On Thursday, February 9, 2017 at 10:21:26 AM UTC-5, Unman wrote:
> On Thu, Feb 09, 2017 at 04:32:12AM -0800, Joe Ruether wrote:
> > Hello!
> >
> > I am trying to set up a proxy vm that will redirect DNS requests to a local
> > DNS server, for the purposes of adblocking.
> >
> > Here is the setup:
> >
> > internet <-> sys-net <-> sys-firewall <-> MY_PROXYVM <-> appvm_with_firefox
> >
> > I have created a proxyvm based on a debian-8 template, and have installed
> > PiHole (https://pi-hole.net/) as an adblocker. PiHole works by starting a
> > DNS server (dnsmasq) and rejecting any dns queries to domains that serve
> > ads.
> >
> > If (in the proxyvm) I set the contents of /etc/resolv.conf to 127.0.0.1 and
> > open firefox (in the proxyvm), I can verify that the adblocker is working
> > correctly.
> >
> > The issue I am having is when I used the proxyvm as the netvm for another
> > appvm. Without any other changes, my appvm's firefox has internet access,
> > but the adblocker has no effect. Of course, some additional setup is
> > needed, but I'm not exactly sure how to do that.
> >
> > I'm not very good with iptables, and every attempt I have made to redirect
> > DNS to 127.0.0.1 in the proxyvm has failed (and caused both the proxyvm and
> > the appvm to lose the ability to browse). Here are the commands I ran (in
> > the proxyvm):
> >
> > #!/bin/bash
> > DNS=127.0.0.1
> > NS1=10.137.4.1
> > NS2=10.137.4.254
> > iptables -t nat -A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $DNS
> > iptables -t nat -A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $DNS
> > iptables -t nat -A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $DNS
> > iptables -t nat -A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $DNS
> >
> > ---
> >
> > I pieced this together from what I could find from the VPN documentation on
> > the qubes website as well as the contents of
> > /usr/lib/qubes/qubes-setup-dnat-to-ns
> >
> > Running the qubes-setup-dnat-to-dns script by itself after changing
> > /etc/resolv.conf (all this on the proxyvm) didn't seem to have any impact.
> >
> > So! My question is, am I going about this correctly? I think I need to
> > modify the iptables in the proxyvm to redirect any incoming (from the
> > appvm) DNS queries to 127.0.0.1, while still allowing outgoing (to the
> > internet, from the proxyvm) DNS queries to get out. Along with this, I
> > think I need to ensure that there are rules that allow all other traffic to
> > pass through unhindered.
> >
> > Or is there a different, qubes-specific way of handling DNS that I should
> > be using? After inspecting the sys-firewall ipconfig and iptables, it is
> > clear that something behind-the-scenes is happening where an additional NIC
> > is created for each attached appvm, and the iptables are being populated
> > automatically somehow. I'm not sure how the proxyvm is supposed to get the
> > addresses of the appvm and sys-firewall (my script above had addresses
> > hardcoded).
> >
> > Thank you for any help! If I get all this working, I'm planning on making a
> > Salt file that can create the adblocking proxyvm.
> >
>
> I don't see any reason why this shouldn't work.
> I wouldn't be so specific in the nat rules but that's your call. Just
> protocol and post would suffice.
>
> One obvious point is that you are ADDING those rules to the end of the
> PR-QBS chain without flushing it first. If you already have redirect
> rules there they will trigger first.
> What does your nat table look like after you run that script?
>
> Another point may be that you don't have an incoming rule in the INPUT
> chain allowing inbound traffic to the DNS ports. Unless you've changed
> this the default rule will block inbound traffic from any vif interface.
> So you need to ensure you are allowing that traffic with an:
> iptables -I INPUT -i vif+ -p udp --dport 53 -j ALLOW
>
> Finally, you need to consider the effects of the qubes-firewall and
> qubes-netwatcher services.
> If you want to retain these you can use
> /rw/config/qubes-firewall-user-script to override the automatic Qubes
> configuration and insert your own iptables rules.
> You can also use rc.local to set initial iptables rules.
> Remember to make those files executable if you want to use them.
