Nftables?

I wanted to use my almost-non-existent nftables skills to recreate the famous Mullvad DNS rerouting script, since there are no iptables in the newer Qubes version; apparently it's not even installed and only nftables is available… yeah wth is that

type nat hook prerouting priority dstnat; policy accept;
    ip daddr 10.139.1.1 udp dport 53 dnat to 10.139.1.1
    ip daddr 10.139.1.1 tcp dport 53 dnat to 10.139.1.1
    ip daddr 10.139.1.2 udp dport 53 dnat to 10.139.1.2
    ip daddr 10.139.1.2 tcp dport 53 dnat to 10.139.1.2

As far as my limited knowledge goes, 10.139.1.{1,2} are rerouting DNS queries to the previous net-providing qube. Other than the fact that this sounds dangerous to me as a correlation point, having 2 parallel qube chains sourcing their DNS from the top of the tree (i.e. sys-net), nevertheless why are we pointing 10.139.1.1:53 to itself? Or am I missing something, like is it forwarding the next-qube-in-the-chain DNS traffic to the previous-qube-in-the-chain or something? I am completely confused here.

This is for the next qube in the chain, not the previous one. When a qube sends a DNS query, it is forwarded to its netvm and down the chain until it hits a “real” DNS server (like sys-net, which gets the router DNS from DHCP, or anything else that hijacks the DNS queries before it, like a VPN qube).

It looks confusing, but the “ip daddr” part just marks the supposed destination. Here it is used as a filter to say “if the destination address is 10.139.1.1(2) with protocol udp(tcp) on port 53, then do…”, so it is more specific than doing a global redirect of all requests from port 53 to 10.139.1.1(2).

In your case, you need to keep the first part of this request to redirect everything coming from 10.139.1.1(2) and change the dnat part to redirect queries to the Mullvad DNS IP.
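Putting the answer into a loadable form, as an added example (not code from the thread or from Qubes): a POSIX shell script that generates the four DNAT rules for a resolver address given on the command line, validates that address before it reaches nft, and loads the result. The table and chain names (`ip qubes` / `dnat-dns`) are assumed from Qubes 4.2; confirm them with `nft list table ip qubes` on your VPN qube before using the apply function.

```shell
#!/bin/sh
# Redirect DNS queries from downstream qubes to the VPN's resolver instead
# of the upstream netvm. Table/chain names assumed from Qubes 4.2.
set -eu

# Reject anything that is not a dotted-quad IPv4 address, so a mistyped or
# untrusted value cannot be spliced into the ruleset that nft executes.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Emit an nft script (for `nft -f -`) that DNATs port-53 traffic addressed
# to the two virtual DNS addresses Qubes hands to downstream qubes
# (10.139.1.1 and 10.139.1.2) to the resolver given as $1.
build_dns_dnat_rules() {
    vpn_dns=$1
    valid_ipv4 "$vpn_dns" || { echo "bad resolver address: $vpn_dns" >&2; return 1; }
    cat <<EOF
flush chain ip qubes dnat-dns
table ip qubes {
    chain dnat-dns {
        type nat hook prerouting priority dstnat; policy accept;
EOF
    for fake in 10.139.1.1 10.139.1.2; do
        for proto in udp tcp; do
            echo "        ip daddr $fake $proto dport 53 dnat to $vpn_dns"
        done
    done
    printf '    }\n}\n'
}

# Load the rules (root + nft required) and print the chain back so the
# dnat targets can be checked against what you intended.
apply_dns_dnat_rules() {
    build_dns_dnat_rules "$1" | nft -f -
    nft list chain ip qubes dnat-dns
}
```

Run `build_dns_dnat_rules <vpn-dns>` first to review the generated script; note that Qubes' own DNS setup may regenerate this chain when the upstream DNS changes, so re-check the chain after network changes.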

Just because I tend to be stupid: for my VPN I should just

    ip daddr 10.139.1.1 udp dport 53 dnat to <vpn-dns>
    ip daddr 10.139.1.1 tcp dport 53 dnat to <vpn-dns>
    ip daddr 10.139.1.2 udp dport 53 dnat to <vpn-dns>
    ip daddr 10.139.1.2 tcp dport 53 dnat to <vpn-dns>

I just have to ask for clarification; my nftables understanding is almost non-existent and I sometimes wish it had kept the iptables syntax.


Yes.


Sweet, thanks.
