rc.local iptables persistence on reboot


nishi...@gmail.com

Sep 17, 2016, 8:14:15 PM
to qubes-users
Hello,

Following the Qubes documentation on the firewall https://www.qubes-os.org/doc/qubes-firewall/, I tried to put some basic iptables rules into /rw/config/rc.local in an AppVM, but they don't persist after reboots:

iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

When I type "sudo iptables -L", they don't appear after rebooting the VM; I have the same rules as before, so it looks like the script isn't launched :( This is weird because the file is executable! ("sudo chmod +x rc.local"). I also tried to add sudo before every line, but it didn't change the outcome.

Any suggestions are welcome!
Regards

Connor Page

Sep 18, 2016, 2:36:53 PM
to qubes-users
does it start with this?
#!/bin/sh

nishi...@gmail.com

Sep 19, 2016, 12:35:11 PM
to qubes-users
On Sunday, 18 September 2016 20:36:53 UTC+2, Connor Page wrote:
> does it start with this?
> #!/bin/sh

Yes

Connor Page

Sep 20, 2016, 8:36:45 AM
to qubes-users
would you mind posting the whole script?

nishi...@gmail.com

Sep 20, 2016, 11:05:38 AM
to qubes-users
Yes, my script is already posted here. I was implying the sh shebang, as we're talking about a file that already contains it before any changes are made. But thanks for checking.

Connor Page

Sep 21, 2016, 6:36:20 PM
to qubes-users
I once managed to add a line break before the shebang. It took me a bit of time to figure out why VM services did not start.
I can't see what could fail in your script other than $PATH being incomplete or unset.

Drew White

Sep 21, 2016, 9:14:43 PM
to qubes-users, nishi...@gmail.com
On Sunday, 18 September 2016 10:14:15 UTC+10, nishi...@gmail.com wrote:
> Hello,
>
> Following Qubes documentation on firewall https://www.qubes-os.org/doc/qubes-firewall/, I tried to put some basics iptables rules into /rw/config/rc.local in an AppVM but they don't persist after reboots :
>
> iptables -F

Don't use -F; flushing removes the Qubes inherent IPTables rules.
Don't -P either.

#!/bin/sh
# Insert at fixed positions at the top of INPUT instead of flushing,
# so the rules Qubes installs stay in place below them.
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I INPUT 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 3 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 4 -p tcp --dport 443 -j ACCEPT


> When I type "sudo iptables -L", they don't appear after rebooting the VM, I have the same rules as before, it looks like the script isn't launched :( This is weird because the file is executable ! ("sudo chmod +x rc.local"). Also I tried to add sudo before every line but it didn't change the outcome.
>

Have you made sure it's executable? (ls -al)

If not, use the full command, not an abbreviated one, because sometimes the abbreviated form only affects user and group, not everyone.
"chmod 766 rc.local"?
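As an added example, not code from the thread or from the Qubes project: a small POSIX sh lint for an rc.local candidate that checks the points raised so far, namely Connor Page's (the shebang must be the very first line; a bare `iptables` depends on $PATH) and Drew White's (no -F or -P; the file must be executable), and flags a world-writable mode such as 766. The two sample files it writes to a temp directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Qubes project code): lint an /rw/config/rc.local
# candidate for the problems raised in this thread. Prints one line per
# finding; returns 0 when clean, 1 otherwise.
lint_rc_local() {
    f="$1"; rc=0
    # The shebang must be on line 1: a blank line before it, or a missing
    # '!', means the kernel will not run the file as a script.
    first=$(head -n 1 "$f")
    case "$first" in
        '#!'*) ;;
        '#/'*) echo "$f: shebang lacks '!' ('$first'); use #!/bin/sh"; rc=1 ;;
        '')    echo "$f: line 1 is empty; the shebang must be first"; rc=1 ;;
        *)     echo "$f: line 1 is not a shebang: '$first'"; rc=1 ;;
    esac
    # Must be executable for everyone (chmod a+x), not world-writable.
    [ -x "$f" ] || { echo "$f: not executable (chmod a+x)"; rc=1; }
    case "$(ls -ld "$f")" in
        ????????w*) echo "$f: world-writable (e.g. chmod 766); use 755"; rc=1 ;;
    esac
    # -F flushes and -P overrides the rules Qubes installs; add with -I/-A.
    if grep -Eq 'iptables[^#]*[[:space:]]-(F|P)([[:space:]]|$)' "$f"; then
        echo "$f: uses iptables -F or -P; insert rules with -I/-A instead"; rc=1
    fi
    # A bare 'iptables' depends on $PATH being set when rc.local runs.
    if grep -Eq '^[[:space:]]*(sudo[[:space:]]+)?iptables[[:space:]]' "$f"; then
        echo "$f: note: iptables called without its full path"
    fi
    return $rc
}

# Constructed sample files for the demo; not taken from a real VM.
write_samples() {
    d=$(mktemp -d)
    printf '%s\n' '#!/bin/sh' \
        'iptables -I INPUT 1 -i lo -j ACCEPT' \
        'iptables -I INPUT 2 -p tcp --dport 443 -j ACCEPT' > "$d/good"
    chmod 755 "$d/good"
    printf '%s\n' '' '#!/bin/sh' 'iptables -F' 'iptables -P INPUT DROP' > "$d/bad"
    chmod 766 "$d/bad"
    echo "$d"
}

SAMPLES=$(write_samples)
lint_rc_local "$SAMPLES/good" && echo "good: no findings"
lint_rc_local "$SAMPLES/bad" || echo "bad: rejected"
```

Run it against your own file with `lint_rc_local /rw/config/rc.local`; the "good" sample only produces the $PATH note, while the "bad" sample is rejected for the blank first line, the 766 mode and the -F/-P lines.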

Connor Page

Sep 22, 2016, 7:46:45 AM
to qubes-users
A world-writable script executed as root is the worst advice I've ever seen on this mailing list.
Please don't do that!

raah...@gmail.com

Oct 11, 2016, 1:19:16 AM
to qubes-users
On Thursday, September 22, 2016 at 7:46:45 AM UTC-4, Connor Page wrote:
> world writable script executed as root is the worst advice I've ever seen on this mailing list.
> please don't do that!

I don't even think that'd make it executable, but writable lol. Just do chmod a+x.

Why not filter outbound instead of inbound?

Unman

Oct 11, 2016, 6:16:31 AM
to raah...@gmail.com, qubes-users
chmod 766 does make it executable, obviously - it also makes it world
writable.

I've seen plenty of worse advice on the lists.
The fact that it's now world writable is a red herring. Every file in a
qube is writeable by the user in default setup, regardless of
permissions. It doesn't matter.
Look at /etc/sudoers.d/qubes

Setting custom iptables rules from rc.local is possible - whether it
adds anything more than a minimal layer of safety is questionable. I
choose to set inbound and outbound restrictions on all net and proxy
qubes, and custom restrictions on FORWARD rules too.

unman

raah...@gmail.com

Oct 11, 2016, 3:20:49 PM
to qubes-users, raah...@gmail.com, un...@thirdeyesecurity.org

Oh ok, I thought it would make it readable and writable, but not executable. But I didn't test it.

Ya well, I mean unless he is a webserver I would be filtering outgoing for ports 80,443, not incoming. Figured it was just good practice.


pleo...@gmail.com

Oct 11, 2016, 6:28:35 PM
to qubes-users, nishi...@gmail.com
https://www.qubes-os.org/doc/qubes-firewall/

Everything is in this chapter, "Enabling networking between two VMs".
You don't need to run custom scripts for enabling networking between two VMs.

In case you need your system safe from apps connecting to each other, you can allow traffic on a single port and connect them via an SSH tunnel. Let's say you allow traffic A<>B on port 22, then connect them via ssh:
ssh -L port:ip:port user@ip and then point the browser in the client VM to localhost. The SSH tunnel redirects you to your webserver on VM B.

Manuel Amador (Rudd-O)

Oct 11, 2016, 6:53:40 PM
to qubes...@googlegroups.com
On 09/18/2016 12:14 AM, nishi...@gmail.com wrote:
> iptables -F
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp --dport 443 -j ACCEPT
>

Looks to me like you would be a happy user of

https://github.com/Rudd-O/qubes-network-server

With it, set a static IP on your VM as per the instructions, and that's
it. Your VM should be accessible at that IP by other VMs on your
system. No need to futz with config files or scripts.

--
Rudd-O
http://rudd-o.com/
