diff options
| author | Jimmy Axenhus <github att axenhus doot com> | 2021-02-28 16:29:27 +0100 |
|---|---|---|
| committer | Jimmy Axenhus <github att axenhus doot com> | 2021-02-28 16:29:27 +0100 |
| commit | 362206287265a8963abe9ee3f7fdec7f586502ac (patch) | |
| tree | 4e349d8dcf193105ccf4e40bd635a9947ccc572b /qubes-firewall.d/95-qubes-vpn-exclude | |
| download | qubes-vpn-exclude-362206287265a8963abe9ee3f7fdec7f586502ac.tar.bz2 qubes-vpn-exclude-362206287265a8963abe9ee3f7fdec7f586502ac.tar.zst qubes-vpn-exclude-362206287265a8963abe9ee3f7fdec7f586502ac.zip | |
Initial commit
Diffstat (limited to 'qubes-firewall.d/95-qubes-vpn-exclude')
| -rw-r--r-- | qubes-firewall.d/95-qubes-vpn-exclude | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/qubes-firewall.d/95-qubes-vpn-exclude b/qubes-firewall.d/95-qubes-vpn-exclude new file mode 100644 index 0000000..b83c2f0 --- /dev/null +++ b/qubes-firewall.d/95-qubes-vpn-exclude @@ -0,0 +1,44 @@ +#!/bin/bash + +set -e + +if [ -e /var/run/qubes/this-is-templatevm ] || \ + [ ! -e /var/run/qubes-service/vpn-exclude-domains ]; then + exit 0 +fi + +iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +ip6tables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + +# Open to external DNS server for this VM +iptables -I OUTPUT -o eth0 -m tcp -p tcp --dport 53 -j ACCEPT +iptables -I OUTPUT -o eth0 -m udp -p udp --dport 53 -j ACCEPT + +# Force proxied VMs to query local dnsmasq +iptables -t nat -I PREROUTING -i vif+ -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1 +iptables -t nat -I PREROUTING -i vif+ -p udp --dport 53 -j DNAT --to-destination 127.0.0.1 + +# Allow local DNS service to accept requests and send replies. +iptables -I INPUT -i vif+ -p tcp --dport 53 -d 127.0.0.1 -j ACCEPT +iptables -I INPUT -i vif+ -p udp --dport 53 -d 127.0.0.1 -j ACCEPT +iptables -I OUTPUT -o vif+ -p udp --sport 53 -s 127.0.0.1 -j ACCEPT + +# This script is executed before dnsmasq goes up so we need to create ipsets here. +# If they exists it's fine. +ipset create qubes-vpn-exclude-4 hash:ip &> /dev/null || true +ipset create qubes-vpn-exclude-6 hash:ip family inet6 &> /dev/null || true + +# Allow proxied VMs to make external HTTP and HTTPS requests for excluded domains +iptables -I FORWARD -o eth0 -p tcp -m tcp --dport 80 -m set --match-set qubes-vpn-exclude-4 dst -j ACCEPT +iptables -I FORWARD -o eth0 -p tcp -m tcp --dport 443 -m set --match-set qubes-vpn-exclude-4 dst -j ACCEPT +ip6tables -I FORWARD -o eth0 -p tcp -m tcp --dport 80 -m set --match-set qubes-vpn-exclude-6 dst -j ACCEPT +ip6tables -I FORWARD -o eth0 -p tcp -m tcp --dport 443 -m set --match-set qubes-vpn-exclude-6 dst -j ACCEPT + +# Allow the ProxyVM to connect too. +iptables -I OUTPUT -o eth0 -m tcp -p tcp --dport 80 -m set --match-set qubes-vpn-exclude-4 dst -j ACCEPT +iptables -I OUTPUT -o eth0 -m tcp -p tcp --dport 443 -m set --match-set qubes-vpn-exclude-4 dst -j ACCEPT +ip6tables -I OUTPUT -o eth0 -m tcp -p tcp --dport 80 -m set --match-set qubes-vpn-exclude-6 dst -j ACCEPT +ip6tables -I OUTPUT -o eth0 -m tcp -p tcp --dport 443 -m set --match-set qubes-vpn-exclude-6 dst -j ACCEPT + +sysctl -q -w net.ipv4.conf.all.route_localnet=1 net.ipv4.conf.default.route_localnet=1 net.ipv4.conf.eth0.route_localnet=0 +sysctl -q -w net.ipv6.conf.all.forwarding=1 |