On 09/12/2016 05:56 PM, Fredrik wrote:
I found some instructions on Stack Exchange but they are probably meant to be used
on the same computer as you are surfing from.
If I run this and disconnect my VPN nothing is blocked. What am I doing wrong?
iptables -P FORWARD DROP # we aren't a router
iptables -A INPUT -m state --state INVALID -j REJECT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT # my LAN and looks like I got an internal ip from my VPN provider
iptables -A INPUT -s 196.52.17.0 -j ACCEPT # vpn ip
iptables -A INPUT -s 213.179.212.2 -j ACCEPT # vpn ip
iptables -A INPUT -s 213.179.208.146 -j ACCEPT # vpn ip
iptables -P INPUT DROP # Drop everything we don't accept
Traceroute from a VM
traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 10.137.2.1 (10.137.2.1) 2.430 ms 2.414 ms 2.404 ms
2 10.137.5.1 (10.137.5.1) 2.399 ms 2.383 ms 2.373 ms
3 10.137.1.1 (10.137.1.1) 2.526 ms 2.516 ms 2.498 ms
4 192.168.1.1 (192.168.1.1) 5.915 ms 5.917 ms 5.902 ms
then out to the internet
// Fredrik
If you're using a dedicated proxyvm, then putting the rules in INPUT
won't help. Contrary to the first iptables comment, you are a router in
that case.
You could try the Qubes vpn doc[1], and configure your vpn client to
route everything over the tunnel as a gateway (typical configuration).
Then add a firewall proxyvm that has a rule to block everything that
isn't DNS or destined for your LAN subnet--connect your LAN-using vms to
this. OR you can just use your regular sys-firewall and specify that
blockage in the firewall settings tab for your appvm(s). These methods
take advantage of modular networking in Qubes.
Alternatively, you can use the Qubes vpn doc and add an internal rule to
FORWARD *ahead* of the eth0 (clearnet-blocking) lines to allow your LAN
subnet. However, in this case your vpn client or connect script will have
to set the route for the LAN also (which may already be the case). The
vpn doc setup also re-routes all DNS over the vpn tunnel, so that is
something to keep in mind for this option.
Chris
1. https://www.qubes-os.org/doc/vpn/
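An added example (not from either poster nor from the Qubes documentation) of the second approach Chris describes: the ProxyVM is a router, so the kill-switch rules live in FORWARD, and the LAN exception is appended ahead of the clearnet-blocking lines. It assumes eth0 is the ProxyVM's uplink, tun0 is the VPN tunnel and 192.168.0.0/16 is the LAN; the function prints the rules so they can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Added example for a Qubes ProxyVM used as a VPN gateway; not the thread's
# or the Qubes doc's own script. Assumed names: uplink eth0, tunnel tun0,
# LAN 192.168.0.0/16 (all hypothetical, pass your own as arguments).

# Print the FORWARD-chain rules in the order they must be applied.
vpn_forward_rules() {
    lan_subnet="$1"   # subnet that must stay reachable outside the tunnel
    uplink_if="$2"    # clearnet side of the ProxyVM
    tunnel_if="$3"    # VPN tunnel interface

    # AppVM traffic is *forwarded* through the ProxyVM, so INPUT rules never
    # see it; the policy has to be expressed in FORWARD.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # LAN exception must come *ahead* of the clearnet block, otherwise the
    # uplink DROP matches first and the LAN becomes unreachable.
    echo "iptables -A FORWARD -o $uplink_if -d $lan_subnet -j ACCEPT"
    # Anything else leaving or arriving via the uplink is dropped: this is
    # what keeps traffic from leaking when the tunnel goes down.
    echo "iptables -A FORWARD -o $uplink_if -j DROP"
    echo "iptables -A FORWARD -i $uplink_if -j DROP"
    # Remaining forwarded traffic may only use the tunnel.
    echo "iptables -A FORWARD -o $tunnel_if -j ACCEPT"
}

# Ordering check: the LAN ACCEPT must precede the uplink DROP, or the
# exception is dead code. Returns 0 when the order is correct.
lan_rule_precedes_block() {
    rules="$(vpn_forward_rules "$1" "$2" "$3")"
    accept_line=$(printf '%s\n' "$rules" | grep -n -- "-d $1 -j ACCEPT" | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- "-o $2 -j DROP" | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ]
}

# Apply as root in the ProxyVM (IPv4 only; mirror with ip6tables if IPv6 is enabled):
#   vpn_forward_rules 192.168.0.0/16 eth0 tun0 | sh
```

The LAN route itself still has to exist in the ProxyVM (set by the VPN client or connect script), as Chris notes; these rules only permit the traffic, they do not route it.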