author | Jimmy Axenhus <github att axenhus doot com> | 2021-03-01 10:10:17 +0100 |
committer | GitHub <noreply att github doot com> | 2021-03-01 10:10:17 +0100 |
commit | 01e87ef6ced1446133a0c98b15c9d74d12f8819d (patch) | |
tree | c495413677fc71236a0526edcc728c3d58e694b0 /qubes-firewall.d/95-qubes-vpn-exclude | |
parent | 7271689b222389e949e6b10aaf6713c9c6aaab12 (diff) | |
Fixed dropped queries for the VPN DNS.
Diffstat (limited to 'qubes-firewall.d/95-qubes-vpn-exclude')
-rw-r--r-- | qubes-firewall.d/95-qubes-vpn-exclude | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/qubes-firewall.d/95-qubes-vpn-exclude b/qubes-firewall.d/95-qubes-vpn-exclude
index b83c2f0..d1ee58a 100644
--- a/qubes-firewall.d/95-qubes-vpn-exclude
+++ b/qubes-firewall.d/95-qubes-vpn-exclude
@@ -13,6 +13,8 @@ ip6tables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # Open to external DNS server for this VM
 iptables -I OUTPUT -o eth0 -m tcp -p tcp --dport 53 -j ACCEPT
 iptables -I OUTPUT -o eth0 -m udp -p udp --dport 53 -j ACCEPT
+iptables -I OUTPUT -o tun0 -m tcp -p tcp --dport 53 -j ACCEPT
+iptables -I OUTPUT -o tun0 -m udp -p udp --dport 53 -j ACCEPT
 # Force proxied VMs to query local dnsmasq
 iptables -t nat -I PREROUTING -i vif+ -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1
@@ -22,6 +24,7 @@ iptables -t nat -I PREROUTING -i vif+ -p udp --dport 53 -j DNAT --to-destination
 iptables -I INPUT -i vif+ -p tcp --dport 53 -d 127.0.0.1 -j ACCEPT
 iptables -I INPUT -i vif+ -p udp --dport 53 -d 127.0.0.1 -j ACCEPT
 iptables -I OUTPUT -o vif+ -p udp --sport 53 -s 127.0.0.1 -j ACCEPT
+iptables -I INPUT -i tun0 -p udp --dport 53 -d 127.0.0.1 -j ACCEPT
 # This script is executed before dnsmasq goes up so we need to create ipsets here.
 # If they exists it's fine.
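Review bot: The two added OUTPUT rules for tun0 accept DNS to any destination reachable through the tunnel, whereas the commit message describes fixing queries to "the VPN DNS" specifically; if the resolver dnsmasq forwards to is a fixed address, the rules can be narrowed with `-d <VPN_DNS_IP>` (placeholder) so that a misconfigured or compromised dnsmasq cannot reach arbitrary port-53 endpoints over the VPN. The new lines also sit under the comment `# Open to external DNS server for this VM`, which now covers two interfaces without saying why; a one-line comment such as `# Also allow DNS over the VPN tunnel so dnsmasq can reach the VPN-provided resolver` would make the intent explicit. Whether the tunnel is always named tun0 is not visible here; the hard-coded name matches the eth0 lines, but if the VPN client uses a different device name these rules silently never match.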
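Review bot: The added `iptables -I INPUT -i tun0 -p udp --dport 53 -d 127.0.0.1 -j ACCEPT` matches packets arriving on tun0 that are already addressed to 127.0.0.1, but the only DNAT to 127.0.0.1 in the visible context is restricted to `-i vif+`, so unless another rewrite for tun0 exists elsewhere in the file this rule is either dead or, if such a rewrite is added later, exposes the local dnsmasq as a resolver to the VPN side of the tunnel. Replies to the queries permitted by the new OUTPUT rules are return traffic and should be admitted by a conntrack RELATED,ESTABLISHED rule rather than a port-53 INPUT accept; the hunk header shows such a rule for ip6tables FORWARD, and presumably the iptables INPUT chain has one too, which would be worth confirming. If the rule is genuinely needed, it should carry a comment stating which traffic it is for and why the conntrack rule does not cover it, and the asymmetry with the vif+ pair (UDP only, no TCP counterpart) should be explained as well.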