---
layout: doc
title: Networking
permalink: /doc/networking/
---
# VM network in Qubes

## Overall description
In Qubes, the standard Xen networking is used, based on a backend driver in the driver domain and frontend drivers in the VMs. In order to eliminate layer 2 attacks originating from a compromised VM, routed networking is used instead of the default bridging of `vif` devices. The default `vif-route` script has some deficiencies (it requires the `eth0` device to be up, and it sets some redundant iptables rules), therefore the custom `vif-route-qubes` script is used.

The IP address of the `eth0` interface in the AppVM, as well as the two IP addresses to be used as nameservers (`DNS1` and `DNS2`), are passed via xenstore to the AppVM during its boot (thus, there is no need for a DHCP daemon in the network driver domain). `DNS1` and `DNS2` are private addresses; whenever an interface is brought up in the network driver domain, the `/usr/lib/qubes/qubes_setup_dnat_to_ns` script sets up the DNAT iptables rules translating `DNS1` and `DNS2` to the newly learned real DNS servers. This way the AppVM networking configuration does not need to be changed when the configuration in the network driver domain changes (e.g. the user switches to a different WLAN). Moreover, there is no DNS server in the network driver domain either, and consequently there are no ports open to the VMs.
## Routing table examples

The VM routing table is simple:

| Destination | Gateway | Genmask | Flags | Metric | Ref | Use | Iface |
|---|---|---|---|---|---|---|---|
| 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | U | 0 | 0 | 0 | eth0 |
The network driver domain routing table is a bit longer:

| Destination | Gateway | Genmask | Flags | Metric | Ref | Use | Iface |
|---|---|---|---|---|---|---|---|
| 10.2.0.16 | 0.0.0.0 | 255.255.255.255 | UH | 0 | 0 | 0 | vif4.0 |
| 10.2.0.7 | 0.0.0.0 | 255.255.255.255 | UH | 0 | 0 | 0 | vif10.0 |
| 10.2.0.9 | 0.0.0.0 | 255.255.255.255 | UH | 0 | 0 | 0 | vif9.0 |
| 10.2.0.8 | 0.0.0.0 | 255.255.255.255 | UH | 0 | 0 | 0 | vif8.0 |
| 10.2.0.12 | 0.0.0.0 | 255.255.255.255 | UH | 0 | 0 | 0 | vif3.0 |
| 192.168.0.0 | 0.0.0.0 | 255.255.255.0 | U | 1 | 0 | 0 | eth0 |
| 0.0.0.0 | 192.168.0.1 | 0.0.0.0 | UG | 0 | 0 | 0 | eth0 |