[4.2] VPN configuration: iptables: No chain/target/match by that name in Qubes 4.2.rc1


I upgraded to 4.2 rc1 and I can’t get my openvpn DNS script working in the new app qubes (tried fedaora 37 and 38).

Openvpn works fine, but the script that uses iptables to take over DNS requests fails. For example:

# sudo iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to
iptables: No chain/target/match by that name.

The VPN is working, just no automatic DNS :confused:

Everything works fine on Qubes 4.2 with a fedora 36 qube restored from Qubes 4.1 backups).

Qubes dropped iptables support and replaced it with nftables:

  • DomU firewalls have completely switched to nftables. Users should add their custom rules to the custom-input and custom-forward chains. (#5031, #6062)

Instead of:
sudo iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to
sudo nft add rule ip qubes dnat-dns iifgroup 2 udp dport 53 dnat to

Thanks, still got an error, but you got me on the right track. Learning how to configure nft chains so I should be able to figure it out. (Error: Could not process rule: No such file or directory).

You can see an example here:

Perfect, thanks so much @1choice as I was able to get it working looking at the PR you linked. I wasn’t grabbing the source addrs for qubes NS severs in /var/run/qubes/qubes-ns and adding rules with them as a dest addr.