How to route all traffic in VM through local port?

General task: route traffic through a nym->tor chain. Ubuntu 20.04, qubes 4.0, kernel 5.4.88-1.
Subtask: route all the VM traffic to a local port with a socks5 proxy to use it as a network VM.
Which iptables rules should I deploy? I’ve found this article, but I don’t know how compatible it is with a qubes VM (and actually I have never done anything with iptables). Has anyone done something like this?

My current iptables chains:

Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             state INVALID
DROP       udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
QBS-FORWARD  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain QBS-FORWARD (1 references)
target     prot opt source               destination

Reason why I can’t just run nym’s socks5 on a whonix gateway and use SOCKS5Proxy in torrc: nym’s client requires libc 2.29+ and whonix gw-15 has only 2.28 (since it is based on debian stable). Manually upgrading libc is strongly advised against since it’s a core system part (also probably that’s too nerdy and time-consuming/bug-generating).
New debian stable will be released in a month (I guess), so we’ll see new whonix version too in some time.

Ok so I’ve done this part. You just install redsocks (routes “transparent” tcp packets to socks5) and create some iptables rules.

iptables -t nat -N REDSOCKS
iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 100.64.0.0/10 -j RETURN
iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A REDSOCKS -d 192.0.0.0/24 -j RETURN
iptables -t nat -A REDSOCKS -d 192.0.2.0/24 -j RETURN
iptables -t nat -A REDSOCKS -d 192.88.99.0/24 -j RETURN
iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 198.18.0.0/15 -j RETURN
iptables -t nat -A REDSOCKS -d 198.51.100.0/24 -j RETURN
iptables -t nat -A REDSOCKS -d 203.0.113.0/24 -j RETURN
iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN
iptables -t nat -A REDSOCKS -d 255.255.255.255 -j RETURN
iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner user -j REDSOCKS
service redsocks restart

All from root. This will exclude all the local addresses from rerouting by redsocks (if the proxy is not local, add the proxy IP to that list too) and route all tcp from the user “user” to port “12345”. Write this in a script and add this script to crontab because iptables refreshes with each reboot (or google on persistent iptables idk).
Then edit configuration at /etc/redsocks.conf, after installation there’s example conf in this file, but probably all you need is something like this:

redsocks {
        local_ip = 127.0.0.1;
        local_port = 12345;  // must match --to-ports in the REDIRECT rule
        ip = 127.0.0.1;
        port = 1080;
        type = socks5;
}

Restart redsocks, open a console as user “user” and run “curl https://ifconfig.me” to check the IP. If you use a local socks port, then you probably use some local software for it - run this software from another user to avoid looping (since “user”'s connections are forwarded to the proxy). I guess this is it. Not really related to qubes tho, but hope it will be useful for someone someday.
Btw I’m unsure for udp and dns traffic. Both are semi-compatible with socks5 and redsocks seems to support udp as stated in its docs but I don’t understand stuff.
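
An added example, not part of the original posts: an offline shell check that the port in the REDIRECT rule equals redsocks' local_port, and that reports whether any OUTPUT rule matches UDP, since the rules above only match `-p tcp`. The function names, the sample rule dump (in `iptables -t nat -S` format) and the two config files are constructed for illustration.

```shell
#!/bin/sh
# Added example: consistency check for a redsocks transparent-proxy setup.
# Function names and sample files are constructed, not from the posts.

# Port the REDSOCKS chain redirects to, read from `iptables -t nat -S` output.
redirect_port() {
    awk '$1 == "-A" && $2 == "REDSOCKS" {
             for (i = 3; i < NF; i++) if ($i == "--to-ports") { print $(i + 1); exit }
         }' "$1"
}

# local_port of the redsocks { } section in a redsocks.conf file.
listen_port() {
    awk '/redsocks[ \t]*[{]/ { s = 1; next }
         s && /[}]/          { s = 0 }
         s && /local_port/   { sub(/.*=/, ""); sub(/;.*/, ""); gsub(/[ \t]/, ""); print; exit }' "$1"
}

# Succeeds only when both ports were found and are equal.
ports_match() {
    rp=$(redirect_port "$1"); lp=$(listen_port "$2")
    [ -n "$rp" ] && [ "$rp" = "$lp" ]
}

# Succeeds when no OUTPUT rule matches UDP, i.e. DNS/UDP is not redirected.
udp_unhandled() {
    ! grep -Eq -- '^-A OUTPUT .*-p udp' "$1"
}

# Constructed sample input: a rule dump and two configs (matching / mistyped port).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/nat.rules" <<'EOF'
-N REDSOCKS
-A OUTPUT -p tcp -m owner --uid-owner 1000 -j REDSOCKS
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
EOF
printf 'redsocks {\n\tlocal_ip = 127.0.0.1;\n\tlocal_port = 12345;\n\tip = 127.0.0.1;\n\tport = 1080;\n\ttype = socks5;\n}\n' > "$tmp/good.conf"
sed 's/local_port = 12345/local_port = 12346/' "$tmp/good.conf" > "$tmp/bad.conf"

for conf in good bad; do
    if ports_match "$tmp/nat.rules" "$tmp/$conf.conf"; then r=consistent; else r=MISMATCH; fi
    echo "$conf.conf: REDIRECT $(redirect_port "$tmp/nat.rules") vs local_port $(listen_port "$tmp/$conf.conf"): $r"
done
udp_unhandled "$tmp/nat.rules" && echo "UDP/DNS from this user is not redirected by these rules"
```

On a live system, feed it the output of `iptables -t nat -S` saved to a file and the path /etc/redsocks.conf in place of the sample files.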