[user@sys-firewall ~]$ sudo iptables -L -n -v --line
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP udp -- vif+ * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
2 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
5 340 65960 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 27101 13M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- vif0.0 * 0.0.0.0/0 0.0.0.0/0
3 3 156 DROP all -- vif+ vif+ 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT udp -- * * 10.137.2.10 10.137.1.1 udp dpt:53
5 0 0 ACCEPT udp -- * * 10.137.2.10 10.137.1.254 udp dpt:53
6 0 0 ACCEPT tcp -- * * 10.137.2.10 10.137.1.1 tcp dpt:53
7 0 0 ACCEPT tcp -- * * 10.137.2.10 10.137.1.254 tcp dpt:53
8 0 0 ACCEPT icmp -- * * 10.137.2.10 0.0.0.0/0
9 0 0 DROP tcp -- * * 10.137.2.10 10.137.255.254 tcp dpt:8082
10 4 208 ACCEPT all -- * * 10.137.2.10 0.0.0.0/0
11 881 57170 ACCEPT udp -- * * 10.137.2.13 10.137.1.1 udp dpt:53
12 8 484 ACCEPT udp -- * * 10.137.2.13 10.137.1.254 udp dpt:53
13 0 0 ACCEPT tcp -- * * 10.137.2.13 10.137.1.1 tcp dpt:53
14 0 0 ACCEPT tcp -- * * 10.137.2.13 10.137.1.254 tcp dpt:53
15 0 0 ACCEPT icmp -- * * 10.137.2.13 0.0.0.0/0
16 0 0 DROP tcp -- * * 10.137.2.13 10.137.255.254 tcp dpt:8082
17 518 26144 ACCEPT all -- * * 10.137.2.13 0.0.0.0/0
18 0 0 ACCEPT udp -- * * 10.137.2.12 10.137.1.1 udp dpt:53
19 0 0 ACCEPT udp -- * * 10.137.2.12 10.137.1.254 udp dpt:53
20 0 0 ACCEPT tcp -- * * 10.137.2.12 10.137.1.1 tcp dpt:53
21 0 0 ACCEPT tcp -- * * 10.137.2.12 10.137.1.254 tcp dpt:53
22 0 0 ACCEPT icmp -- * * 10.137.2.12 0.0.0.0/0
23 0 0 DROP tcp -- * * 10.137.2.12 10.137.255.254 tcp dpt:8082
24 0 0 ACCEPT all -- * * 10.137.2.12 0.0.0.0/0
25 1 52 ACCEPT tcp -- * * 10.137.2.3 10.137.255.254 tcp dpt:8082
26 0 0 REJECT all -- * * 10.137.2.3 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
As we can see, rule number 3 in the FORWARD chain drops all traffic between two vif interfaces:
3 3 156 DROP all -- vif+ vif+ 0.0.0.0/0 0.0.0.0/0
To be able to debug what happens there, we need to replace that rule.
First, let's introduce a new chain that logs whatever reaches it and then drops it:
sudo iptables -N LOGDROP
sudo iptables -A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
sudo iptables -A LOGDROP -j DROP
Afterwards, we replace rule number three so that the traffic is sent to our new chain instead of being dropped straight away:
sudo iptables -R FORWARD 3 -i vif+ -o vif+ -j LOGDROP
Try accessing a service that is not allowed from one AppVM to another AppVM, like ssh 10.137.2.xx, then switch to the sys-firewall VM and run sudo journalctl -kf to look at the kernel log (that is where the iptables log goes):
Nov 21 14:10:59 sys-firewall kernel: IPTables-Dropped: IN=vif7.0 OUT=vif3.0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:0b:08:00 SRC=10.137.2.13 DST=10.137.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=48308 DF PROTO=TCP SPT=36404 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 21 14:11:00 sys-firewall kernel: IPTables-Dropped: IN=vif7.0 OUT=vif3.0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:0b:08:00 SRC=10.137.2.13 DST=10.137.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=48309 DF PROTO=TCP SPT=36404 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 21 14:11:02 sys-firewall kernel: IPTables-Dropped: IN=vif7.0 OUT=vif3.0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:0b:08:00 SRC=10.137.2.13 DST=10.137.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=48310 DF PROTO=TCP SPT=36404 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 21 14:11:06 sys-firewall kernel: IPTables-Dropped: IN=vif7.0 OUT=vif3.0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:0b:08:00 SRC=10.137.2.13 DST=10.137.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=48311 DF PROTO=TCP SPT=36404 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 21 14:11:14 sys-firewall kernel: IPTables-Dropped: IN=vif7.0 OUT=vif3.0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:0b:08:00 SRC=10.137.2.13 DST=10.137.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=48312 DF PROTO=TCP SPT=36404 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 21 14:11:31 sys-firewall kernel: IPTables-Dropped: IN=vif7.0 OUT=vif3.0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:0b:08:00 SRC=10.137.2.13 DST=10.137.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=48313 DF PROTO=TCP SPT=36404 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
sudo iptables -R INPUT 1 -p tcp -s 10.137.2.13 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Then add the following allow rule to the file /rw/config/qubes-firewall-user-script:
sudo iptables -I FORWARD 2 -s 10.137.2.13 -p tcp --dport 22 -d 10.137.2.12 -j ACCEPT
We also need to make the file executable:
sudo chmod a+x /rw/config/qubes-firewall-user-script
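As an added example (not part of the original post), here is a small Python script that parses kernel lines in the LOGDROP format shown above (prefix "IPTables-Dropped: "), counts drops per flow, and prints a candidate FORWARD allow rule of the same shape as the one added to qubes-firewall-user-script. The log lines are constructed from the sample in the post; the suggested rule is only a starting point to review before adding it.

```python
import re
from collections import Counter

# Constructed sample in the format produced by the LOGDROP chain above
# (journalctl -k output), plus one unrelated kernel line that must be ignored.
SAMPLE_LOG = """\
Nov 21 14:10:59 sys-firewall kernel: IPTables-Dropped: IN=vif7.0 OUT=vif3.0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:0b:08:00 SRC=10.137.2.13 DST=10.137.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=48308 DF PROTO=TCP SPT=36404 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 21 14:11:00 sys-firewall kernel: IPTables-Dropped: IN=vif7.0 OUT=vif3.0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:0b:08:00 SRC=10.137.2.13 DST=10.137.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=48309 DF PROTO=TCP SPT=36404 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 21 14:12:00 sys-firewall kernel: IPTables-Dropped: IN=vif7.0 OUT=vif5.0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:0b:08:00 SRC=10.137.2.13 DST=10.137.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=5000 DPT=5353 LEN=40
Nov 21 14:12:01 sys-firewall kernel: usb 1-1: new high-speed USB device number 3
"""

PREFIX = "IPTables-Dropped: "
KV_RE = re.compile(r"(\w+)=(\S+)")  # KEY=VALUE fields; flags like DF/SYN have no '='


def parse_drop(line):
    """Return a dict of the KEY=VALUE fields of one LOGDROP line, or None if it is not one."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    return dict(KV_RE.findall(line[idx + len(PREFIX):]))


def dropped_flows(text):
    """Count logged drops per (src, dst, proto, dport).

    Note: the LOGDROP chain uses '-m limit --limit 2/min', so these counts reflect
    the rate-limited log, not every packet the DROP rule actually discarded.
    """
    flows = Counter()
    for line in text.splitlines():
        f = parse_drop(line)
        if f is None or "PROTO" not in f:
            continue
        flows[(f["SRC"], f["DST"], f["PROTO"].lower(), f.get("DPT", "-"))] += 1
    return flows


def suggest_rule(src, dst, proto, dport):
    """Build an allow rule shaped like the one in the post: inserted at position 2,
    i.e. ahead of the 'vif+ -> vif+' DROP rule in the FORWARD chain."""
    base = f"iptables -I FORWARD 2 -s {src} -d {dst} -p {proto}"
    if proto in ("tcp", "udp") and dport != "-":
        return f"{base} --dport {dport} -j ACCEPT"
    return f"{base} -j ACCEPT"


if __name__ == "__main__":
    for (src, dst, proto, dport), n in dropped_flows(SAMPLE_LOG).most_common():
        print(f"{n:4d} drops  {src} -> {dst} {proto}/{dport}")
        print("       ", suggest_rule(src, dst, proto, dport))
```

Pipe real output in with `sudo journalctl -k --no-pager | python3 script.py` by reading sys.stdin instead of SAMPLE_LOG; each suggested rule still has to be checked against the intended policy before it goes into the user script.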