Qubes get their own device when connecting to my net qube, bypassing my routings. How can i enforce my routing on them

Urist · May 6, 2024, 11:40pm

Hello!

I’m working on a proxy-related project (I’ll post here if it works and I deem it valuable enough to share! I don’t think it will be, however) and I’ve run into an issue

I’ve got everything working on the qube’s network itself. But, when a new qube connects, it gets its own device, complete with its own eth0 connection. From my testing, no http traffic touches iptables?

Ideally, either my iptables rules will apply to all devices (which it doesn’t seem to do)

iptables -t nat -A PREROUTING -p tcp --dport 11371 -j REDSOCKS
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDSOCKS
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDSOCKS

I’m not a iptables god, but i presume it usually goes on SQL logic. With reducing scope. You’ll notice, no device was specified, so shouldn’t it apply to all devices?

I am logging every chain, and sometimes the qube will touch it, but certainly not when new https connections are established…

nokke · May 7, 2024, 12:06am

Have you looked at the nftables rules? The default rules were migrated there away from iptables iirc, and it looks like it’s not the same underlying data and I don’t know what happens when both are active.

sudo iptables-save is empty on one of my qubes, while sudo nft list ruleset gives a lot of output.

They look very similar but I’m not nearly as familiar with nftables commands and can’t give you equivalents for what you’ve written, but this might be enough to see if your traffic’s being caught by an nft rule before it gets to iptables.

Urist · May 7, 2024, 12:06pm

You are correct… I must figure out how to write my own nft ruleset. This may be hard, but I have faith in myself lol

Urist · May 7, 2024, 7:36pm

Yeah I have no idea what im doing, does anyone have a good reference?

apparatus · May 7, 2024, 7:50pm

I’d suggest using sing-box instead of redsocks:

I’m not sure that redsocks supports nftables.
It seems that you have to use iptables for redsocks:

github.com/darkk/redsocks

redsocks not forwarding proxy requests in RHEL 8

opened 05:52PM - 25 Mar 21 UTC

closed 12:19PM - 19 May 21 UTC

justinschw

I am trying to figure out what the cause is. It worked flawlessly for me in debi…an. I am running RHEL 8 right now, and I set up redsocks in exactly the same way to try and transparently proxy to squid. Here is my redsocks.conf: ``` base { log_debug = off; log_info = on; log = "file:/var/log/redsocks.log"; daemon = on; user = redsocks; group = redsocks; redirector = iptables; } redsocks { local_ip = 127.0.0.1; local_port = 12345; ip = 127.0.0.1; port = 3128; type = http-connect; } ``` Here are the iptables commands I use: ``` iptables -t nat -A OUTPUT -m owner --uid-owner justin -p tcp --dport 80 -j REDIRECT --to-port 12345 iptables -t nat -A OUTPUT -m owner --uid-owner justin -p tcp --dport 443 -j REDIRECT --to-port 12345 ip6tables -t nat -A OUTPUT -m owner --uid-owner justin -p tcp --dport 80 -j REDIRECT --to-port 12345 ip6tables -t nat -A OUTPUT -m owner --uid-owner justin -p tcp --dport 443 -j REDIRECT --to-port 12345 ``` In the redsocks logs I can see that new connections are coming in, but nothing else. ``` 1616694520.847829 notice main.c:165 main(...) redsocks started, conn_max=32768 1616694605.629614 info redsocks.c:1243 redsocks_accept_client(...) [10.0.0.169:33050->52.39.165.66:443]: accepted 1616694606.421735 info redsocks.c:1243 redsocks_accept_client(...) [10.0.0.169:45062->172.217.2.4:443]: accepted 1616694606.682479 info redsocks.c:1243 redsocks_accept_client(...) [10.0.0.169:45066->172.217.2.4:443]: accepted ``` On the client side, the connection just spins for a while before timing out. When I look at a pcap, I can see the connect requests coming into squid, but no handshake, etc. Any idea where to start looking? I can connect to the squid proxy manually and it works fine, so it is hard to imagine that squid is the problem. I disabled SELinux to see if that was causing problems, that didn't help.

Urist · May 7, 2024, 8:14pm

This probably explains why every time i got it to successfully forward, it would die and tcpdump would show nothing! Thank you!