From 50d6777c992fb4f687ae1374b59073fe9af853ac Mon Sep 17 00:00:00 2001
From: Jimmy Axenhus
Date: Mon, 1 Mar 2021 12:59:19 +0100
Subject: Improve comments for the firewall script

---
 qubes-firewall.d/95-qubes-vpn-exclude | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/qubes-firewall.d/95-qubes-vpn-exclude b/qubes-firewall.d/95-qubes-vpn-exclude
index d1ee58a..b37751b 100644
--- a/qubes-firewall.d/95-qubes-vpn-exclude
+++ b/qubes-firewall.d/95-qubes-vpn-exclude
@@ -13,10 +13,13 @@ ip6tables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
 # Open to external DNS server for this VM
 iptables -I OUTPUT -o eth0 -m tcp -p tcp --dport 53 -j ACCEPT
 iptables -I OUTPUT -o eth0 -m udp -p udp --dport 53 -j ACCEPT
+
+# Open to VPN DNS server for this VM
 iptables -I OUTPUT -o tun0 -m tcp -p tcp --dport 53 -j ACCEPT
 iptables -I OUTPUT -o tun0 -m udp -p udp --dport 53 -j ACCEPT
+iptables -I INPUT -i tun0 -p udp --dport 53 -d 127.0.0.1 -j ACCEPT
 
-# Force proxied VMs to query local dnsmasq
+# Force proxied VMs to query local DNS server
 iptables -t nat -I PREROUTING -i vif+ -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1
 iptables -t nat -I PREROUTING -i vif+ -p udp --dport 53 -j DNAT --to-destination 127.0.0.1
@@ -24,7 +27,6 @@ iptables -t nat -I PREROUTING -i vif+ -p udp --dport 53 -j DNAT --to-destination
 iptables -I INPUT -i vif+ -p tcp --dport 53 -d 127.0.0.1 -j ACCEPT
 iptables -I INPUT -i vif+ -p udp --dport 53 -d 127.0.0.1 -j ACCEPT
 iptables -I OUTPUT -o vif+ -p udp --sport 53 -s 127.0.0.1 -j ACCEPT
-iptables -I INPUT -i tun0 -p udp --dport 53 -d 127.0.0.1 -j ACCEPT
 
 # This script is executed before dnsmasq goes up so we need to create ipsets here.
 # If they exists it's fine.
-- 
cgit v1.2.3
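Review bot: The rule moved under the new "Open to VPN DNS server for this VM" heading, `iptables -I INPUT -i tun0 -p udp --dport 53 -d 127.0.0.1 -j ACCEPT`, does not do what that heading says: the two OUTPUT lines above it let this VM query the VPN's resolver, whereas this INPUT line accepts unsolicited UDP/53 arriving from the tunnel and addressed to the local resolver on 127.0.0.1, i.e. it exposes the local DNS service to whatever is on the VPN side rather than opening anything towards the VPN DNS server. Replies to the outbound queries would be matched by a RELATED,ESTABLISHED rule if one exists on the iptables INPUT chain (only the ip6tables FORWARD one is visible in the hunk header), so this line is either unnecessary or serves a purpose the comment hides; the same line is the one deleted in the second hunk, so the commit relocates rather than introduces it. Either drop it, or give it its own comment stating the actual contract, e.g. `# Accept DNS queries from the VPN side to the local resolver (not replies; those match conntrack)`, and note that delivery to 127.0.0.1 from a non-loopback interface presumably also depends on route_localnet being enabled for tun0, which this script does not set.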