Sing-box with new firewall [4.2]

User Support
1

Greetings to the community!
I have been using your system for a long time, but had the indiscretion))) to upgrade to version 4.2. I’m in Russia, we have a question of access to various services, now actively blocked wireguard connections for the last half a year, to bypass blocking I use shadowsocks, vless, etc. This is currently blocked badly.
I had a cube configured for sing-box connection, which went on to other working cubes, to sys-whonix and so on. But I had the indiscretion to upgrade to version 4.2 without recognizing that there was a switch to nftables. I’ve been using [GitHub - hexstore/qubes-proxy: 集成通用代理工具(sing-box)在Qubes OS | mirror of https://git.sr.ht/~qubes/proxy](https://sys-proxy with sign-box) for a long time, but now the rules don’t work. I have tried different options, clash and so on do not suit me very well, as described in this manual , I am more used to working with sing-box and xray kernels.
I read the new notes about using nftables, I wrote and tried for a long time, but I still can’t get the previous one to work, I’ll attach my own developments, maybe something has changed at a deeper level and I’m not quite skilled at it. I apologize for my probably not very good English, I hope someone will also find my topic helpful in solving their questions. Thank you!

Summary

. /var/run/qubes/qubes-ns

ns=$(grep -v ‘^#’ /etc/resolv.conf | grep nameserver | awk ‘{print $2}’)
if [ -z “${NS1}” ]; then
NS1=$(echo “${ns}” | cut -d " " -f 1) # например, 10.139.1.1
fi
if [ -z “${NS2}” ]; then
NS2=$(echo “${ns}” | cut -d " " -f 2) # например, 10.139.1.2
fi

nft flush chain ip qubes output
nft add rule ip qubes forward drop # По умолчанию запрещаем пересылку
nft add rule ip qubes forward oifname “eth0” drop
nft add rule ip qubes forward iifname “eth0” drop

nft flush chain ip qubes qbs-forward
nft add chain ip qubes qbs-forward
nft add rule ip qubes qbs-forward oifname “tun+” tcp flags syn,rst syn counter tcp option maxseg size set rt mtu
nft add rule ip qubes qbs-forward iifname “vif+” oifname “tun+” accept
nft add rule ip qubes qbs-forward drop

nft add rule ip qubes input iifname “tun+” accept
nft add rule ip qubes input drop

if [ -n “${NS1}” ]; then
nft add rule ip qubes input iifname “tun+” udp sport 53 ip saddr “${NS1}” ct state established accept
nft add rule ip qubes input iifname “tun+” tcp sport 53 ip saddr “${NS1}” ct state established accept
fi
if [ -n “${NS2}” ]; then
nft add rule ip qubes input iifname “tun+” udp sport 53 ip saddr “${NS2}” ct state established accept
nft add rule ip qubes input iifname “tun+” tcp sport 53 ip saddr “${NS2}” ct state established accept
fi

nft delete rule ip qubes input iifname “vif+” icmp type echo-request counter accept
nft add rule ip qubes input iifname “vif+” reject with icmp type host-prohibited
nft add rule ip qubes input icmp type echo-request drop

nft add rule ip qubes input tcp flags fin,syn,rst,psh,ack,urg none drop
nft add rule ip qubes input tcp flags fin,syn,rst,psh,ack,urg fin,syn,rst,psh,ack,urg drop
nft add rule ip qubes input frag not fragment drop
nft add rule ip qubes input tcp flags syn,rst syn,rst drop
nft add rule ip qubes input tcp flags fin,syn fin,syn drop
nft add rule ip qubes input tcp flags fin,syn,rst,psh,ack,urg fin,syn,rst,ack drop
nft add rule ip qubes input ct state invalid drop

nft add rule ip qubes output ct state established accept
nft add rule ip qubes output tcp flags fin,syn,rst,psh,ack,urg none reject with icmp type admin-prohibited
nft add rule ip qubes output tcp flags fin,syn,rst,psh,ack,urg fin,syn,rst,psh,ack,urg reject with icmp type admin-prohibited
nft add rule ip qubes output frag not fragment reject with icmp type admin-prohibited
nft add rule ip qubes output tcp flags syn,rst syn,rst reject with icmp type admin-prohibited
nft add rule ip qubes output tcp flags fin,syn fin,syn reject with icmp type admin-prohibited
nft add rule ip qubes output tcp flags fin,syn,rst,psh,ack,urg fin,syn,rst,ack reject with icmp type admin-prohibited
nft add rule ip qubes output ct state invalid reject with icmp type admin-prohibited

2

I have the same problem,and try the other project,but not Succeed,you can try this ,or anyone have better solution,Thanks a lot.

3

Not sure why apparently everyone has issues with the nftables firewall…

Here’s what I use for my VPN forwarding:

#!/bin/bash

FW_CHAIN="my_chain_name"

local rules=
rules="$(nft list ruleset)" || errorOut "Failed to read the nft ruleset."

if [[ "$rules" == *"chain custom-forward "* ]] ; then # >= Qubes 4.2
   (
   set -e
   nft add chain ip "qubes" "$FW_CHAIN"
   nft flush chain ip "qubes" "$FW_CHAIN"
   #allow forwarding to VPN tunnel
   nft add rule ip "qubes" "$FW_CHAIN" iifname "vif*" oifname "tun*" counter accept
   nft add rule ip "qubes" "$FW_CHAIN" iifname "tun*" oifname "vif*" counter accept
   #disallow some weird combinations
   nft add rule ip "qubes" "$FW_CHAIN" iifname "tun*" oifname "eth*" counter drop
   nft add rule ip "qubes" "$FW_CHAIN" iifname "eth*" oifname "tun*" counter drop
   nft add rule ip "qubes" "$FW_CHAIN" iifname "vif*" oifname "eth*" counter drop
   nft add rule ip "qubes" "$FW_CHAIN" iifname "eth*" oifname "vif*" counter drop
   #use Qubes OS policy otherwise
   ) || errorOut "Failed to execute the rules for the nft chain $FW_CHAIN."

   #we only re-create it, if it's not already there
   if [[ "$rules" != *"jump $FW_CHAIN"* ]] ; then
     nft insert rule ip "qubes" "custom-forward" counter jump "$FW_CHAIN" || errorOut "Failed to reference the nft $FW_CHAIN chain."
   fi
4

I threw my customization in the Hide, but it doesn’t work for some reason, although it’s similar (as it seems to me) to what I had before.