Qubes firewall services for proxyVM

Hi all, I'm discovering Qubes 4.2 and have one question regarding networking/iptables.

I am used to deploying AppVMs based on little scripts I wrote for my personal use.
One of the scripts I had:

  • disabled qubes-iptables services on a proxyVM
  • executed its own script instead, based on a new systemd service unit file placed in basic.target.wants

But I noticed that basic.target.wants does not exist anymore in /etc/systemd/system/.

So, I tried to adapt without success.

Systemd unit file I had on Qubes 4.1 and deployed in the template:

[Unit]
Description=iptables with karli rules

[Service]
Type=oneshot
ExecStart=/sbin/iptables.sh
RemainAfterExit=false
StandardOutput=journal

[Install]
WantedBy=basic.target

And which I tried to replace with the following, in /etc/systemd/system/network-online.target.wants/karli-iptables in the template:

[Unit]
Description=iptables with karli rules

[Service]
Type=oneshot
ExecStart=/sbin/iptables.sh
RemainAfterExit=false
StandardOutput=journal

[Install]
WantedBy=multi-user.target

I tried different folders too, but I do not know why it does not work.

In the proxyVM, my rules are not pushed anymore at startup. When doing a systemctl start karli-iptables it applies my rules exactly as expected (which means it's just my systemd service that is not working). I just want the process to be automatic at startup and do not succeed.

The two units you pasted look the same.

/etc is not persistent in AppVMs, so any symlink (enabling of the unit) must either be done in the template, or the service must be started through any of the /rw/config mechanisms (rc.local or qubes-firewall.d).

What exactly are you trying to do?

P.S. 4.2 uses nftables only. No more iptables.

Thanks for the notification. Indeed, I made a copy-paste mistake in the second unit file. I edited: this is now right.

I know about nftables! I reinstalled iptables of course :stuck_out_tongue:
I also know about the non-persistent /etc. I may edit the initial post to reflect this aspect: I put the files in /etc on the template, so that in the AppVM (proxyVM) I can call systemctl start karli-iptables, which works perfectly.

What the script does: it deploys custom iptables rules that are in the /sbin/iptables.sh file. The problem is really one of starting it with systemd at startup (not about iptables magic).

The way Qubes sets up the firewall in domUs is not simple and is integrated with Xen, interface setup and routing stuff. Discarding all that completely and doing your own netfiltering kung fu from scratch can be quite challenging with unpredicted results.

One way to approach process startup is to have a systemd unit similar to /lib/systemd/system/qubes-firewall.service. Another way is to edit /etc/nftables.conf in the template.

A third way is to simply place your nftables script inside /rw/config/qubes-firewall.d and have the qubes-firewall service enabled. This way it will start your stuff before the network is up. No need for a unit file and no need to touch the template.

I would recommend the third way.
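As an added example of the third approach (not code from the thread or from Qubes itself): a script dropped into /rw/config/qubes-firewall.d that installs its own nftables table, so the qubes-* chains that qubes-firewall manages are never touched and the whole custom ruleset is replaced atomically on every run. The file name, the table name, the "vif*" downstream interface pattern, the chain priority and the chosen port are all assumptions.

```shell
#!/bin/sh
# Constructed example: /rw/config/qubes-firewall.d/50-karli (hypothetical name).
# qubes-firewall runs the executable files in this directory, so this script
# is re-run whenever Qubes reapplies its firewall. Keeping the custom rules in
# a dedicated table means re-running it is idempotent and leaves the "qubes"
# table alone.
set -eu

KARLI_TABLE="karli"   # assumed table name

# Emit the nftables ruleset as text. The "declare, delete, redefine" idiom
# makes `nft -f` replace the table atomically whether or not it exists yet.
karli_ruleset() {
    cat <<EOF
table inet ${KARLI_TABLE}
delete table inet ${KARLI_TABLE}
table inet ${KARLI_TABLE} {
    chain forward {
        # priority filter + 10: runs after the qubes forward chain (assumption);
        # an accept there does not skip this chain, a drop here is final
        type filter hook forward priority filter + 10; policy accept;
        # downstream qubes (vif* interfaces) must not reach SMB; log so the
        # attempt shows up in the proxyVM's kernel log for review
        iifname "vif*" tcp dport 445 log prefix "karli-smb-drop " counter drop
    }
}
EOF
}

# Apply the ruleset; outside a Qubes VM (no nft binary) just print it.
apply_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not found; printing ruleset instead of applying it" >&2
        karli_ruleset
        return 0
    fi
    karli_ruleset | nft -f -
}

apply_ruleset
```

After deploying, `sudo nft list table inet karli` in the proxyVM shows the counter, and `journalctl -k | grep karli-smb-drop` lists any blocked attempts.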
