Sys-firewall custom NAT rules for pihole


I noticed sys-firewall is now disposable by default, which means everything is gone after a reboot. I need to add some NAT rules for my pihole qube to redirect DNS traffic to pihole.

I studied the documentation here, Firewall | Qubes OS, but it seems it does not reflect the recent change of sys-firewall to a DispVM, as it recommends writing the rules to /rw/config/qubes-firewall-user-script or /rw/config/rc.local; both of these files are lost after a reboot.

So far I ended up with an easy script which I added to the desktop and execute after a notebook reboot. My pihole qube is Debian 11 with IP

Script on dom0:

PIHOLE_IP=$(qvm-prefs pihole ip)  # assumes the qube is named "pihole"; the address was stripped from the post and is used for both the -s exclusion and the DNAT target
qvm-run --pass-io sys-firewall -- 'sudo tee /rw/config/qubes-firewall-user-script' <<EOF
#!/bin/sh
iptables -I FORWARD -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -p tcp --dport 53 -j ACCEPT
iptables -t nat -F PR-QBS
iptables -t nat -I PR-QBS -i vif+ -p udp ! -s $PIHOLE_IP --dport 53 -j DNAT --to-destination $PIHOLE_IP
iptables -t nat -I PR-QBS -i vif+ -p tcp ! -s $PIHOLE_IP --dport 53 -j DNAT --to-destination $PIHOLE_IP
EOF
qvm-run --pass-io sys-firewall -- 'sudo chmod +x /rw/config/qubes-firewall-user-script && sudo /rw/config/qubes-firewall-user-script'

And it works, but I wanted to know if there is a better way to achieve this.

Thank you for help.

Best regards,
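
The following is an added example, not code from the thread above or from Qubes OS. It renders the same iptables rules as the post into a /rw/config/qubes-firewall-user-script that can be run more than once without duplicating rules (each insert is guarded by an `iptables -C` check), validates the pihole address before it becomes a DNAT target, and is meant to be written into the disposable template that sys-firewall is created from (the qube reported by `qvm-prefs sys-firewall template`), not into the running sys-firewall: a disposable inherits its template's /rw, so the user script survives every sys-firewall restart and qubes-firewall runs it at start. Assumptions: sys-firewall still uses iptables with the PR-QBS chain exactly as in the post, and the pihole qube's IP is passed as the first argument, since the value was stripped from the post. The flush of PR-QBS is kept as in the post.

```shell
#!/bin/sh
# Added example (not from the thread or from Qubes OS): render an idempotent
# /rw/config/qubes-firewall-user-script that redirects downstream DNS to a
# pihole qube. Assumes the iptables-based Qubes firewall with the PR-QBS chain
# (as in the post) and takes the pihole qube's IPv4 address as $1.

# Accept only a dotted quad with octets 0-255; anything else returns 1 so a
# typo cannot end up as the --to-destination of a DNAT rule.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the user script to stdout. Every rule goes through ensure(), which
# inserts it at the top of the chain only if an identical rule is not already
# there, so running the script twice (qubes-firewall at start plus a manual
# run) does not stack duplicate rules.
render_user_script() {
    ip=$1
    valid_ipv4 "$ip" || { echo "invalid pihole IP: $ip" >&2; return 1; }
    cat <<EOF
#!/bin/sh
# Redirect DNS from downstream qubes (vif+) to the pihole qube at $ip.
# ensure TABLE CHAIN RULE...: insert RULE at the top of CHAIN unless present.
ensure() { t=\$1; c=\$2; shift 2; iptables -t "\$t" -C "\$c" "\$@" 2>/dev/null || iptables -t "\$t" -I "\$c" "\$@"; }
ensure filter FORWARD -p udp --dport 53 -j ACCEPT
ensure filter FORWARD -p tcp --dport 53 -j ACCEPT
iptables -t nat -F PR-QBS
ensure nat PR-QBS -i vif+ -p udp ! -s $ip --dport 53 -j DNAT --to-destination $ip
ensure nat PR-QBS -i vif+ -p tcp ! -s $ip --dport 53 -j DNAT --to-destination $ip
EOF
}

# When run with an address, print the generated script; with no argument the
# file only defines the functions above.
if [ $# -ge 1 ]; then
    render_user_script "$1"
fi
```

Usage: inside the disposable template of sys-firewall, run something like `sh render-dns-rules.sh 10.137.0.20 | sudo tee /rw/config/qubes-firewall-user-script && sudo chmod +x /rw/config/qubes-firewall-user-script` (the address is a placeholder for the real pihole IP), then restart sys-firewall so a fresh disposable picks the file up. The `! -s $ip` exclusion matters: without it the pihole qube's own upstream queries would be DNATed back to itself.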

qvm-prefs offers to change the DNS settings of a qube, but so far I couldn't get it to work:

[user@dom0 ~]$ qvm-prefs sys-xyz dns
qvm-prefs: error: property 'dns' on DispVM instance cannot be set

Another thing: I took a look into the init script of /usr/libexec/xen/boot/qemu-stubdom-linux-full-rootfs, and it looks like and .2 are not hardcoded but dynamically fetched in the initramfs at runtime with xenstore-read and xenstore-list and passed to a stubdom udhcpd. Somewhere in the Qubes docs it is said that this works for MS Windows but might not work for some Linux distros.

Anyway, some prefs can be set, others obviously not. If you find a way to set the DNS prefs, please let us know.