Re: [qubes-users] Ad-blocking ProxyVM?

2017-02-14 Thread Joe Ruether
On Monday, February 13, 2017 at 9:35:52 PM UTC-5, Joe Ruether wrote:
> Ok, I need to simplify this. I need help, I don't know what I am missing. Is 
> anyone able to recreate the following netcat test?
> 
> I cannot seem to get the DNAT portion of the iptables to work at all. Here is 
> a very simple test:
> 
> On the proxyvm, I use the following rules to redirect port 5353 to localhost, 
> and allow the connection:
> 
> iptables -t nat -I PR-QBS 1 -d 10.137.4.1 -p tcp --dport 5353 -j DNAT 
> --to-destination 127.0.0.1
> iptables -I INPUT 1 -p tcp --dport 5353 -j ACCEPT
> 
> Then, on the proxyvm, I run the following command to listen on that port (no 
> other service is running on that port):
> 
> nc -l -p 5353
> 
> Finally, on the AppVM, I run the following command:
> 
> nc 10.137.4.1 5353
> 
> My expectation is that the two netcats will connect, however they don't. What 
> do I need to do to get my AppVM to talk to my ProxyVM? Thanks

Well, I feel like a fool, I finally figured it out. I realized the DNAT rules 
aren't necessary at all, so all I needed was this:

iptables -I INPUT 1 -p tcp --dport 5353 -j ACCEPT

Of course I overcomplicated such a simple problem... I learned a bunch about 
iptables though.

I also have the PiHole adblocker working now. In case anyone stumbles onto this 
thread trying to do the same thing, the final trick was to add the Qubes vif 
interfaces to a dnsmasq config file so it would listen on them.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fb192195-af69-4793-b4a2-1f787af2ddbc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
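The whole thread converges on three pieces: getting the AppVM's DNS traffic to the ProxyVM's own resolver instead of the upstream one that Qubes pre-wires in PR-QBS, accepting that traffic on the vif interfaces, and making dnsmasq listen there. The script below is an added example, not code from the thread, from Qubes or from Pi-hole. It generalises what the posts describe to both resolver addresses an AppVM is given and adds the loopback caveat that explains why DNAT to 127.0.0.1 from a vif fails. The PR-QBS chain, the vif+ pattern and the addresses 10.137.4.1 / 10.137.4.254 are taken from the thread; the variable names, the dry-run layout, the drop-in path under /etc/dnsmasq.d/ and the `apply`/`dnsmasq` subcommands are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread, Qubes or Pi-hole): the rule set a
# DNS-filtering ProxyVM on Qubes 3.2 would run from
# /rw/config/qubes-firewall-user-script so AppVM DNS queries are answered by
# the local dnsmasq. PR-QBS, vif+ and the two resolver addresses come from the
# thread; everything else here is an assumption of this example.

NS1=${NS1:-10.137.4.1}        # ProxyVM's own vif address, primary DNS for AppVMs
NS2=${NS2:-10.137.4.254}      # secondary DNS address the AppVMs are given
LOCAL_DNS=${LOCAL_DNS:-$NS1}  # address where the local dnsmasq answers

# Print the commands instead of running them, so the rule set can be reviewed
# (or tested) before it touches a live firewall.
dns_rules() {
    # Qubes pre-populates PR-QBS with DNAT rules that send NS1/NS2 traffic to
    # the upstream resolver; rules appended after them never match, so flush.
    echo "iptables -t nat -F PR-QBS"
    for ns in "$NS1" "$NS2"; do
        for proto in udp tcp; do
            echo "iptables -t nat -A PR-QBS -i vif+ -d $ns -p $proto --dport 53 -j DNAT --to-destination $LOCAL_DNS"
        done
    done
    # The default Qubes INPUT policy drops traffic arriving on vif interfaces,
    # so the redirected queries must be accepted explicitly (ACCEPT, not ALLOW).
    for proto in udp tcp; do
        echo "iptables -I INPUT 1 -i vif+ -p $proto --dport 53 -j ACCEPT"
    done
    # DNAT to a loopback address from a vif only works when the kernel is told
    # not to treat 127/8 as a martian destination; with LOCAL_DNS=$NS1 this is
    # not needed, which is the simpler configuration.
    case "$LOCAL_DNS" in
        127.*) echo "sysctl -w net.ipv4.conf.all.route_localnet=1" ;;
    esac
}

# dnsmasq must listen on the vif interfaces; bind-dynamic makes it pick up vif
# devices that appear after it starts (each AppVM gets one when it boots).
dnsmasq_conf() {
    cat <<'EOF'
# drop-in for /etc/dnsmasq.d/ (assumed path): answer on every Qubes vif
interface=vif*
bind-dynamic
EOF
}

# Feed the generated commands to a shell that stops at the first failure.
apply_dns_rules() {
    dns_rules | sh -e
}

case "${1:-show}" in
    apply)   apply_dns_rules ;;   # install the rules (needs root)
    dnsmasq) dnsmasq_conf ;;      # print the dnsmasq drop-in
    *)       dns_rules ;;         # default: dry run, print the rules
esac
```

Run it without arguments to review the rules, `apply` to install them, and `dnsmasq` to print the listener configuration. Keeping `LOCAL_DNS` equal to the vif address avoids the loopback DNAT entirely, which is the same reason the 5353 netcat test in the thread worked once the DNAT rule was dropped and only the INPUT rule remained.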


Re: [qubes-users] Ad-blocking ProxyVM?

2017-02-13 Thread Joe Ruether
Ok, I need to simplify this. I need help, I don't know what I am missing. Is 
anyone able to recreate the following netcat test?

I cannot seem to get the DNAT portion of the iptables to work at all. Here is a 
very simple test:

On the proxyvm, I use the following rules to redirect port 5353 to localhost, 
and allow the connection:

iptables -t nat -I PR-QBS 1 -d 10.137.4.1 -p tcp --dport 5353 -j DNAT 
--to-destination 127.0.0.1
iptables -I INPUT 1 -p tcp --dport 5353 -j ACCEPT

Then, on the proxyvm, I run the following command to listen on that port (no 
other service is running on that port):

nc -l -p 5353

Finally, on the AppVM, I run the following command:

nc 10.137.4.1 5353

My expectation is that the two netcats will connect, however they don't. What 
do I need to do to get my AppVM to talk to my ProxyVM? Thanks

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c23efb9f-f344-4523-b24d-ed8d7406723e%40googlegroups.com.


Re: [qubes-users] Ad-blocking ProxyVM?

2017-02-12 Thread Joe Ruether
On Friday, February 10, 2017 at 6:21:49 PM UTC-5, Unman wrote:
> On Fri, Feb 10, 2017 at 04:10:06AM -0800, Joe Ruether wrote:
> > On Thursday, February 9, 2017 at 10:21:26 AM UTC-5, Unman wrote:
> > > On Thu, Feb 09, 2017 at 04:32:12AM -0800, Joe Ruether wrote:
> > > > Hello!
> > > > 
> > > > I am trying to set up a proxy vm that will redirect DNS requests to a 
> > > > local DNS server, for the purposes of adblocking.
> > > > 
> > > > Here is the setup:
> > > > 
> > > > internet <-> sys-net <-> sys-firewall <-> MY_PROXYVM <-> 
> > > > appvm_with_firefox
> > > > 
> > > > I have created a proxyvm based on a debian-8 template, and have 
> > > > installed PiHole (https://pi-hole.net/) as an adblocker. PiHole works 
> > > > by starting a DNS server (dnsmasq) and rejecting any dns queries to 
> > > > domains that serve ads.
> > > > 
> > > > If (in the proxyvm) I set the contents of /etc/resolv.conf to 127.0.0.1 
> > > > and open firefox (in the proxyvm), I can verify that the adblocker is 
> > > > working correctly.
> > > > 
> > > > The issue I am having is when I used the proxyvm as the netvm for 
> > > > another appvm. Without any other changes, my appvm's firefox has 
> > > > internet access, but the adblocker has no effect. Of course, some 
> > > > additional setup is needed, but I'm not exactly sure how to do that.
> > > > 
> > > > I'm not very good with iptables, and every attempt I have made to 
> > > > redirect DNS to 127.0.0.1 in the proxyvm has failed (and caused both 
> > > > the proxyvm and the appvm to lose the ability to browse). Here are the 
> > > > commands I ran (in the proxyvm):
> > > > 
> > > > #!/bin/bash
> > > > DNS=127.0.0.1
> > > > NS1=10.137.4.1
> > > > NS2=10.137.4.254
> > > > iptables -t nat -A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $DNS
> > > > iptables -t nat -A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $DNS
> > > > iptables -t nat -A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $DNS
> > > > iptables -t nat -A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $DNS
> > > > 
> > > > ---
> > > > 
> > > > I pieced this together from what I could find from the VPN 
> > > > documentation on the qubes website as well as the contents of 
> > > > /usr/lib/qubes/qubes-setup-dnat-to-ns
> > > > 
> > > > Running the qubes-setup-dnat-to-ns script by itself after changing 
> > > > /etc/resolv.conf (all this on the proxyvm) didn't seem to have any 
> > > > impact.
> > > > 
> > > > So! My question is, am I going about this correctly? I think I need to 
> > > > modify the iptables in the proxyvm to redirect any incoming (from the 
> > > > appvm) DNS queries to 127.0.0.1, while still allowing outgoing (to the 
> > > > internet, from the proxyvm) DNS queries to get out. Along with this, I 
> > > > think I need to ensure that there are rules that allow all other 
> > > > traffic to pass through unhindered.
> > > > 
> > > > Or is there a different, qubes-specific way of handling DNS that I 
> > > > should be using? After inspecting the sys-firewall ipconfig and 
> > > > iptables, it is clear that something behind-the-scenes is happening 
> > > > where an additional NIC is created for each attached appvm, and the 
> > > > iptables are being populated automatically somehow. I'm not sure how 
> > > > the proxyvm is supposed to get the addresses of the appvm and 
> > > > sys-firewall (my script above had addresses hardcoded).
> > > > 
> > > > Thank you for any help! If I get all this working, I'm planning on 
> > > > making a Salt file that can create the adblocking proxyvm.
> > > > 
> > > 
> > > I don't see any reason why this shouldn't work.
> > > I wouldn't be so specific in the nat rules but that's your call. Just
> > > protocol and port would suffice.
> > > 
> > > One obvious point is that you are ADDING those rules to the end of the
> > > PR-QBS chain without flushing it first. If you already have redirect
> > > rules there they will trigger first.
> > > What does your nat table look like after you run that script?
> > > 
> > > Another point may be that you don't have an

Re: [qubes-users] Ad-blocking ProxyVM?

2017-02-10 Thread Joe Ruether
On Thursday, February 9, 2017 at 10:21:26 AM UTC-5, Unman wrote:
> On Thu, Feb 09, 2017 at 04:32:12AM -0800, Joe Ruether wrote:
> > Hello!
> > 
> > I am trying to set up a proxy vm that will redirect DNS requests to a local 
> > DNS server, for the purposes of adblocking.
> > 
> > Here is the setup:
> > 
> > internet <-> sys-net <-> sys-firewall <-> MY_PROXYVM <-> appvm_with_firefox
> > 
> > I have created a proxyvm based on a debian-8 template, and have installed 
> > PiHole (https://pi-hole.net/) as an adblocker. PiHole works by starting a 
> > DNS server (dnsmasq) and rejecting any dns queries to domains that serve 
> > ads.
> > 
> > If (in the proxyvm) I set the contents of /etc/resolv.conf to 127.0.0.1 and 
> > open firefox (in the proxyvm), I can verify that the adblocker is working 
> > correctly.
> > 
> > The issue I am having is when I used the proxyvm as the netvm for another 
> > appvm. Without any other changes, my appvm's firefox has internet access, 
> > but the adblocker has no effect. Of course, some additional setup is 
> > needed, but I'm not exactly sure how to do that.
> > 
> > I'm not very good with iptables, and every attempt I have made to redirect 
> > DNS to 127.0.0.1 in the proxyvm has failed (and caused both the proxyvm and 
> > the appvm to lose the ability to browse). Here are the commands I ran (in 
> > the proxyvm):
> > 
> > #!/bin/bash
> > DNS=127.0.0.1
> > NS1=10.137.4.1
> > NS2=10.137.4.254
> > iptables -t nat -A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $DNS
> > iptables -t nat -A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $DNS
> > iptables -t nat -A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $DNS
> > iptables -t nat -A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $DNS
> > 
> > ---
> > 
> > I pieced this together from what I could find from the VPN documentation on 
> > the qubes website as well as the contents of 
> > /usr/lib/qubes/qubes-setup-dnat-to-ns
> > 
> > Running the qubes-setup-dnat-to-ns script by itself after changing 
> > /etc/resolv.conf (all this on the proxyvm) didn't seem to have any impact.
> > 
> > So! My question is, am I going about this correctly? I think I need to 
> > modify the iptables in the proxyvm to redirect any incoming (from the 
> > appvm) DNS queries to 127.0.0.1, while still allowing outgoing (to the 
> > internet, from the proxyvm) DNS queries to get out. Along with this, I 
> > think I need to ensure that there are rules that allow all other traffic to 
> > pass through unhindered.
> > 
> > Or is there a different, qubes-specific way of handling DNS that I should 
> > be using? After inspecting the sys-firewall ipconfig and iptables, it is 
> > clear that something behind-the-scenes is happening where an additional NIC 
> > is created for each attached appvm, and the iptables are being populated 
> > automatically somehow. I'm not sure how the proxyvm is supposed to get the 
> > addresses of the appvm and sys-firewall (my script above had addresses 
> > hardcoded).
> > 
> > Thank you for any help! If I get all this working, I'm planning on making a 
> > Salt file that can create the adblocking proxyvm.
> > 
> 
> I don't see any reason why this shouldn't work.
> I wouldn't be so specific in the nat rules but that's your call. Just
> protocol and port would suffice.
> 
> One obvious point is that you are ADDING those rules to the end of the
> PR-QBS chain without flushing it first. If you already have redirect
> rules there they will trigger first.
> What does your nat table look like after you run that script?
> 
> Another point may be that you don't have an incoming rule in the INPUT
> chain allowing inbound traffic to the DNS ports. Unless you've changed
> this the default rule will block inbound traffic from any vif interface.
> So you need to ensure you are allowing that traffic with an:
> iptables -I INPUT -i vif+ -p udp --dport 53 -j ACCEPT
> 
> Finally, you need to consider the effects of the qubes-firewall and
> qubes-netwatcher services.
> If you want to retain these you can use
> /rw/config/qubes-firewall-user-script to override the automatic Qubes
> configuration and insert your own iptables rules.
> You can also use rc.local to set initial iptables rules.
> Remember to make those files executable if you want to use them.
> 
> Most of this is in the docs, although not easy to find.
> 
> Hope this helps
> 
> unman

Thank you for your help, I have more information about my configuration below. 
I am confident that I have an

[qubes-users] Ad-blocking ProxyVM?

2017-02-09 Thread Joe Ruether
Hello!

I am trying to set up a proxy vm that will redirect DNS requests to a local DNS 
server, for the purposes of adblocking.

Here is the setup:

internet <-> sys-net <-> sys-firewall <-> MY_PROXYVM <-> appvm_with_firefox

I have created a proxyvm based on a debian-8 template, and have installed 
PiHole (https://pi-hole.net/) as an adblocker. PiHole works by starting a DNS 
server (dnsmasq) and rejecting any dns queries to domains that serve ads.

If (in the proxyvm) I set the contents of /etc/resolv.conf to 127.0.0.1 and 
open firefox (in the proxyvm), I can verify that the adblocker is working 
correctly.

The issue I am having is when I used the proxyvm as the netvm for another 
appvm. Without any other changes, my appvm's firefox has internet access, but 
the adblocker has no effect. Of course, some additional setup is needed, but 
I'm not exactly sure how to do that.

I'm not very good with iptables, and every attempt I have made to redirect DNS 
to 127.0.0.1 in the proxyvm has failed (and caused both the proxyvm and the 
appvm to lose the ability to browse). Here are the commands I ran (in the 
proxyvm):

#!/bin/bash
# local resolver (dnsmasq started by PiHole) that should answer the AppVM's queries
DNS=127.0.0.1
# the two nameserver addresses Qubes hands to the AppVM
NS1=10.137.4.1
NS2=10.137.4.254
# rewrite DNS queries addressed to either nameserver so they land on the local resolver
iptables -t nat -A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $DNS
iptables -t nat -A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $DNS
iptables -t nat -A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $DNS
iptables -t nat -A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $DNS

---

I pieced this together from what I could find from the VPN documentation on the 
qubes website as well as the contents of /usr/lib/qubes/qubes-setup-dnat-to-ns

Running the qubes-setup-dnat-to-ns script by itself after changing 
/etc/resolv.conf (all this on the proxyvm) didn't seem to have any impact.

So! My question is, am I going about this correctly? I think I need to modify 
the iptables in the proxyvm to redirect any incoming (from the appvm) DNS 
queries to 127.0.0.1, while still allowing outgoing (to the internet, from the 
proxyvm) DNS queries to get out. Along with this, I think I need to ensure that 
there are rules that allow all other traffic to pass through unhindered.

Or is there a different, qubes-specific way of handling DNS that I should be 
using? After inspecting the sys-firewall ipconfig and iptables, it is clear 
that something behind-the-scenes is happening where an additional NIC is 
created for each attached appvm, and the iptables are being populated 
automatically somehow. I'm not sure how the proxyvm is supposed to get the 
addresses of the appvm and sys-firewall (my script above had addresses 
hardcoded).

Thank you for any help! If I get all this working, I'm planning on making a 
Salt file that can create the adblocking proxyvm.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7df5d8c4-e52f-4eec-bbea-6c9646c9d3a7%40googlegroups.com.


Re: [qubes-users] Having trouble configuring VMs with Salt / qubesctl

2017-02-06 Thread Joe Ruether
On Monday, February 6, 2017 at 6:08:09 PM UTC-5, john.david.r.smith wrote:
> On 07/02/17 00:01, Joe Ruether wrote:
> > Hello! I am using Qubes 3.2 and I am attempting to automate the 
> > configuration of my VMs using the Salt / qubesctl management stack.
> >
> > I am very new to salt, but I have been experimenting and I think I 
> > understand how it works. I have written some state files to configure dom0 
> > and I haven't had any problems with those.
> >
> > The problem I am running into is that whenever I try to do anything at all 
> > with a VM, it seems that the qubesctl process just hangs. I've let it run 
> > overnight just to see, and it definitely isn't doing anything. I also don't 
> > know how to make it more verbose so I can debug the issue.
> >
> > Here are the contents of my top file, /srv/salt/custom/setup.top:
> >
> > base:
> >   dom0:
> >     - custom.template.fedora-24
> >
> >   fedora-24:
> >     - custom.up-to-date
> >
> > ---
> >
> > The goal I am trying to accomplish is to install the fedora-24 template, 
> > then update the packages on it. Here is my custom.template.fedora-24.sls:
> >
> > #!pyobjects
> > Pkg.installed("qubes-template-fedora-24")
> > Qvm.prefs("fedora-24", label="black", netvm="sys-firewall")
> >
> > ---
> >
> > And here is my custom.up-to-date.sls:
> >
> > #!pyobjects
> >
> > system = grains("id")
> > #Pkg.uptodate(system, refresh=True)
> > Test.nop(system)
> >
> > ---
> >
> > Notice how I commented out the uptodate function and replaced it with a 
> > nop, with the intention of just getting it to return true.
> > When I run the following command, dom0 successfully installs and configures 
> > the fedora-24 template, and the fedora-24 template is started, but after 
> > that, it freezes:
> >
> > qubesctl --all state.highstate
> >
> > CTRL-C doesn't give me back a prompt, instead I get errors regarding pool 
> > workers. I end up using CTRL-Z and issuing a "killall -9 qubesctl" to make 
> > it stop.
> >
> > I don't know how to get more information on the VM to discover what is 
> > going wrong. I have (manually) fully updated dom0 and restarted the 
> > physical computer. Any tips would be much appreciated. Thank you!
> >
> i never had this kind of problem and can't really help you with your 
> sls-files, since i am only used to the yaml + jinja form.
> but you could take a look at the documentation for debugging salt:
> https://www.qubes-os.org/doc/salt/#debugging

I figured out my issue, at some point during my experiments I switched the 
default template to debian-8. It took me a while to find the disp-mgmt-* VMs, 
they were hidden and it wasn't clear that they were being used. Apparently, I 
was hitting this bug because I haven't updated my debian-8 template yet (I was 
going to update it with salt! chicken-and-egg problem...)
https://github.com/QubesOS/qubes-issues/issues/

Anyway, it looks like I am good to go for now, thanks!

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ab51c88f-f065-4dbc-8c4b-cfbbc36d4a9c%40googlegroups.com.


[qubes-users] Having trouble configuring VMs with Salt / qubesctl

2017-02-06 Thread Joe Ruether
Hello! I am using Qubes 3.2 and I am attempting to automate the configuration 
of my VMs using the Salt / qubesctl management stack.

I am very new to salt, but I have been experimenting and I think I understand 
how it works. I have written some state files to configure dom0 and I haven't 
had any problems with those.

The problem I am running into is that whenever I try to do anything at all with 
a VM, it seems that the qubesctl process just hangs. I've let it run overnight 
just to see, and it definitely isn't doing anything. I also don't know how to 
make it more verbose so I can debug the issue.

Here are the contents of my top file, /srv/salt/custom/setup.top:

base:
  dom0:
    - custom.template.fedora-24

  fedora-24:
    - custom.up-to-date

---

The goal I am trying to accomplish is to install the fedora-24 template, then 
update the packages on it. Here is my custom.template.fedora-24.sls:

#!pyobjects
Pkg.installed("qubes-template-fedora-24")
Qvm.prefs("fedora-24", label="black", netvm="sys-firewall")

---

And here is my custom.up-to-date.sls:

#!pyobjects

system = grains("id")
#Pkg.uptodate(system, refresh=True)
Test.nop(system)

---

Notice how I commented out the uptodate function and replaced it with a nop, 
with the intention of just getting it to return true.
When I run the following command, dom0 successfully installs and configures the 
fedora-24 template, and the fedora-24 template is started, but after that, it 
freezes:

qubesctl --all state.highstate

CTRL-C doesn't give me back a prompt, instead I get errors regarding pool 
workers. I end up using CTRL-Z and issuing a "killall -9 qubesctl" to make it 
stop.

I don't know how to get more information on the VM to discover what is going 
wrong. I have (manually) fully updated dom0 and restarted the physical 
computer. Any tips would be much appreciated. Thank you!

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/81866bb4-7d1c-4edc-89a2-52a172a17164%40googlegroups.com.