#!/bin/sh

########################################################################
##
##  tunnel-restrict-firewall
##  Configure Qubes firewall for use with a tunnel such as OpenVPN.
##
##  Note: For customization, add rules to a filename in firewall.d
##  other than '90_tunnel-restrict'.


correct_ips() {
    # Correct the 10.137.x.x nameserver IPs in FORWARD chain (Qubes 3.x)
    . /var/run/qubes/qubes-ns
    nspath=/var/run/qubes/qubes-tunnel-ns
    if [ -f $nspath ]; then
        iptables-save -t filter >/tmp/qtunnel-fw-filter
        read vpn_dns <$nspath ; nsend=1
        q_addr=""
        for DNS in $vpn_dns; do
            sed -i -r 's/(-A FORWARD.+-d )10\.137\.[0-9]+\.'$nsend'(.+dport 53 -j ACCEPT)$/\1'$DNS'\2/' \
                /tmp/qtunnel-fw-filter
            nsend=254
            # workaround for Qubes 3.x:
            iptables -t nat -I PR-QBS $q_addr -i vif+ -p tcp --dport 53 -j DNAT --to $DNS
            iptables -t nat -I PR-QBS $q_addr -i vif+ -p udp --dport 53 -j DNAT --to $DNS
            q_addr="-d $NS1"
        done
        iptables-restore -T filter </tmp/qtunnel-fw-filter
    fi
}

# Set firewall restriction policy

# Stop all leaks between downstream (vif+) and upstream (Internet eth0):
iptables -P FORWARD DROP
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP

ip6tables -P FORWARD DROP
ip6tables -I FORWARD -o eth0 -j DROP
ip6tables -I FORWARD -i eth0 -j DROP

# Block INPUT from tunnel(s):
iptables -P INPUT DROP
iptables -I INPUT -i tun+ -j DROP

ip6tables -P INPUT DROP
ip6tables -I INPUT -i tun+ -j DROP

# Allow established v6 traffic (v4 rule already present):
#iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Fix DNS IPs if QBS-FORWARD not present (Qubes ver < 4)
iptables -L QBS-FORWARD || correct_ips

# Disable icmp packets
#if iptables -C INPUT -p icmp -j ACCEPT
#then iptables -D INPUT -p icmp -j ACCEPT
#fi


###-------------------------------------------------------------------###
# This section executed only if a qubes-tunnel* service is active:
if ! ls /var/run/qubes-service/qubes-tunnel* 1> /dev/null 2>&1; then
    exit 0
fi

# Prevent accidental communications from within VPN VM to net;
# The gid-owner rule requires net programs be run with group ID 'qtunnel'
# to allow outbound traffic.
iptables -P OUTPUT DROP
iptables -I OUTPUT -o lo -j ACCEPT
iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner qtunnel -j ACCEPT

ip6tables -P OUTPUT DROP
ip6tables -I OUTPUT -o lo -j ACCEPT
ip6tables -I OUTPUT -p all -o eth0 -m owner --gid-owner qtunnel -j ACCEPT

