June 6, 2023, 2:39am
Hello,
I upgraded to 4.2 rc1 and I can’t get my openvpn DNS script working in the new app qubes (tried fedaora 37 and 38).
Openvpn works fine, but the script that uses iptables to take over DNS requests fails. For example:
# sudo iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to 10.3.0.1
iptables: No chain/target/match by that name.
The VPN is working, just no automatic DNS
Everything works fine on Qubes 4.2 with a fedora 36 qube restored from Qubes 4.1 backups.
Qubes dropped iptables support and replaced it with nftables:
DomU firewalls have completely switched to nftables. Users should add their custom rules to the custom-input and custom-forward chains. (#5031, #6062)
Instead of:
sudo iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to 10.3.0.1
Use:
sudo nft add rule ip qubes dnat-dns iifgroup 2 udp dport 53 dnat to 10.3.0.1
June 6, 2023, 6:43am
Thanks, still got an error, but you got me on the right track. Learning how to configure nft chains so I should be able to figure it out. (Error: Could not process rule: No such file or directory).
You can see an example here:
PR: tasket:master ← 1cho1ce:replace-iptables-with-nftables (opened 07:01PM - 25 May 23 UTC)
Qubes dropped iptables support and replaced it with nftables:
https://github.co… m/QubesOS/qubes-core-agent-linux/commit/28b95535c7cbd15543c804e822c0e4c997f5966e
This pull request replaces iptables with nftables.
Removed `allow established input` rules from `proxy-firewall-restrict` since they are already present in nft tables ip/ip6 qubes.
TODO: Need to think of a better way to check in `--check-firewall` in `qubes-vpn-setup` script if the forward drop rules are present (or `proxy-firewall-restrict` script finished successfully).
June 8, 2023, 11:07pm
Perfect, thanks so much @1choice as I was able to get it working looking at the PR you linked. I wasn't grabbing the source addrs for qubes NS servers in /var/run/qubes/qubes-ns and adding rules with them as a dest addr.
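Putting the two answers together (the nft form of the DNAT rule from the second post, and the nameserver addresses from /var/run/qubes/qubes-ns from the last one), here is an added shell example; it is not code from this thread or from the linked PR. It assumes the file holds lines like "NS1 10.139.1.1" and that the ip qubes table and its dnat-dns chain already exist in the VPN qube.

```shell
#!/bin/sh
# Added example, not from the thread: redirect DNS queries that downstream
# qubes send to the Qubes-provided nameservers to the VPN's DNS server.
# Assumptions: /var/run/qubes/qubes-ns holds lines like "NS1 10.139.1.1";
# table "ip qubes" with chain "dnat-dns" exists (as the thread states).

VPN_DNS="${VPN_DNS:-10.3.0.1}"                  # DNS server reachable inside the tunnel
QUBES_NS_FILE="${QUBES_NS_FILE:-/var/run/qubes/qubes-ns}"

# Print the nft commands for the nameserver list read on stdin.
# Each Qubes NS address gets a UDP and a TCP DNAT rule toward $1, matching only
# traffic arriving from downstream qubes (iifgroup 2), so the qube's own
# queries to the VPN DNS are left untouched.
gen_dns_rules() {
    dns="$1"
    echo "nft flush chain ip qubes dnat-dns"
    while read -r _name addr; do
        # skip blank lines and anything that is not a dotted IPv4 address
        case "$addr" in
            ''|*[!0-9.]*) continue ;;
        esac
        for proto in udp tcp; do
            echo "nft add rule ip qubes dnat-dns iifgroup 2 ip daddr $addr $proto dport 53 dnat to $dns"
        done
    done
}

# Apply the generated commands one by one (run as root inside the VPN qube).
# Stops at the first failing command so a half-applied ruleset is noticed.
apply_dns_rules() {
    gen_dns_rules "$VPN_DNS" < "$QUBES_NS_FILE" | while read -r cmd; do
        sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Dry run on constructed sample content (the real file is only read by apply_dns_rules).
if [ "${1:-}" = "--dry-run" ]; then
    printf 'NS1 10.139.1.1\nNS2 10.139.1.2\n' | gen_dns_rules "$VPN_DNS"
fi
```

Run with --dry-run to review the commands before calling apply_dns_rules; afterwards `nft list chain ip qubes dnat-dns` shows what was installed.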