On Thu, Feb 09, 2017 at 04:32:12AM -0800, Joe Ruether wrote:
> Hello!
> 
> I am trying to set up a proxy vm that will redirect DNS requests to a local 
> DNS server, for the purposes of adblocking.
> 
> Here is the setup:
> 
> internet <-> sys-net <-> sys-firewall <-> MY_PROXYVM <-> appvm_with_firefox
> 
> I have created a proxyvm based on a debian-8 template, and have installed 
> PiHole (https://pi-hole.net/) as an adblocker. PiHole works by starting a DNS 
> server (dnsmasq) and rejecting any dns queries to domains that serve ads.
> 
> If (in the proxyvm) I set the contents of /etc/resolv.conf to 127.0.0.1 and 
> open firefox (in the proxyvm), I can verify that the adblocker is working 
> correctly.
> 
> The issue I am having is when I used the proxyvm as the netvm for another 
> appvm. Without any other changes, my appvm's firefox has internet access, but 
> the adblocker has no effect. Of course, some additional setup is needed, but 
> I'm not exactly sure how to do that.
> 
> I'm not very good with iptables, and every attempt I have made to redirect 
> DNS to 127.0.0.1 in the proxyvm has failed (and caused both the proxyvm and 
> the appvm to lose the ability to browse). Here are the commands I ran (in the 
> proxyvm):
> 
> #!/bin/bash
> DNS=127.0.0.1
> NS1=10.137.4.1
> NS2=10.137.4.254
> iptables -t nat -A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $DNS
> iptables -t nat -A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $DNS
> iptables -t nat -A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $DNS
> iptables -t nat -A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $DNS
> 
> ---
> 
> I pieced this together from what I could find from the VPN documentation on 
> the qubes website as well as the contents of 
> /usr/lib/qubes/qubes-setup-dnat-to-ns
> 
> Running the qubes-setup-dnat-to-dns script by itself after changing 
> /etc/resolv.conf (all this on the proxyvm) didn't seem to have any impact.
> 
> So! My question is, am I going about this correctly? I think I need to modify 
> the iptables in the proxyvm to redirect any incoming (from the appvm) DNS 
> queries to 127.0.0.1, while still allowing outgoing (to the internet, from 
> the proxyvm) DNS queries to get out. Along with this, I think I need to 
> ensure that there are rules that allow all other traffic to pass through 
> unhindered.
> 
> Or is there a different, qubes-specific way of handling DNS that I should be 
> using? After inspecting the sys-firewall ipconfig and iptables, it is clear 
> that something behind-the-scenes is happening where an additional NIC is 
> created for each attached appvm, and the iptables are being populated 
> automatically somehow. I'm not sure how the proxyvm is supposed to get the 
> addresses of the appvm and sys-firewall (my script above had addresses 
> hardcoded).
> 
> Thank you for any help! If I get all this working, I'm planning on making a 
> Salt file that can create the adblocking proxyvm.
> 

I don't see any reason why this shouldn't work.
I wouldn't be so specific in the nat rules but that's your call. Just
protocol and port would suffice.

One obvious point is that you are ADDING those rules to the end of the
PR-QBS chain without flushing it first. If you already have redirect
rules there they will trigger first.
What does your nat table look like after you run that script?

Another point may be that you don't have an incoming rule in the INPUT
chain allowing inbound traffic to the DNS ports. Unless you've changed
this the default rule will block inbound traffic from any vif interface.
So you need to ensure you are allowing that traffic with an:
iptables -I INPUT -i vif+ -p udp --dport 53 -j ACCEPT

Finally, you need to consider the effects of the qubes-firewall and
qubes-netwatcher services.
If you want to retain these you can use
/rw/config/qubes-firewall-user-script to override the automatic Qubes
configuration and insert your own iptables rules.
You can also use rc.local to set initial iptables rules.
Remember to make those files executable if you want to use them.

Most of this is in the docs, although not easy to find.

Hope this helps

unman
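Putting the three points in the reply together (flush PR-QBS first, match on protocol and port only, and accept DNS from vif+ in INPUT), here is an added example of what the user script could look like; it is not code from the thread. It assumes the Pi-hole dnsmasq listens on 127.0.0.1:53 inside the proxyvm and that the file is installed as /rw/config/qubes-firewall-user-script and made executable, as the reply describes.

```shell
#!/bin/sh
# Added example: /rw/config/qubes-firewall-user-script for a Pi-hole proxyvm.
# qubes-firewall re-runs this file after it rebuilds its own rules, so the
# rules below survive the automatic configuration the asker observed.
# Assumption: the local resolver (dnsmasq) listens on 127.0.0.1:53.
DNS=${DNS:-127.0.0.1}
IPT=${IPT:-iptables}   # set IPT=echo to dry-run and only print the rules

# Print the iptables arguments this script applies, one rule per line.
dns_redirect_rules() {
    # Flush the Qubes DNS chain first: the stock DNAT rules in PR-QBS point at
    # the upstream netvm's nameservers and would match before anything appended.
    echo "-t nat -F PR-QBS"
    for proto in udp tcp; do
        # Redirect every DNS query that enters this VM to the local resolver,
        # whatever nameserver address the downstream qube used. PR-QBS hangs
        # off PREROUTING, which only sees forwarded traffic, so the proxyvm's
        # own upstream queries from dnsmasq are left untouched.
        echo "-t nat -A PR-QBS -p $proto --dport 53 -j DNAT --to-destination $DNS"
        # The default INPUT policy drops traffic from vif interfaces, so the
        # redirected queries must be explicitly accepted on both transports.
        echo "-I INPUT -i vif+ -p $proto --dport 53 -j ACCEPT"
    done
}

# Feed each rule line to iptables (or to whatever $IPT names).
apply_rules() {
    dns_redirect_rules | while read -r rule; do
        # word-splitting of $rule into separate arguments is intended
        $IPT $rule
    done
}

# Apply for real only when executed as the firewall hook, not when sourced.
case "$0" in
    */qubes-firewall-user-script) apply_rules ;;
esac
```

After installing it, `iptables -t nat -L PR-QBS -n` should show only the two DNAT rules, which answers the "what does your nat table look like" question above.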

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170209152124.GA1291%40thirdeyesecurity.org.