From 3ede5a41329ccf08de1788eb41b7005e4dc5d6cd Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 21 May 2016 23:57:11 +0200
Subject: [PATCH] work on Qubes ProxyVM support

https://github.com/adrelanos/vpn-firewall/issues/14
---
 etc/vpn-firewall.d/30_default.conf | 5 +++++
 .../20_vpn-firewall.conf | 3 +++
 .../plugins.d/30_vpn-firewall | 19 ++++++++++++++++++-
 3 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/etc/vpn-firewall.d/30_default.conf b/etc/vpn-firewall.d/30_default.conf
index 3021ab7..da87b1f 100644
--- a/etc/vpn-firewall.d/30_default.conf
+++ b/etc/vpn-firewall.d/30_default.conf
@@ -17,3 +17,8 @@ VPN_INTERFACE=tun0
 LOCAL_NET="192.168.1.0/24 192.168.0.0/24 127.0.0.0/8"
 ## TODO: Should add?
 #LOCAL_NET="192.168.1.0/24 192.168.0.0/24 127.0.0.0/8 10.152.152.0/24 10.0.2.2/24"
+
+#INT_IF=eth1
+
+## If you want to forward traffic for machines connected to INT_IF.
+#FORWARDING=true
diff --git a/lib/systemd/system/netfilter-persistent.service.d/20_vpn-firewall.conf b/lib/systemd/system/netfilter-persistent.service.d/20_vpn-firewall.conf
index b061649..5b4962e 100644
--- a/lib/systemd/system/netfilter-persistent.service.d/20_vpn-firewall.conf
+++ b/lib/systemd/system/netfilter-persistent.service.d/20_vpn-firewall.conf
@@ -8,3 +8,6 @@
 [Unit]
 After=qubes-sysinit.service
+
+## For /rw.
+After=qubes-mount-dirs.service
diff --git a/usr/share/netfilter-persistent/plugins.d/30_vpn-firewall b/usr/share/netfilter-persistent/plugins.d/30_vpn-firewall
index 368907e..59250dd 100755
--- a/usr/share/netfilter-persistent/plugins.d/30_vpn-firewall
+++ b/usr/share/netfilter-persistent/plugins.d/30_vpn-firewall
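Review bot: The added `After=qubes-mount-dirs.service` only orders this unit behind the mount unit; it does not pull that unit in or make the firewall wait for it to have succeeded. If the comment `## For /rw.` means the firewall reads configuration from /rw, a failed or not-yet-activated mount would let the firewall load with the built-in defaults instead, which is presumably not the intent. Consider pairing it with `Wants=qubes-mount-dirs.service` (systemd tolerates a missing unit in Wants=, which matters on non-Qubes installs that share this drop-in, though that behavior should be verified on the target systemd version), and expand the comment to say what on /rw is needed, e.g. `## /rw holds persistent configuration; order after it is mounted.`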
@@ -42,9 +42,16 @@ source_config_folder() {
 defaults() {
    [ -n "$iptables_cmd" ] || iptables_cmd="iptables --wait"
    [ -n "$ip6tables_cmd" ] || ip6tables_cmd="ip6tables --wait"
-   [ -n "$VPN_INTERFACE" ] || VPN_INTERFACE="tun0"
+   [ -n "$VPN_INTERFACE" ] || VPN_INTERFACE="tun+"
    [ -n "$LOCAL_NET" ] || LOCAL_NET="192.168.1.0/24 192.168.0.0/24 127.0.0.0/8"
    [ -n "$TUNNEL_USER" ] || TUNNEL_USER="$(id -u tunnel)"
+   ## Internal interface
+   if [ -d "/usr/lib/qubes" ]; then
+      [ -n "$INT_IF" ] || INT_IF="vif+"
+   else
+      [ -n "$INT_IF" ] || INT_IF="eth1"
+   fi
+   [ -n "$FORWARDING" ] || FORWARDING=false
 }
 
 root_check() {
@@ -116,6 +123,10 @@ start() {
    ## Allow all incoming connections on the virtual VPN network interface.
    $iptables_cmd -A INPUT -i "$VPN_INTERFACE" -j ACCEPT
 
+   if [ "$FORWARDING" = "true" ]; then
+      $iptables_cmd -t nat -A POSTROUTING -j MASQUERADE
+   fi
+
    ## Log.
    $iptables_cmd -A INPUT -j LOG --log-prefix "VPN firewall blocked input4: "
 
@@ -127,6 +138,11 @@ start() {
    ## IPv4 FORWARD
    ###########################
 
+   if [ "$FORWARDING" = "true" ]; then
+      $iptables_cmd -A FORWARD -o "$VPN_INTERFACE" -j ACCEPT
+      $iptables_cmd -A FORWARD -o "$INT_IF" -j ACCEPT
+   fi
+
    ## Log.
    $iptables_cmd -A FORWARD -j LOG --log-prefix "VPN firewall blocked forward4: "
 
@@ -195,6 +211,7 @@ start() {
    echo "OK: The firewall should not show any messages,"
    echo "OK: besides output beginning with prefix OK:..."
 
+   echo "OK: FORWARDING: $FORWARDING"
    echo "OK: VPN firewall loaded."
 }
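Review bot: Changing the fallback `VPN_INTERFACE="tun0"` to `"tun+"` in defaults() widens every rule that uses the variable to all tun devices, including the unconditional `-A INPUT -i "$VPN_INTERFACE" -j ACCEPT` seen in the next hunk, so any non-VPN tun interface that appears later is trusted as if it were the tunnel. The shipped config in the first file of this patch still reads `VPN_INTERFACE=tun0` (visible as the hunk-header context), so the script and its default config now disagree about what the default is; pick one and state the reasoning, e.g. `## "tun+" matches every tun device; set VPN_INTERFACE explicitly when more than one exists.` The same applies to `INT_IF="vif+"`, which should carry a comment saying it matches all Qubes vif interfaces. Nothing in the hunk explains why a `/usr/lib/qubes` directory is the Qubes detection signal; a one-line comment naming that assumption would help the next maintainer.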
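Review bot: The new `-t nat -A POSTROUTING -j MASQUERADE` has no `-o` match, so it source-NATs packets leaving on every interface rather than only those leaving through the tunnel; scope it with `$iptables_cmd -t nat -A POSTROUTING -o "$VPN_INTERFACE" -j MASQUERADE` so that the NAT rule and the FORWARD accepts describe the same path. The rule is placed under the IPv4 INPUT section rather than next to the FORWARD rules it serves, which makes the forwarding policy harder to read as a unit. The hunk does not show the flush/stop logic of this script; if that logic does not also flush the nat table, each start() run appends another MASQUERADE rule, so please confirm. start() begins and ends outside this hunk.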
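Review bot: `$iptables_cmd -A FORWARD -o "$INT_IF" -j ACCEPT` accepts forwarding toward the internal interface from any ingress interface and for any connection state, so with FORWARDING=true a peer on any other attached network can open new connections to the machines behind INT_IF; the companion `-o "$VPN_INTERFACE"` rule likewise lacks an `-i "$INT_IF"` match. Tie both directions to the intended path and make the return direction stateful, for example `$iptables_cmd -A FORWARD -i "$INT_IF" -o "$VPN_INTERFACE" -j ACCEPT` and `$iptables_cmd -A FORWARD -i "$VPN_INTERFACE" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT` (use `-m conntrack --ctstate` if the rest of the script already does; that part is outside the hunk). A comment above the block such as `## Forward INT_IF clients only through the VPN, never to the physical uplink.` would record the policy. start() continues outside this hunk.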