Following the Qubes documentation on the firewall https://www.qubes-os.org/doc/qubes-firewall/, I tried to put some basic iptables rules into /rw/config/rc.local in an AppVM, but they don't persist after reboots:
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
When I type "sudo iptables -L" after rebooting the VM, they don't appear; I have the same rules as before, so it looks like the script isn't launched :( This is weird because the file is executable! ("sudo chmod +x rc.local"). I also tried to add sudo before every line, but it didn't change the outcome.
Any suggestions are welcome!
Regards
Don't use -F; flushing removes the inherent Qubes iptables rules.
Don't use -P either.
#!/bin/sh
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I INPUT 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 3 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 4 -p tcp --dport 443 -j ACCEPT
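An idempotent version of that rc.local, as an added example that is not part of this thread or of the Qubes documentation: it keeps the -I approach from the reply above, checks with iptables -C before inserting so that re-running the script does not duplicate rules, and never touches -F or -P. The ALLOWED_TCP_PORTS list, the IPTABLES variable and the root/binary guard at the bottom are assumptions for illustration, not Qubes conventions.

```sh
#!/bin/sh
# Added example (not from the Qubes docs or the thread): an idempotent
# /rw/config/rc.local that inserts rules at the top of INPUT instead of
# flushing, so the chains Qubes' own firewall service sets up stay intact.

# Command to run; overridable so the insertion logic can be exercised
# with a stub in place of the real binary (assumption, not a Qubes setting).
IPTABLES="${IPTABLES:-iptables}"

# Assumption: this AppVM serves HTTP/HTTPS and must accept these TCP ports.
ALLOWED_TCP_PORTS="80 443"

# ensure_rule CHAIN POS RULE...
# Insert RULE at position POS in CHAIN unless an identical rule already exists.
# `iptables -C` exits 0 when the rule is present, so running rc.local twice
# (or re-sourcing it while debugging) never creates duplicates.
ensure_rule() {
    rule_chain="$1"; rule_pos="$2"; shift 2
    if "$IPTABLES" -C "$rule_chain" "$@" 2>/dev/null; then
        echo "present: $rule_chain $*"
        return 0
    fi
    if "$IPTABLES" -I "$rule_chain" "$rule_pos" "$@"; then
        echo "inserted: $rule_chain $*"
    else
        echo "FAILED: $rule_chain $*" >&2
        return 1
    fi
}

# apply_rules: the same four rules as in the reply above, in the same order.
# Positions count upward so the order is stable; nothing is flushed and the
# chain policy is left exactly as Qubes set it.
apply_rules() {
    pos=1
    ensure_rule INPUT "$pos" -i lo -j ACCEPT || return 1
    pos=$((pos + 1))
    ensure_rule INPUT "$pos" -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    pos=$((pos + 1))
    for port in $ALLOWED_TCP_PORTS; do
        ensure_rule INPUT "$pos" -p tcp --dport "$port" -j ACCEPT || return 1
        pos=$((pos + 1))
    done
    return 0
}

# rc.local runs as root at VM start; only act when that is actually the case
# and the binary exists, so the file can also be sourced safely for inspection.
if [ "$(id -u)" -eq 0 ] && command -v "$IPTABLES" >/dev/null 2>&1; then
    apply_rules
fi
```

After a reboot, "sudo iptables -L INPUT --line-numbers" should show the four ACCEPT rules at positions 1 to 4, ahead of the Qubes-provided rules; running the script a second time prints "present:" for each rule and changes nothing.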
> When I type "sudo iptables -L" after rebooting the VM, they don't appear; I have the same rules as before, so it looks like the script isn't launched :( This is weird because the file is executable! ("sudo chmod +x rc.local"). I also tried to add sudo before every line, but it didn't change the outcome.
>
Have you made sure it's executable? (ls -al)
If not, use the full command, not an abbreviated one, because sometimes the abbreviated form only affects user and group, not everyone.
"chmod 766 rc.local"?
I don't even think that'd make it executable, but writable lol. Just do chmod a+x.
Why not filter outbound instead of inbound?
Oh ok, I thought it would make it readable and writable, but not executable. But I didn't test it.
Ya, well, I mean unless he is running a webserver I would be filtering outgoing for ports 80,443, not incoming. Figured it was just good practice.
Everything is in this chapter: "Enabling networking between two VMs".
You don't need to run custom scripts for enabling networking between two VMs.
In case you need to keep your system safe from apps connecting to each other, you can allow traffic on a single port and connect them via an SSH tunnel. Let's say you allow traffic A<>B on port 22, then connect them via ssh:
ssh -L port:ip:port user@ip, and then point the browser in the client VM to localhost. The SSH tunnel redirects you to your webserver on VM B.