Iptables not available in sys-net in Qubes OS 4.2.1

Hello,

I have discovered that “iptables” is not available anymore in Qubes OS 4.2.1. I used it in Qubes 4.1.2 to declare 1 PREROUTING, FORWARD, POSTROUTING rule. Of course, I had to re-issue the commands again after a restart.
The thing now is that iptables is not installed on sys-net anymore. Is there another app that took its place?

I installed iptables and my rules don’t seem to work, plus after restart I need to reinstall the iptables again.

Any solutions?

Iptables was replaced with nftables so you’ll need to change your iptables rules to nftables ones.
You can check the examples here:


@apparatus - you are everywhere. Thank you for your time and support answering my requests.

But is this something new? I do remember the Firewall tab for any AppVM. What you sent is the same thing or different and only at sys-firewall level implemented?

There are some examples for using nftables firewall and its rules in Qubes OS 4.2.1.
For example, you can compare “Enabling networking between two qubes” part of the guide for Qubes OS 4.1 and Qubes OS 4.2:

And there would be iptables and nftables rules that will do the same thing and you can understand how to convert your iptables rules to the nftables rules properly.
You can also check this as an example of iptables->nftables conversion:

@apparatus ty for your reply on this.

I have tried to convert the iptables rule into nft rules but only the FORWARD one worked.

What I want to achieve here is the following functionality:

  1. I have a local web server on an AppVM (droppy using docker and portainer for who knows)
  2. I want to access it from the other AppVMs
  3. I want to access it from outside qubes. Qubes machine is connected to a router (RouterB). My local network is connected to RouterA where RouterB is also connected. So, all the requests from my local network are coming through RouterB to my Qubes machine. (everything is set into the RouterB in terms of port forwarding etc)

On Qubes 4.1.2 I had the following rules that worked:

iptables -I PREROUTING -t nat -p tcp -d <Qubes_IP_on_physical_interface> --dport 56789 -j DNAT --to-destination <AppVM1_IP>:56789

iptables -I FORWARD -m state -p tcp -d <AppVM1_IP> --dport 56789 --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -I POSTROUTING -t nat -p tcp -d <AppVM1_IP> --sport 56789 -j SNAT --to-source <Qubes_IP_on_physical_interface>:56789

Context: I put the web server on AppVM1
Where should I connect AppVM1? To sys-net or sys-firewall? I know, it must be under sys-firewall but…
If it’s on sys-net it’s easier to be accessed from my local network
If it’s on sys-firewall it’s easier to be accessed from other Qubes VMs but I suppose I need to implement some rules in sys-net as well to forward/route my request from local network to sys-firewall.

I managed to import the forward rule in sys-firewall like this:

sudo nft add rule ip qubes custom-forward ip daddr <AppVM1_IP> ct state new,related,established tcp dport 56789 counter accept

This ^ rule works, I can access my web server from other AppVMs as long as all the AppVMs are connected to sys-firewall

Now I am trying to convert 2 rules (for PREROUTING and POSTROUTING). Somehow… nothing works.
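The conversion the thread is about (the three iptables rules above into nft syntax) can be done mechanically for this small subset of iptables options. The script below is an added example, not code from the Qubes OS docs or from anyone in this thread; it handles exactly the options used above (-I/-A, -t, -p, -s/-d, -i, --sport/--dport, -m state --state, -j ACCEPT/DNAT/SNAT with --to-destination/--to-source) and keeps the iptables -I/-A distinction by emitting `nft insert rule` versus `nft add rule`. The chain mapping is a parameter: the generic `ip nat`/`ip filter` layout is the default, and QUBES_CHAINS maps onto the `qubes` table chains named later in the thread (custom-forward, custom-dnat-qubeDEST); because the thread names no custom POSTROUTING chain for Qubes 4.2, that mapping deliberately leaves POSTROUTING out and the translator raises instead of guessing. The IP addresses in the comments are constructed sample values.

```python
"""Translate the subset of iptables syntax used in the thread into nft commands.
Added example; not part of the Qubes OS documentation."""
import shlex

# Generic nftables layout (stock "nat"/"filter" tables). Chain names here are
# the usual lowercase ones; adjust to whatever your ruleset actually contains.
DEFAULT_CHAINS = {
    ("nat", "PREROUTING"): ("ip nat", "prerouting"),
    ("filter", "FORWARD"): ("ip filter", "forward"),
    ("nat", "POSTROUTING"): ("ip nat", "postrouting"),
}

# Qubes OS 4.2 custom chains as named in this thread. No custom POSTROUTING
# chain is named there, so it is intentionally absent (assumption: you add
# your own entry once you know which chain your SNAT rule belongs in).
QUBES_CHAINS = {
    ("nat", "PREROUTING"): ("ip qubes", "custom-dnat-qubeDEST"),
    ("filter", "FORWARD"): ("ip qubes", "custom-forward"),
}


def parse_iptables(cmd):
    """Parse one iptables command line into a flat dict of match/target fields."""
    toks = shlex.split(cmd)
    if toks and toks[0] == "sudo":
        toks = toks[1:]
    if not toks or toks[0] != "iptables":
        raise ValueError("expected an iptables command line")
    spec = {"table": "filter", "chain": None, "insert": False, "proto": None,
            "saddr": None, "daddr": None, "iif": None, "sport": None,
            "dport": None, "states": [], "target": None, "to": None}
    i = 1
    while i < len(toks):
        opt = toks[i]
        if opt in ("-I", "-A"):
            spec["chain"], spec["insert"] = toks[i + 1], opt == "-I"
            i += 2
            if i < len(toks) and toks[i].isdigit():  # optional rule position
                i += 1
            continue
        simple = {"-t": "table", "-p": "proto", "-s": "saddr", "-d": "daddr",
                  "-i": "iif", "--sport": "sport", "--dport": "dport",
                  "-j": "target", "--to-destination": "to", "--to-source": "to"}
        if opt in simple:
            spec[simple[opt]] = toks[i + 1]
        elif opt == "-m":          # match extension name; only "state" is expected
            pass
        elif opt == "--state":     # iptables uses upper case, nft wants lower case
            spec["states"] = [s.lower() for s in toks[i + 1].split(",")]
        else:
            raise ValueError(f"unsupported option: {opt}")
        i += 2
    if spec["chain"] is None or spec["target"] is None:
        raise ValueError("rule needs a chain (-I/-A) and a target (-j)")
    return spec


def to_nft(cmd, chains=DEFAULT_CHAINS):
    """Return the nft command equivalent to one iptables command."""
    s = parse_iptables(cmd)
    key = (s["table"], s["chain"])
    if key not in chains:
        raise ValueError(f"no nftables chain mapped for iptables {key}")
    family_table, chain = chains[key]
    proto = s["proto"].lower() if s["proto"] else None
    parts = []
    if s["iif"]:
        parts.append(f'iifname "{s["iif"]}"')
    if s["saddr"]:
        parts.append(f"ip saddr {s['saddr']}")
    if s["daddr"]:
        parts.append(f"ip daddr {s['daddr']}")
    if (s["sport"] or s["dport"]) and proto not in ("tcp", "udp"):
        raise ValueError("--sport/--dport need -p tcp or -p udp")
    if s["sport"]:
        parts.append(f"{proto} sport {s['sport']}")
    if s["dport"]:
        parts.append(f"{proto} dport {s['dport']}")
    if proto and not (s["sport"] or s["dport"]):
        parts.append(f"ip protocol {proto}")
    if s["states"]:
        parts.append("ct state " + ",".join(s["states"]))
    parts.append("counter")  # so you can watch hits with `nft list ruleset`
    target, to = s["target"].upper(), s["to"]
    verdicts = {"ACCEPT": "accept", "DROP": "drop",
                "DNAT": f"dnat to {to}", "SNAT": f"snat to {to}"}
    if target not in verdicts or (target in ("DNAT", "SNAT") and not to):
        raise ValueError(f"unsupported target: {target}")
    parts.append(verdicts[target])
    verb = "insert" if s["insert"] else "add"  # -I prepends, -A appends
    return f"nft {verb} rule {family_table} {chain} " + " ".join(parts)


if __name__ == "__main__":
    # Constructed sample values: 192.168.10.5 as the Qubes IP, 10.137.0.18 as AppVM1.
    for rule in [
        "iptables -I PREROUTING -t nat -p tcp -d 192.168.10.5 --dport 56789 -j DNAT --to-destination 10.137.0.18:56789",
        "iptables -I FORWARD -m state -p tcp -d 10.137.0.18 --dport 56789 --state NEW,ESTABLISHED,RELATED -j ACCEPT",
    ]:
        print(to_nft(rule, QUBES_CHAINS))
```

Run it in a disposable qube and paste the printed commands into the qube that owns the chain (the DNAT rule into sys-net, the forward rule into sys-net or sys-firewall as the guide places it); the `counter` keyword is kept on every rule so hits can be read back with `sudo nft list ruleset`.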

This is covered in the firewall guide:

Either:

Or:

Now I read carefully and I understood what I have to do but I still have a question.
“For the following example, we assume that the physical interface ens6 in sys-net is on the local network 192.168.x.y with the IP 192.168.x.n, and that the IP address of sys-firewall is 10.137.1.z.”

In the rules it is used “192.168.x.y/24”. If my local network between RouterB and Qubes machine is 192.168.10.x, in the rule I should put 192.168.10.0/24 right?

Yes.

It is not working and I don’t understand why. It is not hard to execute some commands and check them in the nft tables. Everything seems to be exactly as in the description here.
## Port forwarding to a qube from the outside world

Just to be sure it is not something RouterB related, I connected another device to the RouterB and I still can’t access the web. The web page was tested in the AppVM1 with its IP:PORT and works.

Could anyone think from where to start the troubleshooting in this situation? I am thinking to make a rule so I can access the AppVM1 web page from an AppVM which is connected to sys-net (AppVM1 is connected to sys-firewall).
I know, the rule in sys-firewall is specific for requests that come from 192.168.10.0/24. But I can create another rule where the requests come from 10.127.0.0/24 just for testing purposes, to understand if further in sys-firewall and AppVM1 the config works.

What’s the output of this command in sys-net, sys-firewall and AppVM1?

sudo nft list ruleset

I don’t want to put the entire nft tables here. Could you please send me a direct message and I will put the unaltered content there?

for context: I sent to @apparatus the nft rulesets in private so I don’t need to [redact] them here and there…

The rules seem correct and we started troubleshooting.
First advice was to remove ip saddr 192.168.10.0/24 which I did. No change in the behavior.

Using tcpdump dst <IP_on_wls6f0> and dst port <AppVM1_port> on sys-net I can see packets coming through. I tried this also from the other side of RouterB or from the same network created by RouterB. So the connection doesn’t seem to reach the sys-firewall.

Do you see the nftables rule counter increasing in sys-net for the rules in custom-forward and custom-dnat-qubeDEST chains when you try to connect to your server in AppVM1 from another device?
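Checking whether the counters in custom-dnat-qubeDEST and custom-forward move is easier with two JSON snapshots of the ruleset (`sudo nft -j list ruleset`, taken before and after a connection attempt) than by eyeballing the text output. The script below is an added example, not from the Qubes docs or from anyone in this thread: it reads the JSON that nft emits, picks out the counter expression of every rule in the named chains, and reports which chains saw packets between the two snapshots. The embedded snapshots are constructed sample data (table `qubes`, handles 12 and 13, and the IPs are placeholders), shaped like real `nft -j` output, and describe the case where the DNAT rule fires but the forward rule does not.

```python
"""Diff nft rule counters between two `nft -j list ruleset` snapshots.
Added example; the JSON below is constructed, not captured from a real sys-net."""
import json

CHAINS = ("custom-dnat-qubeDEST", "custom-forward")


def rule_counters(ruleset_json, chains=CHAINS):
    """Return {(table, chain, handle): (packets, bytes)} for every rule in the
    named chains that carries a counter expression."""
    out = {}
    for item in json.loads(ruleset_json)["nftables"]:
        rule = item.get("rule")
        if not rule or rule.get("chain") not in chains:
            continue
        for expr in rule.get("expr", []):
            counter = expr.get("counter")
            if counter is not None:
                key = (rule["table"], rule["chain"], rule["handle"])
                out[key] = (counter["packets"], counter["bytes"])
    return out


def counter_delta(before, after):
    """Packet-count growth per rule between two snapshots (only rules present
    in both, only those that grew)."""
    return {k: after[k][0] - before[k][0]
            for k in after if k in before and after[k][0] > before[k][0]}


def hit_report(before_json, after_json, chains=CHAINS):
    """Map each chain name to True if any of its rules counted new packets."""
    delta = counter_delta(rule_counters(before_json, chains),
                          rule_counters(after_json, chains))
    chains_hit = {chain for (_, chain, _) in delta}
    return {chain: chain in chains_hit for chain in chains}


def _snapshot(dnat_packets, fwd_packets):
    """Build a constructed nft -j style ruleset with the given counter values."""
    return json.dumps({"nftables": [
        {"metainfo": {"version": "1.0.0", "json_schema_version": 1}},
        {"table": {"family": "ip", "name": "qubes", "handle": 1}},
        {"rule": {"family": "ip", "table": "qubes", "chain": "custom-dnat-qubeDEST",
                  "handle": 12, "expr": [
                      {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                                 "right": 8989}},
                      {"counter": {"packets": dnat_packets, "bytes": dnat_packets * 60}},
                      {"dnat": {"addr": "10.137.0.7"}}]}},
        {"rule": {"family": "ip", "table": "qubes", "chain": "custom-forward",
                  "handle": 13, "expr": [
                      {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "daddr"}},
                                 "right": "10.137.0.7"}},
                      {"counter": {"packets": fwd_packets, "bytes": fwd_packets * 60}},
                      {"accept": None}]}},
    ]})


# Constructed snapshots: before any connection attempt, and after one.
BEFORE = _snapshot(0, 0)
AFTER = _snapshot(4, 0)

if __name__ == "__main__":
    # On a real system: sudo nft -j list ruleset > before.json; connect; > after.json
    print(hit_report(BEFORE, AFTER))
```

A report of `{'custom-dnat-qubeDEST': True, 'custom-forward': False}` means the DNAT rule matched but the rewritten packet never matched the forward rule, which points at the forward rule's match fields (daddr, dport, ct state, interface) rather than at RouterB or the downstream qube.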

yes, now it counts. Testing from the same network and from the other side of RouterB I’ve realised it was a wrong forward rule in the RouterB which I resolved.
Now I can see packets in nft table rule, I can see packets coming on my Qubes IP and the destination port when I use tcpdump.
I went further to check sys-firewall and there are 0 packets received. So I assume there is something wrong maybe in sys-net because it is not forwarding the packets further?
What tcpdump filter to use in sys-firewall to be sure to filter the packets that I’m expecting?
I used: tcpdump dst 10.137.0.7 and dst port 8989 but there’s nothing coming.
I also used: tcpdump -i eth0 dst 10.137.0.18 this is the AppVM1 IP

Just tried another tcpdump filter and I can see requests coming on sys-firewall:
tcpdump -i eth0 dst 10.137.0.7 and dst port 8989 - this is the firewall IP and the destination port

Using tcpdump at the same time on sys-net, sys-firewall and AppVM1 I can see packets are going through sys-net, reaching sys-firewall but not coming in AppVM1
I used: tcpdump -i eth0 dst 10.137.0.18 and dst port 8989 and there are no packets coming on AppVM1

What is the source IP address in the tcpdump for the packets to your server in AppVM1 from another device? Is it from 192.168.10.0/24 subnet?

The source is the same in sys-net and sys-firewall. It’s the IP address of the requestor which is above RouterB, so on RouterA network where RouterB is connected. Or maybe I didn’t understand the question…

Then change 192.168.10.0/24 in all your nftables rules to the subnet of your RouterA. Or add rules for the subnet of your RouterA in addition to 192.168.10.0/24.