On 11/23/19 9:33 AM, swisspal...@firemail.cc wrote:
Hello,

I want to achieve the following:

sys-net should only be accessible by sys-firewall and sys-firewall should only be accessible by sys-whonix.

No AppVM should be able to connect to the internet if I set sys-net or sys-firewall as NetVM. Internet access should only be possible via sys-whonix.

What I tried so far is:
I flushed the INPUT chain on sys-net and applied these 2 commands

sudo iptables -I INPUT -i vif5.0 -s 10.137.0.6 -j ACCEPT

(10.137.0.6 is the IP of sys-firewall)

sudo iptables -I INPUT -i vif5.0 -j DROP


This configuration already kind of works. If I create a new AppVM and connect it to sys-net, then I cannot even ping sys-net anymore.

But then I noticed that another vif interface on sys-net came up as soon as I connected the new AppVM. This is confusing me, as I'm afraid that could lead to potential leaks in the future.

I am unsure how I should proceed with the configuration of this setup. I don't know much about networking and especially because it is on Qubes it's a bit more difficult to be sure of how things work.

I presume that I probably should make a specific NAT rule but I really have no clue.

What I also don't understand is:
- Are the IPs that are assigned to the VMs static or do they change over time? If they change, can I make them static?

IIRC they're dynamic.


- Will the flushing of a chain in a fresh VM interfere with the functionality of the VM? I saw QBS-Forwarding rules and so on. I guess it's not a good idea to delete those.

QBS-Forwarding will stomp over what you try to add there. It's managed by Qubes. However, it exists in order to allow FORWARD to be user-managed.

One way to do it might be to allow only one downstream vif in sys-firewall: Add a general eth0 block on top of the FORWARD chain. Then, have a script that waits for the first vif to appear; when it does, add FORWARD rule to allow it, then exit the script.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
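The single-vif approach described in the reply above, written out as an added example script (not code from the thread or from Qubes itself). It assumes the script runs as root inside sys-firewall, that the upstream interface is eth0 and downstream interfaces are named vif*, and that iptables is still the firewall in use; the SYSFS_NET and IPTABLES variables exist only so the logic can be dry-run.

```sh
#!/bin/sh
# Added example (not from the thread): pin sys-firewall to one downstream vif.
# Block all forwarding toward eth0, wait for the first vif* interface to
# appear, then allow only that one. Run as root in sys-firewall; hooking it
# in from /rw/config/qubes-firewall-user-script is an assumption.
# Reply traffic (eth0 -> vif) is unaffected by the "-o eth0" drop, so flows
# from the allowed vif keep working.

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"   # overridable so the logic can be tested
IPTABLES="${IPTABLES:-iptables}"           # set to "echo iptables" for a dry run
POLL_SECS="${POLL_SECS:-1}"

# Print the name of the first vif* interface present (sorted order), or fail.
first_vif() {
    for dev in "$SYSFS_NET"/vif*; do
        [ -e "$dev" ] || continue          # unmatched glob stays literal; skip it
        basename "$dev"
        return 0
    done
    return 1
}

# Poll until some vif exists, then print its name.
wait_for_vif() {
    until vif=$(first_vif); do
        sleep "$POLL_SECS"
    done
    printf '%s\n' "$vif"
}

# The general block: nothing is forwarded out eth0 unless a rule above allows it.
block_eth0() {
    $IPTABLES -I FORWARD -o eth0 -j DROP
}

# Inserted at the top of FORWARD, so it sits above the drop for this vif only.
allow_vif() {
    $IPTABLES -I FORWARD -i "$1" -o eth0 -j ACCEPT
}

# Block first so no vif slips through during the wait; then admit exactly one.
main() {
    block_eth0
    allow_vif "$(wait_for_vif)"
}

if [ "${1:-}" = "--apply" ]; then
    main
fi
```

A second vif attached later still matches the drop, which is the point; remove the ACCEPT rule by hand if the allowed qube is ever replaced.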
