refactor: pihole nft rules for Qubes 4.2
This commit is contained in:
parent
224d2d5f69
commit
6a551eba67
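--- a/salt/sys-pihole/files/server/dnsmasq.d/00-pihole.conf
+++ b/salt/sys-pihole/files/server/dnsmasq.d/00-pihole.conf
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2023 unman <unman@thirdeyesecurity.org>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# vim: ft=dnsmasq
+
+interface=lo
+bind-interfaces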
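Review bot: The two directives at the end of the file carry no comment explaining why dnsmasq is pinned to loopback, so a reader of this file alone cannot tell how downstream qubes still reach it. I would add above `interface=lo`: `# Listen on loopback only: DNS from downstream qubes arrives through the dnat-dns rules in /rw/config/qubes-firewall.d/50-sys-pihole, which rely on route_localnet=1 on the vif interfaces (set by the network hook).` Whether pi-hole's own generated dnsmasq configuration also sets `interface=`, and how the two combine under `bind-interfaces`, is not visible here and worth confirming.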
@ -7,4 +7,9 @@
|
||||
|
||||
set -eu
|
||||
|
||||
nft -f /rw/config/network-hooks.d/flush
|
||||
nft -f /rw/config/qubes-firewall.d/50-sys-pihole
|
||||
|
||||
for vif in /proc/sys/net/ipv4/conf/vif*/route_localnet; do
|
||||
test -w "${vif}" || continue
|
||||
echo 1 | tee "${vif}" >/dev/null
|
||||
done
|
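Review bot: The loop at the end of the hunk writes `1` into every vif's `route_localnet` with no comment, yet that sysctl is the only reason the `dnat to 127.0.0.1` rules in `/rw/config/qubes-firewall.d/50-sys-pihole` deliver anything, since by default the kernel discards packets to 127/8 that arrive on a non-loopback interface. I would put `# Allow packets arriving on vif* to be routed to 127.0.0.1; without this the kernel drops the DNS traffic that the dnat-dns rules in qubes-firewall.d/50-sys-pihole redirect to the local resolver.` above the `for`. As a style point, `echo 1 | tee "${vif}" >/dev/null` can simply be `echo 1 > "${vif}"` under `set -e`. Which of the two `nft -f` lines is the removed one is not recoverable from this rendering; if `nft -f /rw/config/network-hooks.d/flush` survives on the new side, note that the sls no longer manages that file. The script's header is outside the hunk.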
@ -1,13 +0,0 @@
|
||||
#!/usr/sbin/nft -f
|
||||
|
||||
# SPDX-FileCopyrightText: 2022 - 2023 unman <unman@thirdeyesecurity.org>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
flush chain ip qubes dnat-dns
|
||||
flush chain ip6 qubes dnat-dns
|
||||
|
||||
insert rule ip qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
|
||||
insert rule ip qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
|
||||
insert rule ip6 qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
|
||||
insert rule ip6 qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
|
@ -1,9 +0,0 @@
|
||||
# SPDX-FileCopyrightText: 2022 - 2023 unman <unman@thirdeyesecurity.org>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
auto eth0
|
||||
iface eth0 inet static
|
||||
address
|
||||
netmask 255.0.0.0
|
||||
gateway
|
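--- a/salt/sys-pihole/files/server/qubes-firewall.d/50-sys-pihole
+++ b/salt/sys-pihole/files/server/qubes-firewall.d/50-sys-pihole
@@ -0,0 +1,29 @@
+#!/usr/sbin/nft -f
+# vim: ft=nftables
+# SPDX-FileCopyrightText: 2022 - 2023 unman <unman@thirdeyesecurity.org>
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+add chain ip6 qubes dnat-dns { type nat hook prerouting priority dstnat; policy accept; }
+
+flush chain ip qubes dnat-dns
+flush chain ip6 qubes dnat-dns
+insert rule ip qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
+insert rule ip qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
+insert rule ip6 qubes dnat-dns iifname "vif*" tcp dport 53 dnat to ::1
+insert rule ip6 qubes dnat-dns iifname "vif*" udp dport 53 dnat to ::1
+
+flush chain ip qubes custom-forward
+flush chain ip6 qubes custom-forward
+insert rule ip qubes custom-forward tcp dport 53 drop
+insert rule ip qubes custom-forward udp dport 53 drop
+insert rule ip6 qubes custom-forward tcp dport 53 drop
+insert rule ip6 qubes custom-forward udp dport 53 drop
+
+flush chain ip qubes custom-input
+flush chain ip6 qubes custom-input
+insert rule ip qubes custom-input iifname "vif*" tcp dport 53 accept
+insert rule ip qubes custom-input iifname "vif*" udp dport 53 accept
+insert rule ip6 qubes custom-input iifname "vif*" tcp dport 53 accept
+insert rule ip6 qubes custom-input iifname "vif*" udp dport 53 accept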
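Review bot: `flush chain ip qubes custom-forward`, `flush chain ip6 qubes custom-forward`, `flush chain ip qubes custom-input` and `flush chain ip6 qubes custom-input` wipe chains this script does not own: as far as I know those are the chains Qubes 4.2 leaves for any script under `/rw/config/qubes-firewall.d/` to add to, so a rule placed there by another script that sorts before this one is silently removed, and for a filter rule that failure mode is fail-open. Flushing only the script's own dnat-dns chains and, for the shared chains, removing and re-inserting just its four dport 53 rules would avoid that; at minimum a header comment such as `# This file flushes custom-forward and custom-input and must be the only script in this directory that uses them.` should state the assumption. Separately, the `dnat to ::1` rules look undeliverable: the network hook only sets `/proc/sys/net/ipv4/conf/vif*/route_localnet`, and I am not aware of an IPv6 counterpart, so redirected IPv6 queries would be dropped instead of answered — worth confirming on a host with IPv6 enabled on the vifs, and either dropping the two ip6 dnat rules or commenting why they stay.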
@ -1,18 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# SPDX-FileCopyrightText: 2022 - 2023 unman <unman@thirdeyesecurity.org>
|
||||
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
set -eu
|
||||
|
||||
nft insert rule ip qubes custom-forward tcp dport 53 drop
|
||||
nft insert rule ip qubes custom-forward udp dport 53 drop
|
||||
|
||||
## TODO: Is this working?
|
||||
handle="$(nft -a list table qubes |
|
||||
awk 'BEGIN{c0} /related,established/{c++; if (c==1) print $NF}')"
|
||||
|
||||
nft add rule ip qubes custom-input position "$handle" iifname "vif*" tcp dport 53 accept
|
||||
nft add rule ip qubes custom-input position "$handle" iifname "vif*" udp dport 53 accept
|
@ -1,15 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# SPDX-FileCopyrightText: 2022 - 2023 unman <unman@thirdeyesecurity.org>
|
||||
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
set -eu
|
||||
|
||||
for vif in /proc/sys/net/ipv4/conf/vif*; do
|
||||
test -d "${vif}" || continue
|
||||
test -f "${vif}/route_localnet" || continue
|
||||
test -w "${vif}/route_localnet" || continue
|
||||
echo 1 | tee "${vif}/route_localnet"
|
||||
done
|
@ -1,18 +0,0 @@
|
||||
#!/usr/sbin/nft -f
|
||||
|
||||
# SPDX-FileCopyrightText: 2022 - 2023 unman <unman@thirdeyesecurity.org>
|
||||
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
#flush chain nat PR-QBS
|
||||
#insert rule nat PR-QBS iifname "vif*" tcp dport 53 dnat to 127.0.0.1
|
||||
#insert rule nat PR-QBS iifname "vif*" udp dport 53 dnat to 127.0.0.1
|
||||
|
||||
flush chain ip qubes dnat-dns
|
||||
flush chain ip6 qubes dnat-dns
|
||||
|
||||
insert rule ip qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
|
||||
insert rule ip qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
|
||||
insert rule ip6 qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
|
||||
insert rule ip6 qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
|
@ -12,37 +12,6 @@ SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
include:
|
||||
- dotfiles.copy-x11
|
||||
|
||||
{% set qubes_ip = salt['cmd.shell']('qubesdb-read /qubes-ip') %}
|
||||
{% set qubes_gateway = salt['cmd.shell']('qubesdb-read /qubes-gateway') %}
|
||||
|
||||
"{{ slsdotpath }}-set-eth0-interface":
|
||||
file.managed:
|
||||
- name: /etc/network/interfaces.d/eth0
|
||||
- source: salt://{{ slsdotpath }}/files/server/network/eth0
|
||||
- mode: '0644'
|
||||
- user: root
|
||||
- group: root
|
||||
- makedirs: True
|
||||
|
||||
"{{ slsdotpath }}-set-ip":
|
||||
file.line:
|
||||
- name: /etc/network/interfaces.d/eth0
|
||||
- match: address
|
||||
- mode: replace
|
||||
- content: "address {{ qubes_ip }}"
|
||||
|
||||
"{{ slsdotpath }}-set-gateway":
|
||||
file.line:
|
||||
- name: /etc/network/interfaces.d/eth0
|
||||
- match: gateway
|
||||
- mode: replace
|
||||
- content: "gateway {{ qubes_gateway }}"
|
||||
|
||||
"{{ slsdotpath }}-restart-networking":
|
||||
cmd.run:
|
||||
- name: systemctl restart networking
|
||||
- runas: root
|
||||
|
||||
"{{ slsdotpath }}-updated":
|
||||
pkg.uptodate:
|
||||
- refresh: True
|
||||
@ -71,6 +40,7 @@ include:
|
||||
- php-sqlite3
|
||||
- php-xml
|
||||
- unzip
|
||||
- bash-completion
|
||||
|
||||
"{{ slsdotpath }}-disable-external-admin-interface":
|
||||
file.managed:
|
||||
@ -152,57 +122,32 @@ include:
|
||||
- cwd: '/root/pi-hole/automated install'
|
||||
- runas: root
|
||||
|
||||
"{{ slsdotpath }}-firewall-nat":
|
||||
"{{ slsdotpath }}-firewall":
|
||||
file.managed:
|
||||
- name: /rw/config/qubes-firewall.d/70-sys-pihole-nat
|
||||
- source: salt://{{ slsdotpath }}/files/server/qubes-firewall.d/70-sys-pihole-nat
|
||||
- name: /rw/config/qubes-firewall.d/50-sys-pihole
|
||||
- source: salt://{{ slsdotpath }}/files/server/qubes-firewall.d/50-sys-pihole
|
||||
- mode: '0755'
|
||||
- user: root
|
||||
- group: root
|
||||
- makedirs: True
|
||||
|
||||
"{{ slsdotpath }}-firewall-filter":
|
||||
"{{ slsdotpath }}-network-hooks":
|
||||
file.managed:
|
||||
- name: /rw/config/qubes-firewall.d/50-sys-pihole-filter
|
||||
- source: salt://{{ slsdotpath }}/files/server/qubes-firewall.d/50-sys-pihole-filter
|
||||
- mode: '0755'
|
||||
- user: root
|
||||
- group: root
|
||||
- makedirs: True
|
||||
|
||||
"{{ slsdotpath }}-firewall-internalise":
|
||||
file.managed:
|
||||
- name: /rw/config/network-hooks.d/60-sys-pihole-internalise
|
||||
- source: salt://{{ slsdotpath }}/files/server/qubes-firewall.d/60-sys-pihole-internalise
|
||||
- mode: '0755'
|
||||
- user: root
|
||||
- group: root
|
||||
- makedirs: True
|
||||
|
||||
"{{ slsdotpath }}-firewall-flush":
|
||||
file.managed:
|
||||
- name: /rw/config/network-hooks.d/flush.sh
|
||||
- source: salt://{{ slsdotpath }}/files/server/network-hooks.d/flush.sh
|
||||
- mode: '0755'
|
||||
- user: root
|
||||
- group: root
|
||||
- makedirs: True
|
||||
|
||||
"{{ slsdotpath }}-firewall-flush-rules":
|
||||
file.managed:
|
||||
- name: /rw/config/network-hooks.d/flush
|
||||
- source: salt://{{ slsdotpath }}/files/server/network-hooks.d/flush
|
||||
- name: /rw/config/network-hooks.d/50-sys-pihole.sh
|
||||
- source: salt://{{ slsdotpath }}/files/server/network-hooks.d/50-sys-pihole.sh
|
||||
- mode: '0755'
|
||||
- user: root
|
||||
- group: root
|
||||
- makedirs: True
|
||||
|
||||
"{{ slsdotpath }}-dnsmasq":
|
||||
file.prepend:
|
||||
- name: /etc/dnsmasq.conf
|
||||
- text:
|
||||
- interface=lo
|
||||
- bind-interfaces
|
||||
file.managed:
|
||||
- name: /etc/dnsmasq.d/00-pihole.conf
|
||||
- source: salt://{{ slsdotpath }}/files/server/dnsmasq.d/00-pihole.conf
|
||||
- mode: '0644'
|
||||
- user: root
|
||||
- group: root
|
||||
- makedirs: True
|
||||
|
||||
"{{ slsdotpath }}-desktop-application-browser":
|
||||
file.managed:
|
||||
|
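Review bot: The renamed states `{{ slsdotpath }}-firewall`, `{{ slsdotpath }}-network-hooks` and `{{ slsdotpath }}-dnsmasq` only write the new files; nothing removes the superseded ones, and `/rw/config` persists across reboots, so on an already-deployed sys-pihole the old `70-sys-pihole-nat`, `50-sys-pihole-filter`, `60-sys-pihole-internalise`, `flush.sh` and `flush` keep running alongside the new scripts — the old nat script's ip6 `dnat to 127.0.0.1` rules in particular are exactly what this commit replaces. A `file.absent` state for those paths makes the upgrade converge; leave `/rw/config/network-hooks.d/flush` out of the list if the new hook still sources it, which this rendering does not settle. The old `file.prepend` onto `/etc/dnsmasq.conf` is likewise not reverted, which leaves a likely harmless duplicate of the two directives now in `00-pihole.conf`.
```yaml
"{{ slsdotpath }}-firewall-remove-superseded":
  file.absent:
    - names:
      - /rw/config/qubes-firewall.d/70-sys-pihole-nat
      - /rw/config/qubes-firewall.d/50-sys-pihole-filter
      - /rw/config/network-hooks.d/60-sys-pihole-internalise
      - /rw/config/network-hooks.d/flush.sh
      - /rw/config/network-hooks.d/flush
```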