
Clarify firewall documentation regarding custom NAT rules

Open sjug opened this issue 3 years ago • 6 comments

Background

"In ProxyVMs (or app qubes with qubes-firewall service enabled), scripts placed in the following directories will be executed in the listed order followed by qubes-firewall-user-script at start up. Good place to write custom firewall rules." (config files)

"... for all qubes except those supplying networking, iptables commands should be added to the /rw/config/rc.local script. For app qubes supplying networking (sys-firewall inclusive), iptables commands should be added to /rw/config/qubes-firewall-user-script." (firewall)

Qubes OS release

R 4.1.1

Brief summary

I am trying to set my own NAT rules for a VPN app qube. The VPN app qube provides network for other appvms, and I have also enabled the qubes-firewall service to see if that causes the script to be run (it doesn't). If I move the iptables commands to rc.local, it works as expected.

Steps to reproduce

  1. Create appvm to use as a network providing qube (Advanced > Provides network), set up the VPN etc.
  2. Set the new vpn qube as a netvm for another appvm.
  3. Enable qubes-firewall service (optional?)
  4. In the qubes-firewall-user-script modify PR-QBS in the NAT table: iptables -A PR-QBS -t nat ...
  5. Check nat table: iptables -nvL -t nat

Expected behavior

We expect to see the qubes-firewall-user-script execute at least on boot, and add a rule to the nat table, PR-QBS chain.

Actual behavior

Does not seem to execute or have any effect.

Similar issues

https://github.com/QubesOS/qubes-issues/issues/3260

sjug avatar Jul 26 '22 21:07 sjug

Can you confirm that you can set other chains? (I am confident that you will be able to do so.)

unman avatar Jul 27 '22 00:07 unman

@unman You're correct, I created a new chain and it is created by qubes-firewall-user-script. I suppose this means that the qubes-firewall-user-script is executed before whatever creates the PR-QBS chain? Is there any way to modify existing chains other than rc.local? AFAIK the qubes-firewall-user-script is the last configurable firewall script location that is run.

sjug avatar Jul 27 '22 16:07 sjug

On Wed, Jul 27, 2022 at 09:17:03AM -0700, Sebastian Jug wrote:

@unman You're correct, I created a new chain and it is created. I suppose this means that the qubes-firewall-user-script is executed before whatever creates the PR-QBS chain and it's overwritten? Is there any way to modify existing chains other than rc.local?

I think you are right. You can modify this from a (late starting) nft script, called from systemd. But that means there is an open window before the script is run - not an issue if it is permissive.

unman avatar Jul 29 '22 12:07 unman

This is no bug, but a user error / misunderstanding. Please close.

@sjug The qubes-firewall-user-script is executed once on Qubes firewall start as documented. If you want your own NAT rules, you can place them at whatever time in the PREROUTING chain before PR-QBS. However you are not supposed to modify PR-QBS. That is fully managed by Qubes OS at runtime and will change over time. If you do some stuff in there, don't be surprised that it disappears.

3hhh avatar Jul 30 '22 08:07 3hhh
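A way to keep custom NAT rules out of the Qubes-managed chain, as an added example that is not from the thread or from Qubes OS itself: it inserts the rules at position 1 of nat/PREROUTING, which is always ahead of the PR-QBS jump, and checks with `-C` first so a rerun of the script does not duplicate them. The DNS redirect, the resolver address 10.8.0.1 and the `vif+` downstream interface match are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a /rw/config/qubes-firewall-user-script
# that inserts custom NAT rules into nat/PREROUTING *ahead of* the Qubes-managed
# PR-QBS jump, instead of appending to PR-QBS (which Qubes rewrites at runtime).
# Assumptions (constructed): the VPN pushes a resolver at 10.8.0.1 (placeholder)
# and downstream qubes arrive on vif* interfaces.

VPN_DNS="${VPN_DNS:-10.8.0.1}"
IPT="${IPT:-iptables}"

# Dry-run stand-in for iptables: prints the command instead of running it and
# reports "rule absent" for -C so the insert path is exercised.
dry_ipt() {
    echo "iptables $*"
    case " $* " in *" -C "*) return 1 ;; esac
    return 0
}

# Insert a rule at position 1 of nat/PREROUTING unless it is already present.
# Checking with -C first keeps the script idempotent if it is executed again.
ensure_prerouting_rule() {
    if "$IPT" -t nat -C PREROUTING "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -t nat -I PREROUTING 1 "$@"
}

# Redirect downstream DNS (UDP and TCP) to the VPN resolver. Position 1 is
# always before the PR-QBS jump, so the rules survive Qubes rebuilding PR-QBS.
apply_vpn_nat_rules() {
    if [ "${DRY_RUN:-0}" = 1 ]; then IPT=dry_ipt; fi
    for proto in udp tcp; do
        ensure_prerouting_rule -i 'vif+' -p "$proto" --dport 53 \
            -j DNAT --to-destination "$VPN_DNS"
    done
}

# Apply only when installed under the firewall user script name; otherwise the
# functions are just defined (preview with DRY_RUN=1 apply_vpn_nat_rules).
case "${0##*/}" in
    qubes-firewall-user-script) apply_vpn_nat_rules ;;
esac
```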

I believe this is a documentation bug, and should be left open until that has been resolved. Changing the title to reflect the actual issue would be helpful, and changing tags.

unman avatar Jul 30 '22 10:07 unman

If anyone reading this is able to help with the documentation here, please feel free to open a PR.

For those who are not already aware, the documentation is a community effort, and everyone is welcome to contribute. That's often how things like this get updated. You can read more about how to submit documentation changes here:

https://www.qubes-os.org/doc/how-to-edit-the-documentation/

You may also be interested in the documentation style guide:

https://www.qubes-os.org/doc/documentation-style-guide/

andrewdavidwong avatar Jul 30 '22 20:07 andrewdavidwong