Is anyone here familiar with nftables and the way qubes handles firewalling? I’m having some troubles trying to get a proxy tool running in tproxy mode on qubes.
Tproxy uses the firewall and routing tables to intercept traffic without needing a tun virtual interface which means the proxy tool can run without root.
My nftables rules work ok when they run just inside tproxy-netvm. But tproxy-netvm can not provide network to other vm.
The rule I set in the prerouting chain fail to tproxy to port for some reason and they all enter input chain eventually.
meta l4proto { tcp, udp } counter packets 30 bytes 1970 meta mark set 0x00000001 counter packets 30 bytes 1970 tproxy to :8090 counter packets 0 bytes 0 accept
Nftables rules:
table ip qubes {
set private {
type ipv4_addr
flags interval
elements = { 0.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.88.99.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4 }
}
set downstream {
type ipv4_addr
elements = { 10.137.0.1 }
}
set allowed {
type ifname . ipv4_addr
elements = { "vif43.0" . 10.137.0.1 }
}
chain direct {
meta l4proto != { tcp, udp } counter packets 0 bytes 0 accept
ip daddr @private counter packets 0 bytes 0 accept comment "Private IP"
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
oifgroup 2 accept
oif "lo" accept
masquerade
}
chain prerouting-tproxy {
type filter hook prerouting priority mangle; policy accept;
iifname "vif41.0" counter packets 0 bytes 0
iifname "eth0" counter packets 0 bytes 0
ip saddr 10.137.0.1 counter packets 30 bytes 1970
ip daddr 10.139.1.1 counter packets 14 bytes 914
ip daddr 10.139.1.2 counter packets 16 bytes 1056
jump direct
meta l4proto { tcp, udp } counter packets 30 bytes 1970 meta mark set 0x00000001 counter packets 30 bytes 1970 tproxy to :8090 counter packets 0 bytes 0 accept
counter packets 30 bytes 1970
}
chain input {
type filter hook input priority filter; policy drop;
ct state established,related accept
iif "lo" accept
iifgroup 2 counter packets 30 bytes 1970 reject with icmp host-prohibited
counter packets 0 bytes 0
}
chain forward {
type filter hook forward priority filter; policy accept;
ct state established,related accept
oifgroup 2 counter packets 0 bytes 0 drop
}
chain output {
type route hook output priority filter; policy accept;
meta mark 0x000000ff counter packets 0 bytes 0 accept comment "Match package singbox output"
jump direct
meta l4proto { tcp, udp } meta mark set 0x00000001 counter packets 0 bytes 0 counter packets 0 bytes 0 accept comment "Reroute"
counter packets 0 bytes 0
}
}