Hi, I am currently learning about nft and trying to understand how it is used in combination with Qubes OS. The networking docs contain the following sentence:
[…] routed networking is used instead of the default bridging of vif devices and NAT is applied at each network hop.
As I interpret it, Qubes uses Source NAT or IP masquerading in each netVM for security reasons.
More concretely: some qube A wants to visit the domain qubes-os.org. To do so, it first goes through netVM B, like sys-firewall. B then replaces the packet's source IP (that of qube A) with its own IP and forwards it either to another netVM or, lastly, to the NIC and the internet (the inverse for the reply).
Now the question is: where is this NAT defined? I tried it out by invoking, e.g. in sys-firewall:
```
root@sys-firewall:~# nft list ruleset ip
table ip qubes {
    ...
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifgroup 2 accept
        oif "lo" accept
        masquerade
    }
    ...
}
```
Does masquerade within the postrouting hook provide said SNAT?
If so, I'd imagine the basic flow looks like this:
- Qube A uses its default gateway route to send its request/packet to netVM B.
- This packet goes through B's prerouting → forward → postrouting Netfilter kernel hooks.
- In the last, postrouting hook, the netVM finally performs the actual SNAT, replacing the packet's source IP.
Assuming the above is correct, I am also wondering if NAT matters that much security-wise. If a qube gets corrupted, these firewall rules can't be taken seriously anymore, incl. masquerade. Or does Qubes OS enforce SNAT in a stricter way, by Xen or some other layer above?
Corrections and answers are welcome!
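To make the three-hook flow described in the post concrete, here is a minimal standalone nftables ruleset that does source NAT the same way the quoted `masquerade` rule does. It is an added illustration written for this thread, not the `qubes` table shipped by Qubes OS: the interface names (`vif0` towards the downstream qube, `eth0` towards the upstream hop) and the table name `example_nat` are assumptions chosen for the example, and the forward chain is deliberately stricter than the `policy accept` shown above so the packet path is visible.

```nft
#!/usr/sbin/nft -f
# Added example ruleset, not the Qubes OS "qubes" table.
# Assumed interfaces: "vif0" = link to the downstream qube, "eth0" = upstream.
flush ruleset

table ip example_nat {

    # Hook 1: prerouting. First hook a packet arriving from the downstream
    # qube passes in this netVM, before the routing decision. Nothing is
    # rewritten here for outbound traffic; this is where DNAT would live.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
    }

    # Hook 2: forward. Reached only by packets that are routed through this
    # host (not addressed to it). Allow new flows from the qube side towards
    # upstream, and replies that conntrack already knows about.
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "vif0" oifname "eth0" ct state new accept
    }

    # Hook 3: postrouting. Last hook before the packet leaves on eth0.
    # "masquerade" replaces the source address with the address currently
    # configured on the outgoing interface and records the original
    # src/dst tuple in conntrack. NAT chains only see the first packet of a
    # flow; later packets, and the reply in the other direction, are
    # translated from that conntrack entry, which is the "inverse for reply".
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" masquerade
    }
}
```

Load it with `nft -f example.nft` (as root, on a throwaway VM, since `flush ruleset` discards whatever is loaded) and confirm with `nft list table ip example_nat`. While a downstream flow is active, `conntrack -L` from conntrack-tools prints the entry with both tuples, the original one with the qube's source address and the reply tuple carrying the netVM's address, which is the mapping the reply packet is rewritten from. Because the translation lives in the netVM's kernel, a ruleset change in the netVM itself is what would alter it; a downstream qube only sees the already-rewritten packets.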