On Thursday, February 9, 2017 at 10:21:26 AM UTC-5, Unman wrote:
> On Thu, Feb 09, 2017 at 04:32:12AM -0800, Joe Ruether wrote:
> > Hello!
> >
> > I am trying to set up a proxy vm that will redirect DNS requests to a local DNS server, for the purposes of adblocking.
> >
> > Here is the setup:
> >
> > internet <-> sys-net <-> sys-firewall <-> MY_PROXYVM <-> appvm_with_firefox
> >
> > I have created a proxyvm based on a debian-8 template, and have installed PiHole (https://pi-hole.net/) as an adblocker. PiHole works by starting a DNS server (dnsmasq) and rejecting any DNS queries to domains that serve ads.
> >
> > If (in the proxyvm) I set the contents of /etc/resolv.conf to 127.0.0.1 and open firefox (in the proxyvm), I can verify that the adblocker is working correctly.
> >
> > The issue I am having is when I use the proxyvm as the netvm for another appvm. Without any other changes, my appvm's firefox has internet access, but the adblocker has no effect. Of course, some additional setup is needed, but I'm not exactly sure how to do that.
> >
> > I'm not very good with iptables, and every attempt I have made to redirect DNS to 127.0.0.1 in the proxyvm has failed (and caused both the proxyvm and the appvm to lose the ability to browse). Here are the commands I ran (in the proxyvm):
> >
> > #!/bin/bash
> > DNS=127.0.0.1
> > NS1=10.137.4.1
> > NS2=10.137.4.254
> > iptables -t nat -A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $DNS
> > iptables -t nat -A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $DNS
> > iptables -t nat -A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $DNS
> > iptables -t nat -A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $DNS
> >
> > ---
> >
> > I pieced this together from what I could find in the VPN documentation on the qubes website as well as the contents of /usr/lib/qubes/qubes-setup-dnat-to-ns
> >
> > Running the qubes-setup-dnat-to-ns script by itself after changing /etc/resolv.conf (all this on the proxyvm) didn't seem to have any impact.
> >
> > So! My question is, am I going about this correctly? I think I need to modify the iptables in the proxyvm to redirect any incoming (from the appvm) DNS queries to 127.0.0.1, while still allowing outgoing (to the internet, from the proxyvm) DNS queries to get out. Along with this, I think I need to ensure that there are rules that allow all other traffic to pass through unhindered.
> >
> > Or is there a different, qubes-specific way of handling DNS that I should be using? After inspecting the sys-firewall ifconfig and iptables, it is clear that something behind-the-scenes is happening where an additional NIC is created for each attached appvm, and the iptables are being populated automatically somehow. I'm not sure how the proxyvm is supposed to get the addresses of the appvm and sys-firewall (my script above had addresses hardcoded).
> >
> > Thank you for any help! If I get all this working, I'm planning on making a Salt file that can create the adblocking proxyvm.
>
> I don't see any reason why this shouldn't work.
> I wouldn't be so specific in the nat rules but that's your call. Just protocol and port would suffice.
>
> One obvious point is that you are ADDING those rules to the end of the PR-QBS chain without flushing it first. If you already have redirect rules there they will trigger first.
> What does your nat table look like after you run that script?
>
> Another point may be that you don't have an incoming rule in the INPUT chain allowing inbound traffic to the DNS ports. Unless you've changed this the default rule will block inbound traffic from any vif interface. So you need to ensure you are allowing that traffic with an:
> iptables -I INPUT -i vif+ -p udp --dport 53 -j ACCEPT
>
> Finally, you need to consider the effects of the qubes-firewall and qubes-netwatcher services.
> If you want to retain these you can use /rw/config/qubes-firewall-user-script to override the automatic Qubes configuration and insert your own iptables rules.
> You can also use rc.local to set initial iptables rules.
> Remember to make those files executable if you want to use them.
>
> Most of this is in the docs, although not easy to find.
>
> Hope this helps
>
> unman
Thank you for your help, I have more information about my configuration below. I am confident that I have an iptables issue, but I can't seem to figure out which rules need to be added.

ifconfig:

eth0      Link encap:Ethernet  HWaddr 00:16:3e:5e:6c:01
          inet addr:10.137.2.3  Bcast:10.255.255.255  Mask:255.255.255.255
          inet6 addr: fe80::216:3eff:fe5e:6c01/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6830 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6436 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4972238 (4.7 MiB)  TX bytes:1381735 (1.3 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:241350 errors:0 dropped:0 overruns:0 frame:0
          TX packets:241350 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:17164926 (16.3 MiB)  TX bytes:17164926 (16.3 MiB)

vif99.0   Link encap:Ethernet  HWaddr fe:ff:ff:ff:ff:ff
          inet addr:10.137.4.1  Bcast:0.0.0.0  Mask:255.255.255.255
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:27475 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4201 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:1838038 (1.7 MiB)  TX bytes:3767962 (3.5 MiB)

Here is my script with the modifications you suggested:

#!/bin/bash
DNS=127.0.0.1
NS1=10.137.4.1
NS2=10.137.4.254
iptables -t nat -F PR-QBS
iptables -t nat -A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $DNS
iptables -t nat -A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $DNS
iptables -t nat -A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $DNS
iptables -t nat -A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $DNS
iptables -I INPUT -i vif+ -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i vif+ -p tcp --dport 53 -j ACCEPT
# Show the table
iptables -t nat -L -v -n
# Is this needed?
# echo 1 > /proc/sys/net/ipv4/ip_forward

---

Here are the results of iptables -L -v -n after running the script:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 DROP       udp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
94520 8805K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
52952 2754K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   37  4454 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4884 3798K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vif0.0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  vif+   vif+    0.0.0.0/0            0.0.0.0/0
   80  5672 ACCEPT     udp  --  *      *       10.137.4.11          10.137.2.1           udp dpt:53
    0     0 ACCEPT     udp  --  *      *       10.137.4.11          10.137.2.254         udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       10.137.4.11          10.137.2.1           tcp dpt:53
    0     0 ACCEPT     tcp  --  *      *       10.137.4.11          10.137.2.254         tcp dpt:53
    0     0 ACCEPT     icmp --  *      *       10.137.4.11          0.0.0.0/0
    0     0 DROP       tcp  --  *      *       10.137.4.11          10.137.255.254       tcp dpt:8082
   39  2556 ACCEPT     all  --  *      *       10.137.4.11          0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1613 packets, 120K bytes)
 pkts bytes target     prot opt in     out     source               destination

---

And finally, here is netstat -pan | grep 53 to show the DNS server running:

tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      681/dnsmasq
tcp6       0      0 :::53                   :::*                    LISTEN      681/dnsmasq
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           628/avahi-daemon: r
udp        0      0 0.0.0.0:53              0.0.0.0:*                           681/dnsmasq
udp6       0      0 :::5353                 :::*                                628/avahi-daemon: r
udp6       0      0 :::53                   :::*                                681/dnsmasq
unix  2      [ ACC ]     STREAM     LISTENING     15533    1274/qrexec-fork-se  /var/run/qubes/qrexec-server.user.sock
unix  3      [ ]         STREAM     CONNECTED     11905    653/meminfo-writer
unix  3      [ ]         STREAM     CONNECTED     14533    1233/nm-applet
unix  3      [ ]         STREAM     CONNECTED     14534    883/Xorg             @/tmp/.X11-unix/X0

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/889472df-468b-47e5-bbb2-03b0ed671a99%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
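A firewall-user-script form of the redirect, added here as an example and not code from the thread, from Qubes or from Pi-hole: it follows unman's advice to flush PR-QBS first and to match on protocol and port only, and it swaps the DNAT to 127.0.0.1 for a REDIRECT to the vif's own address, so no resolver addresses are hard-coded per VM. The IPTABLES override, DNS_PORT and the ipt helper are my own names; everything else is standard iptables.

```shell
#!/bin/sh
# Added example for /rw/config/qubes-firewall-user-script in the Pi-hole ProxyVM.
# Assumption: IPTABLES can be overridden (IPTABLES=echo) to print the rules instead
# of installing them.
set -e
IPTABLES="${IPTABLES:-iptables}"
DNS_PORT=53

ipt() { "$IPTABLES" "$@"; }

apply_dns_redirect() {
    # Qubes pre-fills PR-QBS with DNAT rules towards the upstream resolvers
    # (qubes-setup-dnat-to-ns). Rules appended after them would never match,
    # so flush the chain before adding ours.
    ipt -t nat -F PR-QBS
    for proto in udp tcp; do
        # Match on protocol and port only: whatever resolver address Qubes hands
        # the AppVM, the query is caught here.
        # REDIRECT delivers it to the address of the vif it arrived on
        # (10.137.4.1 on vif99.0), where dnsmasq listens on 0.0.0.0:53. This
        # avoids DNAT to 127.0.0.1, which the kernel drops as a martian unless
        # net.ipv4.conf.<vif>.route_localnet=1 is set.
        ipt -t nat -A PR-QBS -i vif+ -p "$proto" --dport "$DNS_PORT" \
            -j REDIRECT --to-ports "$DNS_PORT"
        # INPUT policy is DROP for vif traffic, so admit the redirected queries.
        ipt -I INPUT -i vif+ -p "$proto" --dport "$DNS_PORT" -j ACCEPT
    done
    # Lookups generated by the ProxyVM itself never traverse PREROUTING, so its
    # own upstream DNS (and therefore Pi-hole's forwarding) is unaffected.
}

# Install the rules only when running as the Qubes user script; a dry run
# calls apply_dns_redirect directly with IPTABLES=echo.
case "$0" in
    */qubes-firewall-user-script) apply_dns_redirect ;;
esac
```

Run it with IPTABLES=echo to review the five rules it would install before copying it to /rw/config/qubes-firewall-user-script and marking it executable, as unman notes.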