Hello, On 15 May 2018 at 09:24, Eivind K. Dovik <he...@eivinddovik.com> wrote:
> On Mon, 14 May 2018, john wrote: > > On 05/14/18 14:58, Ángel wrote: >> >>> [...] >>> >> >> can you give an example to the steps to make such a fw rule, if it's >> that simple please ? >> >> > Through Qubes VM Manager, I've added the following firewall rule: > > - Deny network access except ... > - IP address of my email server > This works fine. I prefer adding my rules to my AppVM. This is how do it: 1st you can check the connections which are request by running this command in your Email AppVM. watch -n 1 'sudo netstat -tap' It will show you if your email app connects to a server But as most mail providers use more than one IP for load balancing you need to add more IPs (see my posting a few hours ago in this thread how do find the IPs your mail provider is using). This are the rules I am currently applying to my Email AppVM. You can put them into a script which loads on AppVM startup or copy & paste them into a terminal. You need use sudo for the commands or switch to root via sudo -i (if you have sudo installed). If you don't have sudo you can request a root terminal via qvm-run --auto --user root <APPVMNAME> gnome-terminal - - - - 8< - - - - snip - - - - 8< - - - - #show default policy iptables -L -v | grep policy # delete all rules iptables -t filter -F # change default policy to drop iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP # allow DNS to gateway 10.137.1.1 (this is the sys-firewall) iptables -A OUTPUT -p udp -d 10.139.1.1 --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p udp -s 10.139.1.1 --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp -d 10.139.1.1 --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp -s 10.139.1.1 --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT # Allow outgoing ping/echo (only for troubleshooting / can be removed afterwards) iptables -A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT ### allow IMAP (valid for germany, use other IPs you're from somewhere else) # Gmail IMAP iptables -A OUTPUT -p tcp -d 108.177.96.0/19 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp -s 108.177.96.0/19 --sport 993 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -p tcp -d 74.125.0.0/16 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp -s 74.125.0.0/16 --sport 993 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -p tcp -d 64.233.160.0/19 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp -s 64.233.160.0/19 --sport 993 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -p tcp -d 108.177.8.0/21 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp -s 108.177.8.0/21 --sport 993 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -p tcp -d 173.194.0.0/16 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp -s 173.194.0.0/16 --sport 993 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -p tcp -d 66.102.0.0/20 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp -s 66.102.0.0/20 --sport 993 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # Outlook IMAP iptables -A OUTPUT -p tcp -d 40.96.0.0/13 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp -s 40.96.0.0/13 --sport 993 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT ### allow SMTP #Gmail SMTP iptables -A OUTPUT -p tcp -d 74.125.0.0/16 --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp -s 74.125.0.0/16 --sport 587 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -p tcp -d 108.177.8.0/21 --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp -s 108.177.8.0/21 --sport 587 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -p tcp -d 108.177.96.0/19 --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp -s 108.177.96.0/19 --sport 587 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT #Outlook SMTP iptables -A OUTPUT -p tcp -d 40.96.0.0/13 --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp -s 40.96.0.0/13 --sport 587 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # allow everything for localhost iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT - - - - 8< - - - - [799] -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAJ3yz2sa%2Byu%2BPxXzgc2yqYXCoaaKMMiURqZdBrL77gu%3DzruGzw%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
