customise iptables behaviour on startup

Bug #1219855 reported by daemon dog
Affects: Arkose - Desktop Application Sandboxing
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Blueprints don't seem to be set up, so adding here; hope that's ok.

It would be nice if iptables could be customised on startup for filtered networking, either by a command line option (probably specifying an external file) or by a profile picked up automatically or specified via the command line (or some other combination). In addition to supporting a more specific setup for each sandbox, I'd like to prevent the sandbox from accessing my LAN. It looks like any iptables configuration support will need some replacement variables to indicate the host or whatever, so the rules can be applied as templates. Also, it appears DNS resolution (presumably as would normally be provided by local dnsmasq) was not working properly for some reason; not sure if that is resolvable with a firewall rule or not.

For example, some rule like the following:

sudo iptables -R POSTROUTING 2 -t nat -j MASQUERADE -s 169.254.1.1 ! -d 192.168.n.n/24

where 169.254.1.1 is the IP of the sandbox network adapter and 192.168.n.n is the LAN.
There may need to be access to some local services such as DNS, hence one reason why it would be nice to customise the tables.

Revision history for this message
daemon dog (nodenet-1) wrote:

The iptables command should probably also have specified something like --out-interface eth0 or whatever the correct adapter would be.
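The template idea from the report (replacement variables for the sandbox address, the host and the LAN), rendered into the three rules it sketches and printed as a dry run before anything is applied; this is an added example in POSIX sh, not Arkose's code or the reporter's. The placeholder names, the sample addresses and the use of -A instead of the report's -R POSTROUTING 2 are assumptions made here.

```shell
#!/bin/sh
# Added example, not part of Arkose or this report: render per-sandbox iptables
# rules from a template with placeholders. The names @SANDBOX_IP@, @HOST_IP@,
# @LAN_NET@ and @OUT_IF@ are chosen here, not an Arkose convention.

# Constructed template with the rules the report sketches: the sandbox may reach
# DNS on the host side of its adapter, is kept off the LAN, and is masqueraded
# out of the uplink interface for everything else.
TEMPLATE=$(mktemp)
cat > "$TEMPLATE" <<'EOF'
# sandbox -> host DNS (e.g. a local dnsmasq) stays allowed
-t filter -A FORWARD -s @SANDBOX_IP@ -d @HOST_IP@ -p udp --dport 53 -j ACCEPT
# anything else from the sandbox to the LAN is dropped
-t filter -A FORWARD -s @SANDBOX_IP@ -d @LAN_NET@ -j DROP
# remaining traffic leaves via the uplink (the --out-interface from the comment)
-t nat -A POSTROUTING -s @SANDBOX_IP@ ! -d @LAN_NET@ -o @OUT_IF@ -j MASQUERADE
EOF

# render_rules TEMPLATE SANDBOX_IP HOST_IP LAN_NET OUT_IF
# Prints the rendered rules and fails if a placeholder is left unresolved, so a
# half-filled template is never applied. Values are assumed to come from a
# trusted config file (sed would misread '|' or '&' inside them).
render_rules() {
    rendered=$(sed -e "s|@SANDBOX_IP@|$2|g" -e "s|@HOST_IP@|$3|g" \
                   -e "s|@LAN_NET@|$4|g" -e "s|@OUT_IF@|$5|g" "$1") || return 1
    if printf '%s\n' "$rendered" | grep -q '@[A-Z_][A-Z_]*@'; then
        printf 'unresolved placeholder in %s\n' "$1" >&2
        return 1
    fi
    printf '%s\n' "$rendered"
}

# apply_rules: hand each rendered rule to iptables. Without APPLY=1 it only
# prints the commands, which is the mode to use while reviewing a template.
apply_rules() {
    rendered=$(render_rules "$@") || return 1
    printf '%s\n' "$rendered" | grep -v '^#' | grep -v '^[[:space:]]*$' |
    while IFS= read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            sudo iptables $rule   # unquoted on purpose: split into arguments
        else
            printf 'iptables %s\n' "$rule"
        fi
    done
}

# Sample values (constructed): sandbox adapter 169.254.1.1, host side 169.254.1.254,
# LAN 192.168.1.0/24, uplink eth0. Dry run: prints the three iptables commands.
apply_rules "$TEMPLATE" 169.254.1.1 169.254.1.254 192.168.1.0/24 eth0
```

Run with APPLY=1 only after the printed commands look right; the unresolved-placeholder check is what stops a rule with a missing value from ever reaching iptables.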