>
> Most of this is in the docs, although not easy to find.
>
> Hope this helps
>
> unman
Thank you for your help, I have more information about my configuration below.
I am confident that I have an iptables issue, but I can't seem to figure out
which rules need to be added.
ifconfig:
eth0 Link encap:Ethernet HWaddr 00:16:3e:5e:6c:01
inet addr:10.137.2.3 Bcast:10.255.255.255 Mask:255.255.255.255
inet6 addr: fe80::216:3eff:fe5e:6c01/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6830 errors:0 dropped:0 overruns:0 frame:0
TX packets:6436 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4972238 (4.7 MiB) TX bytes:1381735 (1.3 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:241350 errors:0 dropped:0 overruns:0 frame:0
TX packets:241350 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:17164926 (16.3 MiB) TX bytes:17164926 (16.3 MiB)
vif99.0 Link encap:Ethernet HWaddr fe:ff:ff:ff:ff:ff
inet addr:10.137.4.1 Bcast:0.0.0.0 Mask:255.255.255.255
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:27475 errors:0 dropped:0 overruns:0 frame:0
TX packets:4201 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:1838038 (1.7 MiB) TX bytes:3767962 (3.5 MiB)
Here is my script with the modifications you suggested:
#!/bin/bash
DNS=127.0.0.1
NS1=10.137.4.1
NS2=10.137.4.254
iptables -t nat -F PR-QBS
iptables -t nat -A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $DNS
iptables -t nat -A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $DNS
iptables -t nat -A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $DNS
iptables -t nat -A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $DNS
iptables -I INPUT -i vif+ -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i vif+ -p tcp --dport 53 -j ACCEPT
# Show the table
iptables -t nat -L -v -n
# Is this needed?
# echo 1 > /proc/sys/net/ipv4/ip_forward
---
Here are the results of iptables -L -v -n after running the script:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- vif+ * 0.0.0.0/0 0.0.0.0/0
tcp dpt:53
0 0 ACCEPT udp -- vif+ * 0.0.0.0/0 0.0.0.0/0
udp dpt:53
0 0 DROP udp -- vif+ * 0.0.0.0/0 0.0.0.0/0
udp dpt:68
94520 8805K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
52952 2754K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
37 4454 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-prohibited
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4884 3798K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- vif0.0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- vif+ vif+ 0.0.0.0/0 0.0.0.0/0
80 5672 ACCEPT udp -- * * 10.137.4.11 10.137.2.1
udp dpt:53
0 0 ACCEPT udp -- * * 10.137.4.11
10.137.2.254 udp dpt:53
0 0 ACCEPT tcp -- * * 10.137.4.11 10.137.2.1
tcp dpt:53
0 0 ACCEPT tcp -- * * 10.137.4.11
10.137.2.254 tcp dpt:53
0 0 ACCEPT icmp -- * * 10.137.4.11 0.0.0.0/0
0 0 DROP tcp -- * * 10.137.4.11
10.137.255.254 tcp dpt:8082
39 2556 ACCEPT all -- * * 10.137.4.11 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1613 packets, 120K bytes)
pkts bytes target prot opt in out source destination
---
And finally, here is netstat -pan | grep 53 to show the DNS server running:
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
681/dnsmasq
tcp6 0 0 :::53 :::* LISTEN
681/dnsmasq
udp 0 0 0.0.0.0:5353 0.0.0.0:*
628/avahi-daemon: r
udp 0 0 0.0.0.0:53 0.0.0.0:*
681/dnsmasq
udp6 0 0 :::5353 :::*
628/avahi-daemon: r
udp6 0 0 :::53 :::*
681/dnsmasq
unix 2 [ ACC ] STREAM LISTENING 15533 1274/qrexec-fork-se
/var/run/qubes/qrexec-server.user.sock
unix 3 [ ] STREAM CONNECTED 11905 653/meminfo-writer
unix 3 [ ] STREAM CONNECTED 14533 1233/nm-applet
unix 3 [ ] STREAM CONNECTED 14534 883/Xorg
@/tmp/.X11-unix/X0
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/889472df-468b-47e5-bbb2-03b0ed671a99%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
