mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-10-01 01:25:40 -04:00
44 lines
2.1 KiB
Markdown
---
layout: doc
title: Networking
permalink: /doc/networking/
redirect_from:
- /doc/qubes-net/
- /en/doc/qubes-net/
- /doc/QubesNet/
- /wiki/QubesNet/
---

VM network in Qubes
===================

Overall description
-------------------

In Qubes, the standard Xen networking is used, based on a backend driver in the driver domain and frontend drivers in the VMs. To eliminate layer 2 attacks originating from a compromised VM, routed networking is used instead of the default bridging of `vif` devices. The default *vif-route* script had some deficiencies (it requires the `eth0` device to be up, and it sets some redundant iptables rules), therefore the custom *vif-route-qubes* script is used.

The IP address of the `eth0` interface in the AppVM, as well as two IP addresses to be used as nameservers (`DNS1` and `DNS2`), are passed via xenstore to the AppVM during its boot (thus there is no need for a DHCP daemon in the network driver domain). `DNS1` and `DNS2` are private addresses; whenever an interface is brought up in the network driver domain, the `/usr/lib/qubes/qubes_setup_dnat_to_ns` script sets up DNAT iptables rules translating `DNS1` and `DNS2` to the newly learned real DNS servers. This way the AppVM networking configuration does not need to be changed when the configuration in the network driver domain changes (e.g. the user switches to a different WLAN). Moreover, the network driver domain does not run a DNS server either, and consequently there are no ports open to the VMs.

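As an added illustration (this is example code, not the `qubes_setup_dnat_to_ns` script itself, whose contents are not reproduced here), the following POSIX shell script shows the translation step described above: it reads the nameservers the network driver domain has learned from a resolv.conf-style file and emits, rather than applies, the iptables DNAT rules that map the fixed `DNS1`/`DNS2` addresses to the real servers. The addresses `10.2.0.1` and `10.2.0.2` stand in for `DNS1` and `DNS2` and are chosen for the example only; the resolv.conf used in the usage section is constructed.

```shell
#!/bin/sh
# Added example, not the Qubes script: print the iptables DNAT rules that
# rewrite DNS traffic sent to the fixed private addresses DNS1/DNS2 into
# traffic for the nameservers currently known to the network driver domain.
# Rules are printed instead of executed so the logic can be checked as a
# normal user; pipe the output to sh on a real system to apply them.

# Stand-ins for DNS1 and DNS2 (constructed values, not Qubes' actual ones).
FAKE_DNS1=10.2.0.1
FAKE_DNS2=10.2.0.2

# real_nameservers FILE: print up to two "nameserver" entries from a
# resolv.conf-style file, one per line.
real_nameservers() {
    awk '$1 == "nameserver" && n < 2 { print $2; n++ }' "$1"
}

# dnat_rule FAKE REAL: emit one PREROUTING DNAT rule per transport
# (UDP and TCP, port 53) mapping FAKE to REAL.
dnat_rule() {
    for proto in udp tcp; do
        echo "iptables -t nat -A PREROUTING -d $1 -p $proto --dport 53 -j DNAT --to-destination $2"
    done
}

# gen_dnat_rules FILE: build the full rule set.  With one real server known,
# both fake addresses map to it; with none known, nothing is emitted and DNS
# from the VMs fails closed rather than being sent anywhere unexpected.
gen_dnat_rules() {
    set -- $(real_nameservers "$1")
    case $# in
        0) return 0 ;;
        1) dnat_rule "$FAKE_DNS1" "$1"; dnat_rule "$FAKE_DNS2" "$1" ;;
        *) dnat_rule "$FAKE_DNS1" "$1"; dnat_rule "$FAKE_DNS2" "$2" ;;
    esac
}

# Usage: sh dnat_rules.sh /etc/resolv.conf
if [ $# -gt 0 ]; then
    gen_dnat_rules "$1"
fi
```

Because the VMs only ever see the two fixed addresses, re-running this step on every interface change is all that is needed when the uplink's nameservers change; the per-VM configuration stays untouched, which is the point the paragraph makes.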

Routing tables examples
-----------------------

The VM routing table is simple:

| Destination | Gateway | Genmask | Flags | Metric | Ref | Use | Iface |
|-------------|---------|---------|-------|--------|-----|-----|-------|
| 0.0.0.0     | 0.0.0.0 | 0.0.0.0 | U     | 0      | 0   | 0   | eth0  |

The network driver domain routing table is a bit longer:

| Destination | Gateway     | Genmask         | Flags | Metric | Ref | Use | Iface   |
|-------------|-------------|-----------------|-------|--------|-----|-----|---------|
| 10.2.0.16   | 0.0.0.0     | 255.255.255.255 | UH    | 0      | 0   | 0   | vif4.0  |
| 10.2.0.7    | 0.0.0.0     | 255.255.255.255 | UH    | 0      | 0   | 0   | vif10.0 |
| 10.2.0.9    | 0.0.0.0     | 255.255.255.255 | UH    | 0      | 0   | 0   | vif9.0  |
| 10.2.0.8    | 0.0.0.0     | 255.255.255.255 | UH    | 0      | 0   | 0   | vif8.0  |
| 10.2.0.12   | 0.0.0.0     | 255.255.255.255 | UH    | 0      | 0   | 0   | vif3.0  |
| 192.168.0.0 | 0.0.0.0     | 255.255.255.0   | U     | 1      | 0   | 0   | eth0    |
| 0.0.0.0     | 192.168.0.1 | 0.0.0.0         | UG    | 0      | 0   | 0   | eth0    |
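To make the routed (non-bridged) layout from the overall description and this listing concrete, here is an added check, example code that is not part of Qubes, which validates a `route -n` style listing against those expectations: every `vif` interface must carry only /32 host routes (genmask `255.255.255.255`, flags `UH`), and no bridge interface may appear. The sample table is transcribed from the listing above; treating interface names starting with `xenbr` or `br` as bridges is an assumption of the example.

```shell
#!/bin/sh
# Added example, not part of Qubes: verify that a network driver domain's
# routing table follows the routed layout (one /32 host route per vif, no
# bridge) that keeps a compromised VM from reaching its neighbours at layer 2.
# check_routes prints each offending entry and returns 1 if any is found.

# Sample table transcribed from the page's listing (route -n format).
SAMPLE_TABLE='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.2.0.16       0.0.0.0         255.255.255.255 UH    0      0        0 vif4.0
10.2.0.7        0.0.0.0         255.255.255.255 UH    0      0        0 vif10.0
10.2.0.9        0.0.0.0         255.255.255.255 UH    0      0        0 vif9.0
10.2.0.8        0.0.0.0         255.255.255.255 UH    0      0        0 vif8.0
10.2.0.12       0.0.0.0         255.255.255.255 UH    0      0        0 vif3.0
192.168.0.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0'

# check_routes FILE: exit status 0 when every vif route is a /32 host route
# and no bridge interface is listed; otherwise print the offenders, status 1.
check_routes() {
    awk '
        NF < 8 { next }                           # banner / blank lines
        $1 == "Destination" { next }              # column header
        $8 ~ /^vif/ && ($3 != "255.255.255.255" || $4 != "UH") {
            print "non-host route on " $8 ": " $0; bad = 1
        }
        $8 ~ /^(xenbr|br)/ { print "bridge interface present: " $8; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# count_vif_routes FILE: number of /32 host routes on vif devices, i.e. the
# number of VMs currently attached through this driver domain.
count_vif_routes() {
    awk '$8 ~ /^vif/ && $3 == "255.255.255.255" { n++ } END { print n + 0 }' "$1"
}

# Usage: sh check_routes.sh <(route -n)   or, with no argument, self-check
# against the transcribed sample table.
if [ $# -gt 0 ]; then
    check_routes "$1"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_TABLE" > "$tmp"
    if check_routes "$tmp"; then
        echo "sample table: ok ($(count_vif_routes "$tmp") VM host routes)"
    fi
    rm -f "$tmp"
fi
```

A subnet route on a `vif` (for example a `255.255.255.0` genmask) is exactly what the check flags, because it would mean traffic from one VM can be delivered to another through the driver domain as if they shared a segment, rather than only to the single address the driver domain assigned to that VM.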