Commented qubes-whonix iptables rules

nrgaway · Jun 6, 2015 · 01a71c5 · 01a71c5
1 parent 57ad011
commit 01a71c5
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/usr/lib/qubes-whonix/init/whonix-firewall-plugin.sh b/usr/lib/qubes-whonix/init/whonix-firewall-plugin.sh
@@ -33,11 +33,21 @@ if [ -e /var/run/qubes-service/whonix-gateway ]; then
     export INT_IF="vif+"
     export INT_TIF="vif+"
 
-    iptables --wait -t nat -N PR-QBS-SERVICES
+    # Allow connections from port 8082 of internal vif interface for tinyproxy
+    # tinyproxy is responsible to handle TemplateVMs updates
     iptables --wait -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT
     iptables --wait -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT
+
+    # Qubes pre-routing. Will be able to intercept traffic destined for
+    # 10.137.255.254 to be re-routed to tinyproxy
+    iptables --wait -t nat -N PR-QBS-SERVICES
     iptables --wait -t nat -A PREROUTING -j PR-QBS-SERVICES
+
+    # Redirects traffic destined for 10.137.255.154 to port 8082 (tinyproxy)
     iptables --wait -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT
+
+    # Forward tinyproxy output to port 53/9040 on internal (Tor) interface (eth1) to be
+    # able to connect to Internet (via Tor) to proxy updates for TemplateVM
     iptables --wait -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:53
     iptables --wait -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:9040
 fi