I'm trying to block an IP address from within Qubes firewall

Hi,

I’m hoping someone can help me. I found a few posts and did some research on the web but nothing works for my situation.

I'm trying to block all qubes from accessing an internal IP on the LAN, specifically 192.168.1.1. I don't want to block it from the router because I still need one qube that I trust to access that IP. For now my priority is to block 192.168.1.1 from all qubes and then work on allowing one qube access as an exception.

I tried the following below in the default-dvm template in the file /rw/config/qubes-firewall-user-script:

nft add rule ip filter input ip saddr 192.168.1.1 counter drop
nft insert rule inet fw4 forward ip saddr 192.168.1.1 counter drop

I did a 'refresh applications', which forces the changes to the firewall, and restarted sys-firewall/sys-net; however, I can still ping 192.168.1.1 from my qubes.


Your nftables rules are incorrect. The filter table does not exist.

To block all qubes from accessing it, the correct one would be this in sys-firewall:

nft add rule ip qubes custom-forward ip daddr 192.168.1.1 counter drop

And to allow a single qube:

nft insert rule ip qubes custom-forward ip saddr <internal qube IP> ip daddr 192.168.1.1 counter accept

Thanks DVM. This works exactly as needed.

For others looking at this solution, make sure to edit /rw/config/qubes-firewall-user-script with your rules in the default-dvm template. This way your settings will persist on reboots, as the firewall qube is a disposable VM.

This rule was used to block access to the router, which resides on 192.168.1.1; however, an exception to unblock one trusted qube was needed for administration.

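Putting the answer and the persistence note together as one file: the script below is an added example, not the thread's own script or anything shipped by Qubes OS. It is written as the /rw/config/qubes-firewall-user-script that the Qubes firewall service runs inside the firewall qube after it has created the `ip qubes` table and its `custom-forward` chain, so the rules land in the chain the answer names. The trusted qube's internal IP (10.137.0.20 here) is an assumed placeholder; in dom0, `qvm-ls --fields NAME,IP` shows the real value. The rule order is the point the answer encodes with `insert` versus `add`: nft walks a chain top to bottom and stops at the first terminal verdict, so the accept for the trusted qube must sit above the drop, which is what loading them in this order via `nft -f` guarantees.

```shell
#!/bin/sh
# /rw/config/qubes-firewall-user-script
# Example (not from the thread): block one LAN address for every qube routed
# through this firewall qube, except for a single trusted qube.
# Assumed values: ROUTER_IP is the address to block, TRUSTED_QUBE_IP is the
# internal IP of the qube that may still reach it (qvm-ls --fields NAME,IP in dom0).
set -eu

ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
TRUSTED_QUBE_IP="${TRUSTED_QUBE_IP:-10.137.0.20}"   # placeholder; replace with your qube's IP

# Emit the ruleset fragment that nft -f loads. The accept must precede the
# drop: nft stops at the first terminal verdict in the chain.
qubes_fw_rules() {
    cat <<EOF
# Start from an empty chain so re-running this script never stacks duplicates.
# (Only do this if every custom forward rule you use lives in this file.)
flush chain ip qubes custom-forward
add rule ip qubes custom-forward ip saddr $TRUSTED_QUBE_IP ip daddr $ROUTER_IP counter accept
add rule ip qubes custom-forward ip daddr $ROUTER_IP counter drop
EOF
}

# Load the fragment atomically: nft -f applies the whole file or nothing,
# so a syntax error cannot leave the chain half-changed.
qubes_fw_apply() {
    qubes_fw_rules | nft -f -
}

# Inspect the chain with its live counters: the accept counter moves when the
# trusted qube talks to the router, the drop counter when any other qube tries.
qubes_fw_show() {
    nft list chain ip qubes custom-forward
}

# Apply only when executed as the installed user-script. When this file is
# sourced or run under another name (e.g. to preview the rules) nothing changes.
case "$0" in
    */qubes-firewall-user-script) qubes_fw_apply ;;
esac
```

Two caveats a practitioner would check. First, these are forward rules: they only affect traffic that passes through this firewall qube, so a qube whose NetVM is sys-net directly, or one behind a different firewall qube, is not covered. Second, after a qube pings 192.168.1.1, `nft list chain ip qubes custom-forward` inside the firewall qube should show the drop counter incrementing; if the counters stay at zero, the rules are loaded in a qube the traffic never crosses.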