
|
||||||
|
For the following example, we assume that the target VM running the web server has the IP address 10.137.0.xx
|
||||||
|
|
||||||
```
|
```
|
||||||
sudo name /rw/config/rc.local
|
sudo nano /rw/config/rc.local
|
||||||
```
|
```
|
||||||
|
|
||||||
~~~
|
~~~
|
||||||
@ -474,7 +481,7 @@ sudo name /rw/config/rc.local
|
|||||||
# Create a new firewall filtering chain for my service
|
# Create a new firewall filtering chain for my service
|
||||||
if iptables -w -N MY-HTTPS; then
|
if iptables -w -N MY-HTTPS; then
|
||||||
|
|
||||||
# Add a filtering rule if it did not exit (to avoid cluter if script executed multiple times)
|
# Add a filtering rule if it did not exist (to avoid clutter if script executed multiple times)
|
||||||
iptables -w -A MY-HTTPS -j ACCEPT
|
iptables -w -A MY-HTTPS -j ACCEPT
|
||||||
|
|
||||||
fi
|
fi
|
||||||
@ -483,7 +490,7 @@ fi
|
|||||||
if ! iptables -w -n -L INPUT | grep --quiet MY-HTTPS; then
|
if ! iptables -w -n -L INPUT | grep --quiet MY-HTTPS; then
|
||||||
|
|
||||||
# add a forward rule for the traffic (same reason)
|
# add a forward rule for the traffic (same reason)
|
||||||
iptables -w -I INPUT 5 -d 10.137.2.x -p tcp --dport 443 -m conntrack --ctstate NEW -j MY-HTTPS
|
iptables -w -I INPUT 5 -d 10.137.0.xx -p tcp --dport 443 -m conntrack --ctstate NEW -j MY-HTTPS
|
||||||
|
|
||||||
fi
|
fi
|
||||||
~~~
|
~~~
|
||||||
|
Loading…
Reference in New Issue
Block a user