On Thu, Feb 14, 2019 at 03:05:20PM +0100, ashleybrown...@tutanota.com wrote:
> > The magic is in NAT rules (but I had to research this too.) See
> > https://www.qubes-os.org/doc/networking/, and "sudo iptables -t nat -L"
> > in sys-firewall and sys-net.
>
> I previously looked at iptables and honestly I really do not understand it.
> Can you please explain a little how it works?
>
> Here is what my nat looks like in sys-firewall:
>
> Chain PR-QBS (1 references)
> target     prot opt source               destination
> DNAT       udp  --  anywhere             10.139.1.1           udp dpt:domain to:10.139.1.1
> DNAT       tcp  --  anywhere             10.139.1.1           tcp dpt:domain to:10.139.1.1
> DNAT       udp  --  anywhere             10.139.1.2           udp dpt:domain to:10.139.1.2
> DNAT       tcp  --  anywhere             10.139.1.2           tcp dpt:domain to:10.139.1.2
>
> So, when I do ping google.com it needs to do a DNS request. Because my AppVM
> /etc/resolv.conf is set to 10.139.1.1 it creates a DNS request to send to
> 10.139.1.1. However, no VM on the network actually has this address.
>
> Is that packet modified? I am assuming what happens is the packet is
> forwarded to whoever the internet provider is (in this case sys-firewall).
> Sys-firewall then forwards it to sys-net. Sys-net then forwards it to the DNS
> server.
>
> I am assuming the IP header of each hop is rewritten. So, for example,
> sys-net will rewrite the IP header to be the external IP address for the
> computer and thus it will receive a response to that IP. Assuming this is
> correct, how does the original AppVM get the correct response? I assume
> multiple AppVMs are all forwarding these UDP DNS requests through
> sys-firewall and then sys-net. And then when sys-net gets a response, how does
> it know to send which response to which specific AppVM?
>
Yes, you are spot on. The packet is sent upstream (routing table on
sys-firewall) and hits sys-net. On sys-net, you'll see in the nat table (I'm
assuming iptables on Debian) rules that rewrite udp/tcp to 10.139.1.1 to use
the DNS resolver provided by the external network.

DNAT       udp  --  *      *       0.0.0.0/0            10.139.1.1           udp dpt:domain to:X.X.X.X

These are stateful firewalls that keep track of the packets passing through
them. Sys-net returns the DNS result to sys-firewall and it's there that the
response is matched to the request and sent back to the originating qube.

hth

unman

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190214155143.6kq4cibl6dp4uhbp%40thirdeyesecurity.org.
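As an added illustration of the exchange above (a constructed model, not code from the thread or from Qubes OS), here is a small Python simulation of the two stateful hops: sys-firewall's identity PR-QBS rule, sys-net's rewrite of 10.139.1.1 to the provider's resolver plus masquerading to the external address, and the connection-tracking entries that carry each answer back to the qube that asked, even when two qubes chose the same source port. The qube, resolver and external addresses are assumed sample values.

```python
from dataclasses import dataclass, field

QUBES_DNS = "10.139.1.1"      # virtual resolver address handed to every qube
RESOLVER = "203.0.113.53"     # constructed stand-in for the provider's X.X.X.X
EXTERNAL = "198.51.100.7"     # constructed external address of sys-net

@dataclass(frozen=True)
class Packet:
    src: tuple      # (ip, port)
    dst: tuple      # (ip, port)
    payload: str = ""

@dataclass
class StatefulNat:
    """One NetVM hop: a PR-QBS style DNAT map, optional masquerading, and a
    conntrack table that reverses both rewrites when the reply comes back."""
    dnat: dict                      # original dst ip -> rewritten dst ip
    snat_ip: str = None             # set on sys-net only
    conntrack: dict = field(default_factory=dict)  # reply 4-tuple -> originals
    used_ports: set = field(default_factory=set)

    def forward(self, pkt):
        dst = (self.dnat.get(pkt.dst[0], pkt.dst[0]), pkt.dst[1])
        src = pkt.src
        if self.snat_ip:
            port = pkt.src[1]
            while port in self.used_ports:   # two qubes may pick the same port
                port += 1
            self.used_ports.add(port)
            src = (self.snat_ip, port)
        # Key by the addresses the reply will carry; value is what to restore.
        self.conntrack[(dst, src)] = (pkt.src, pkt.dst)
        return Packet(src, dst, pkt.payload)

    def reply(self, pkt):
        orig_src, orig_dst = self.conntrack[(pkt.src, pkt.dst)]
        return Packet(orig_dst, orig_src, pkt.payload)

def resolve(requests):
    """Push (qube_ip, src_port, name) queries through both hops, feed the answers
    back in reverse order, and return (qube_ip, port, answer_src_ip, payload)."""
    sys_firewall = StatefulNat({QUBES_DNS: QUBES_DNS})
    sys_net = StatefulNat({QUBES_DNS: RESOLVER}, snat_ip=EXTERNAL)
    in_flight = [sys_net.forward(sys_firewall.forward(
        Packet((ip, port), (QUBES_DNS, 53), "Q:" + name))) for ip, port, name in requests]
    delivered = []
    for wire in reversed(in_flight):            # the resolver only ever saw EXTERNAL
        answer = Packet(wire.dst, wire.src, "A:" + wire.payload[2:])
        back = sys_firewall.reply(sys_net.reply(answer))
        delivered.append((back.dst[0], back.dst[1], back.src[0], back.payload))
    return delivered
```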