@nsoui
Last active November 21, 2017 19:17
Basic operations on Qubes Firewall config

Modify the System Firewall to log more

[user@sys-firewall ~]$ sudo iptables -L -n -v --line
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       udp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
5      340 65960 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    27101   13M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  vif0.0 *       0.0.0.0/0            0.0.0.0/0           
3        3   156 DROP       all  --  vif+   vif+    0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     udp  --  *      *       10.137.2.10          10.137.1.1           udp dpt:53
5        0     0 ACCEPT     udp  --  *      *       10.137.2.10          10.137.1.254         udp dpt:53
6        0     0 ACCEPT     tcp  --  *      *       10.137.2.10          10.137.1.1           tcp dpt:53
7        0     0 ACCEPT     tcp  --  *      *       10.137.2.10          10.137.1.254         tcp dpt:53
8        0     0 ACCEPT     icmp --  *      *       10.137.2.10          0.0.0.0/0           
9        0     0 DROP       tcp  --  *      *       10.137.2.10          10.137.255.254       tcp dpt:8082
10       4   208 ACCEPT     all  --  *      *       10.137.2.10          0.0.0.0/0           
11     881 57170 ACCEPT     udp  --  *      *       10.137.2.13          10.137.1.1           udp dpt:53
12       8   484 ACCEPT     udp  --  *      *       10.137.2.13          10.137.1.254         udp dpt:53
13       0     0 ACCEPT     tcp  --  *      *       10.137.2.13          10.137.1.1           tcp dpt:53
14       0     0 ACCEPT     tcp  --  *      *       10.137.2.13          10.137.1.254         tcp dpt:53
15       0     0 ACCEPT     icmp --  *      *       10.137.2.13          0.0.0.0/0           
16       0     0 DROP       tcp  --  *      *       10.137.2.13          10.137.255.254       tcp dpt:8082
17     518 26144 ACCEPT     all  --  *      *       10.137.2.13          0.0.0.0/0           
18       0     0 ACCEPT     udp  --  *      *       10.137.2.12          10.137.1.1           udp dpt:53
19       0     0 ACCEPT     udp  --  *      *       10.137.2.12          10.137.1.254         udp dpt:53
20       0     0 ACCEPT     tcp  --  *      *       10.137.2.12          10.137.1.1           tcp dpt:53
21       0     0 ACCEPT     tcp  --  *      *       10.137.2.12          10.137.1.254         tcp dpt:53
22       0     0 ACCEPT     icmp --  *      *       10.137.2.12          0.0.0.0/0           
23       0     0 DROP       tcp  --  *      *       10.137.2.12          10.137.255.254       tcp dpt:8082
24       0     0 ACCEPT     all  --  *      *       10.137.2.12          0.0.0.0/0           
25       1    52 ACCEPT     tcp  --  *      *       10.137.2.3           10.137.255.254       tcp dpt:8082
26       0     0 REJECT     all  --  *      *       10.137.2.3           0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination 

As we can see, rule number 3 in the FORWARD chain drops all traffic between two vif interfaces, that is, between any two AppVMs behind this sys-firewall (the per-VM ACCEPT rules further down are never reached for such traffic):

3        3   156 DROP       all  --  vif+   vif+    0.0.0.0/0            0.0.0.0/0           

To see what is being dropped there, we replace that rule with one that logs the packet before dropping it.

Add a LOGDROP logging/dropping chain

First, introduce a new chain that logs whatever reaches it (rate-limited to two log lines per minute so that a flood cannot fill the journal) and then drops it:

sudo iptables -N LOGDROP
sudo iptables -A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
sudo iptables -A LOGDROP -j DROP

Redirect dropped packets to the LOGDROP chain

Then replace rule number three so that vif-to-vif traffic is sent to the new chain instead of being dropped outright. Check the number first with sudo iptables -L FORWARD -n --line-numbers: it is only 3 as long as nothing has been inserted above it, and -R silently replaces whatever rule currently has that number.

sudo iptables -R FORWARD 3 -i vif+ -o vif+ -j LOGDROP
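The two steps above as one script, added here as an example and not part of the gist: it locates the vif-to-vif DROP rule in the output of iptables -S FORWARD by content instead of assuming it is number 3, recreates LOGDROP idempotently, and prints the resulting iptables commands so they can be reviewed before being piped into sudo sh. The sample chain embedded at the bottom is constructed from the listing above; the file name logdrop.sh is assumed.

```sh
#!/bin/sh
# Added example, not from the gist: build the LOGDROP swap for sys-firewall
# without hard-coding the rule number. Dry run by default: it prints the
# iptables commands, so review them and then pipe them into `sudo sh`.
#
# On sys-firewall (logdrop.sh is an assumed file name):
#   . ./logdrop.sh
#   sudo iptables -S FORWARD | emit_logdrop_commands            # review
#   sudo iptables -S FORWARD | emit_logdrop_commands | sudo sh  # apply

# rule_index LITERAL: read `iptables -S FORWARD` on stdin and print the
# 1-based position of the first FORWARD rule containing LITERAL, which is
# the number `iptables -R FORWARD N` expects. Prints nothing if absent.
rule_index() {
    awk -v pat="$1" '
        $1 == "-A" && $2 == "FORWARD" {
            n++
            if (index($0, pat)) { print n; exit }
        }'
}

# emit_logdrop_commands: read `iptables -S FORWARD` on stdin and print the
# commands that (re)create LOGDROP and point the vif-to-vif rule at it.
# `iptables -N` fails if the chain already exists, so the error is ignored
# and the chain is flushed, which makes the script safe to run twice.
emit_logdrop_commands() {
    n=$(rule_index '-i vif+ -o vif+ -j DROP')
    if [ -z "$n" ]; then
        echo "no 'vif+ -> vif+ DROP' rule in FORWARD; nothing to replace" >&2
        return 1
    fi
    cat <<EOF
iptables -N LOGDROP 2>/dev/null || true
iptables -F LOGDROP
iptables -A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGDROP -j DROP
iptables -R FORWARD $n -i vif+ -o vif+ -j LOGDROP
EOF
}

# Constructed sample of `iptables -S FORWARD` output, mirroring the first
# rules of the chain listed above (the DROP is rule 3 here as well).
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vif0.0 -j ACCEPT
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -s 10.137.2.10/32 -d 10.137.1.1/32 -p udp -m udp --dport 53 -j ACCEPT'

# Stand-alone demo on the sample; on sys-firewall feed real -S output instead.
printf '%s\n' "$SAMPLE_FORWARD" | emit_logdrop_commands
```

Because the script reads iptables -S rather than the -L listing, it is not confused by the column layout or by counters, and the same rule_index helper can be pointed at any other rule text when a different rule has to be replaced.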

Check the logging

Try to reach a service that is not allowed from one AppVM to another, for example ssh 10.137.2.xx, then switch to the sys-firewall VM and run sudo journalctl -kf to follow the kernel log, which is where the iptables LOG target writes:

Nov 21 14:10:59 sys-firewall kernel: IPTables-Dropped: IN=vif7.0 OUT=vif3.0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:0b:08:00 SRC=10.137.2.13 DST=10.137.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=48308 DF PROTO=TCP SPT=36404 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 
Nov 21 14:11:00 sys-firewall kernel: IPTables-Dropped: IN=vif7.0 OUT=vif3.0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:0b:08:00 SRC=10.137.2.13 DST=10.137.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=48309 DF PROTO=TCP SPT=36404 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 
Nov 21 14:11:02 sys-firewall kernel: IPTables-Dropped: IN=vif7.0 OUT=vif3.0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:0b:08:00 SRC=10.137.2.13 DST=10.137.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=48310 DF PROTO=TCP SPT=36404 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 
Nov 21 14:11:06 sys-firewall kernel: IPTables-Dropped: IN=vif7.0 OUT=vif3.0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:0b:08:00 SRC=10.137.2.13 DST=10.137.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=48311 DF PROTO=TCP SPT=36404 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 
Nov 21 14:11:14 sys-firewall kernel: IPTables-Dropped: IN=vif7.0 OUT=vif3.0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:0b:08:00 SRC=10.137.2.13 DST=10.137.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=48312 DF PROTO=TCP SPT=36404 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 
Nov 21 14:11:31 sys-firewall kernel: IPTables-Dropped: IN=vif7.0 OUT=vif3.0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:0b:08:00 SRC=10.137.2.13 DST=10.137.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=48313 DF PROTO=TCP SPT=36404 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 
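The six lines above are the SYN retransmissions of a single ssh attempt from 10.137.2.13 (vif7.0) to 10.137.2.10 (vif3.0), which is already hard to read for one connection; a busy firewall produces far more. The following helper, added here as an example and not part of the gist, condenses such journal output into one line per source, destination and protocol/port. The first three sample lines are copied from the output above; the remaining ones are constructed to exercise UDP, ICMP and an unrelated kernel message.

```sh
#!/bin/sh
# Added example, not from the gist: condense LOGDROP lines from
# `journalctl -k` into one line per (source, destination, protocol/port),
# which is the question you actually want answered: who is trying to talk
# to whom, and on which port.
#
#   sudo journalctl -k | summarize_drops
#   sudo journalctl -k --since "10 min ago" | summarize_drops

# summarize_drops: read kernel log lines on stdin, keep those carrying the
# "IPTables-Dropped:" prefix set on the LOG rule, and print
# "<count> <src> -> <dst> <PROTO>/<dport>" sorted by count, highest first.
# ICMP has no port, so it is printed as "<PROTO>" alone.
summarize_drops() {
    awk '
        /IPTables-Dropped:/ {
            src = dst = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "DST")   dst   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            key = src " -> " dst " " proto (dpt == "" ? "" : "/" dpt)
            count[key]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample: the first three lines are copied from the journal
# output above; the last three are made up (a UDP and an ICMP drop towards
# 10.137.2.12 on the assumed interface vif5.0, and a message to ignore).
SAMPLE_LOG='Nov 21 14:10:59 sys-firewall kernel: IPTables-Dropped: IN=vif7.0 OUT=vif3.0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:0b:08:00 SRC=10.137.2.13 DST=10.137.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=48308 DF PROTO=TCP SPT=36404 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 21 14:11:00 sys-firewall kernel: IPTables-Dropped: IN=vif7.0 OUT=vif3.0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:0b:08:00 SRC=10.137.2.13 DST=10.137.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=48309 DF PROTO=TCP SPT=36404 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 21 14:11:02 sys-firewall kernel: IPTables-Dropped: IN=vif7.0 OUT=vif3.0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:0b:08:00 SRC=10.137.2.13 DST=10.137.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=48310 DF PROTO=TCP SPT=36404 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 21 14:12:30 sys-firewall kernel: IPTables-Dropped: IN=vif7.0 OUT=vif5.0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:0b:08:00 SRC=10.137.2.13 DST=10.137.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=51000 DPT=53 LEN=40
Nov 21 14:12:31 sys-firewall kernel: IPTables-Dropped: IN=vif7.0 OUT=vif5.0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:0b:08:00 SRC=10.137.2.13 DST=10.137.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Nov 21 14:12:32 sys-firewall kernel: unrelated kernel message'

# Stand-alone demo on the sample; on sys-firewall pipe journalctl -k into it.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

Keep in mind that the LOG rule is rate-limited (2/min, with iptables' default burst of 5), so these counts are of logged packets and are a lower bound on what was dropped; the packet counter of the DROP rule shown by sudo iptables -L LOGDROP -n -v has the full number.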

SSH between two AppVMs

Enable incoming SSH traffic in one VM

In the destination AppVM (10.137.2.12 in the example below), allow incoming SSH from the source VM:

sudo iptables -R INPUT 1 -p tcp -s 10.137.2.13 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Note that -R INPUT 1 replaces whatever rule is currently first in the AppVM's INPUT chain; check it with sudo iptables -L INPUT -n --line-numbers first, or use -I INPUT 1 to insert without replacing anything. Either way the rule is gone after a reboot of the AppVM unless it is also added to /rw/config/rc.local.

Sys-Firewall: Allow SSH traffic from one specific VM to one specific VM

In sys-firewall, add the following line to /rw/config/qubes-firewall-user-script; Qubes runs that script when it sets up its own firewall rules, so the rule survives a reboot of sys-firewall:

sudo iptables -I FORWARD 2 -s 10.137.2.13 -p tcp --dport 22 -d 10.137.2.12 -j ACCEPT

-I FORWARD 2 places the rule right after the RELATED,ESTABLISHED accept and, crucially, above the vif+ to vif+ DROP (rule 3 in the listing above); a rule appended with -A would sit below that DROP and never be reached. The reply packets need no extra rule, they match rule 1.

The script is only run if it is executable:

sudo chmod a+x /rw/config/qubes-firewall-user-script
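To check the ordering argument without touching a live firewall, here is a small walker over iptables -S FORWARD output, added as an example and not part of the gist, that reports which FORWARD rule a new connection would hit. It understands only the matches the Qubes chain above uses (-s, -d, -i, -o, -p, --dport and conntrack --ctstate) and is a constructed approximation for checking rule order, not a substitute for iptables. The two embedded chains are constructed from the listing above; vif7.0 and vif3.0 are the interfaces seen in the log, vif5.0 for 10.137.2.12 is assumed.

```sh
#!/bin/sh
# Added example, not from the gist: a small walker over `iptables -S FORWARD`
# output that reports which rule a new connection would hit. It understands
# only the matches the Qubes chain above uses (-s, -d, -i, -o, -p, --dport,
# conntrack --ctstate) and is a constructed approximation for checking rule
# ORDER, not a substitute for iptables itself.
#
#   sudo iptables -S FORWARD | forward_verdict vif7.0 vif5.0 10.137.2.13 10.137.2.12 tcp 22
#
# forward_verdict <in-if> <out-if> <src> <dst> <proto> <dport>
# prints "<rule-number> <target>" for the first matching rule, or
# "policy <target>" if no rule matches.
forward_verdict() {
    awk -v pin="$1" -v pout="$2" -v psrc="$3" -v pdst="$4" \
        -v pproto="$5" -v pdport="$6" '
    # Interface match: "" means any, a trailing "+" is a prefix wildcard.
    function ifmatch(spec, name,    p) {
        if (spec == "") return 1
        if (substr(spec, length(spec)) == "+") {
            p = substr(spec, 1, length(spec) - 1)
            return substr(name, 1, length(p)) == p
        }
        return spec == name
    }
    # -S prints single hosts as a.b.c.d/32; compare on the address only.
    function host(a) { sub(/\/32$/, "", a); return a }
    $1 == "-P" && $2 == "FORWARD" { policy = $3; next }
    $1 == "-A" && $2 == "FORWARD" {
        n++
        rs = rd = ri = ro = rp = rdp = target = ""; stateful = 0
        for (i = 3; i <= NF; i++) {
            if      ($i == "-s")        rs = host($(++i))
            else if ($i == "-d")        rd = host($(++i))
            else if ($i == "-i")        ri = $(++i)
            else if ($i == "-o")        ro = $(++i)
            else if ($i == "-p")        rp = $(++i)
            else if ($i == "--dport")   rdp = $(++i)
            else if ($i == "--ctstate") { stateful = 1; i++ }
            else if ($i == "-j")        target = $(++i)
        }
        # The packet being checked opens a new flow, so it can never match
        # the RELATED,ESTABLISHED rule; that rule only covers replies.
        if (stateful) next
        if (rs != "" && rs != psrc) next
        if (rd != "" && rd != pdst) next
        if (!ifmatch(ri, pin) || !ifmatch(ro, pout)) next
        if (rp != "" && rp != pproto) next
        if (rdp != "" && rdp != pdport) next
        print n, target; found = 1; exit
    }
    END { if (!found) print "policy", policy }
    '
}

# Constructed sample: the FORWARD chain from the listing above after
# `iptables -I FORWARD 2 -s 10.137.2.13 -p tcp --dport 22 -d 10.137.2.12 -j ACCEPT`,
# trimmed to the rules that matter for source 10.137.2.13 and 10.137.2.3.
CHAIN_INSERTED='-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.137.2.13/32 -d 10.137.2.12/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i vif0.0 -j ACCEPT
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -s 10.137.2.13/32 -d 10.137.1.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 10.137.2.13/32 -j ACCEPT
-A FORWARD -s 10.137.2.3/32 -j REJECT --reject-with icmp-host-prohibited'

# The same rule appended with -A instead: it lands below the vif+ DROP.
CHAIN_APPENDED='-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vif0.0 -j ACCEPT
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -s 10.137.2.13/32 -j ACCEPT
-A FORWARD -s 10.137.2.13/32 -d 10.137.2.12/32 -p tcp -m tcp --dport 22 -j ACCEPT'

# Stand-alone demo: the inserted rule is hit, the appended one is shadowed.
printf '%s\n' "$CHAIN_INSERTED" | forward_verdict vif7.0 vif5.0 10.137.2.13 10.137.2.12 tcp 22   # 2 ACCEPT
printf '%s\n' "$CHAIN_APPENDED" | forward_verdict vif7.0 vif5.0 10.137.2.13 10.137.2.12 tcp 22   # 3 DROP
```

The same walker answers the other questions a reader of the chain listing might have, for instance that ssh from 10.137.2.13 to 10.137.2.10 still hits the vif+ DROP, that DNS from 10.137.2.13 to 10.137.1.1 is accepted by its per-VM rule, and that a source with no rules at all falls through to the DROP policy.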