Should `iptables` already be installed in Qubes?

Mullvad support has told me to run a command in a Proxy-vm that isn’t working.

I try, but this happens:

user@proxy-vm:~$ iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
bash: iptables: command not found

Mullvad is “Qubes-aware”, so I’m surprised that they would instruct me to use an application I don’t have.

Should iptables already be installed in Qubes?

You need to use sudo with iptables.

The answer depends on what you mean by “in Qubes”.

Remember that each qube (or virtual machine) has its own operating system and is isolated from the others.

Some qubes that are created during a default Qubes OS installation have iptables installed.

For example, running which iptables in sys-firewall should print something. (The location of iptables.)

When it comes to proxy-vm, it really depends on how you created it. From the output you provided in your post, it seems like installing iptables wasn’t part of the steps you took when creating the qube, or maybe you missed that step. I would expect that running which iptables in your proxy-vm would currently print nothing.

If you want iptables to be available in proxy-vm I would suggest:

  • verifying that you didn’t miss a step in the instructions that you followed to create it
  • then installing it, as you would install any other program (docs)

After installing iptables, you can verify that it is indeed available by verifying that running which iptables in your proxy-vm prints something. :slightly_smiling_face:


Edit: @disp6252 also makes a good point!

Good question.
The answer is “Yes, iptables is already installed in Qubes”
That is, it is installed by default in the main Fedora and Debian templates.

You don’t say how you created your Proxy - if it is based on a minimal template, then iptables will have been pulled in when you installed qubes-core-agent-networking

As @disp6252 points out, you need root access - either calling it with sudo iptables.. , opening a root terminal, or getting root using sudo su

There’s another sense of the question - Should iptables be installed in Qubes?
I feel the answer to this should be “No”, and there is active work to remove the old iptables code from Qubes. iptables is old and deprecated: it has been replaced by nftables. When you use iptables in Qubes, you are using a compatibility layer that uses the old iptables pattern syntax and the new nftables kernel API. You can confirm this with iptables -V which should show iptables..(nf_tables). This has the advantage that you can use iptables commands and the rules will be available in nft list. At some point users will have to transition to using nft - I suggest they start now.

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

I find myself in the following situation.

  • used Mullvad’s guide using OpenVPN to set up a Proxy-vm
  • (it uses the full Debian 11 template, not minimal)
  • it doesn’t work. I can ping 8.8.8.8 and www.google.com, but no firefox connectivity in App-vm.
  • Mullvad support thinks I should use iptables to troubleshoot. They didn’t mention sudo, but when it didn’t work, they say I don’t have it installed.

Meanwhile,

iptables v1.8.7 (nf_tables)
user@proxy-vm:~$ sudo which iptables
/usr/sbin/iptables
  • I haven’t had a response from Mullvad since (although weekends and timezones need to be taken into account). I only get one message per 24h from them.

You will be fine just using sudo iptables for troubleshooting.

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

Thank you @unman

Except repeating Mullvad support’s command (top post) - this time with sudo (thanks @disp6252) - gets nothing returned:

user@Proxy-vm:~$ sudo iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
user@Proxy-vm:~$

Just an empty line.

Silence usually means success on the Linux command line @tree!

Unless you specifically expect the command you run to print something, the fact that you see a new command prompt usually means everything went right and the terminal is ready to receive your next command.

Without being familiar with iptables, I’m pretty sure that’s what you’re seeing here. Others will be able to confirm. :slightly_smiling_face:
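Putting the two answers above together (@unman’s point that the iptables in a Qubes template is the nf_tables compatibility layer, and @gonzalo-bulnes’s point that a silent return is normally success), here is an added shell example. It is not from the thread, from Mullvad’s guide, or from the Qubes project: it classifies the backend from `iptables -V`, adds the MSS clamp rule only when it is not already present, and then checks the FORWARD chain instead of trusting the silence. Assumed rather than taken from the thread: an iptables 1.8.x nf_tables build as in the Debian 11 template, the `iptables -S` output format, the nft rendering that `iptables-translate` produces for this rule, and the constructed sample listing.

```shell
#!/bin/sh
# Added example, not from the thread or from Mullvad's guide. Assumes the
# iptables 1.8.x nf_tables build shipped in the Debian 11 template and that
# the script runs inside the proxy qube, where root is obtained via sudo.

# On Debian a regular user's PATH lacks /usr/sbin, which is where iptables
# lives; extend it so read-only checks resolve the binary without sudo.
PATH="$PATH:/usr/sbin:/sbin"

# Classify the backend from `iptables -V` output: nf_tables, legacy or unknown.
iptables_backend() {
    case "$1" in
        *'(nf_tables)'*) printf '%s\n' nf_tables ;;
        *'(legacy)'*)    printf '%s\n' legacy ;;
        *)               printf '%s\n' unknown ;;
    esac
}

# The rule Mullvad support asked for, minus the -A so it can be reused with -C.
MSS_RULE='FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'

# Add the rule only if an identical one is not already there. `iptables -C`
# exits 0 when the rule exists and 1 when it does not, so re-running this
# does not stack duplicates the way repeated `-A` would. Needs root.
add_mss_clamp() {
    sudo iptables -C $MSS_RULE 2>/dev/null || sudo iptables -A $MSS_RULE
}

# Given the text of `sudo iptables -S FORWARD`, report whether the clamp is
# present. This is the check to run after the silent `-A`: exit status 0 only
# says the kernel accepted the command; listing the chain shows what it holds.
forward_has_mss_clamp() {
    printf '%s\n' "$1" | grep -q -- '-j TCPMSS --clamp-mss-to-pmtu'
}

# Native nft spelling of the same rule, as iptables-translate renders it on
# iptables 1.8.x (assumed here, not taken from the thread). Because the
# template's iptables is the nf_tables compatibility layer, the rule added
# with iptables above already appears in `sudo nft list ruleset`; do not add
# it a second time with nft as well.
nft_mss_clamp_rule() {
    printf '%s\n' 'nft add rule ip filter FORWARD tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu'
}

# Constructed sample of `sudo iptables -S FORWARD` after a successful -A
# (iptables itself inserts the `-m tcp`); not captured from a real qube.
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'

# Live check, run only where an iptables binary exists; -V needs no root.
if command -v iptables >/dev/null 2>&1; then
    printf 'backend: %s\n' "$(iptables_backend "$(iptables -V 2>/dev/null)")"
fi
```

Inside the proxy qube, run `add_mss_clamp` once, then `forward_has_mss_clamp "$(sudo iptables -S FORWARD)" && echo present` to confirm the rule landed. The `command not found` in the first post is consistent with Debian’s default PATH for regular users, which omits `/usr/sbin`; `sudo` uses its own secure path, which is why `sudo which iptables` finds `/usr/sbin/iptables` while plain `iptables` does not.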

thanks @gonzalo-bulnes , I hadn’t even considered silence as golden!

I guess I’m running at the limits of my knowledge and Mullvad support’s advice.
