Re: [qubes-devel] Re: Port Forward using iptables broken?

2018-02-25 Thread Alex Dubois
On Saturday, 10 February 2018 21:45:30 UTC, Marek Marczykowski-Górecki  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> On Fri, Feb 09, 2018 at 04:12:57PM -0800, joev...@gmail.com wrote:
> > On Friday, 9 February 2018 19:02:09 UTC-5, Alex Dubois  wrote:
> > > On Friday, 9 February 2018 23:59:52 UTC, Alex Dubois  wrote:
> > > > On Friday, 9 February 2018 16:36:14 UTC, joev...@gmail.com  wrote:
> > > > > Yes, thanks for pointing out the typos.  They are only mistakes in 
> > > > > this post.  I use a script running in dom0 to generate pretty much 
> > > > > everything.  The same script works when debian-8 is used.  The 
> > > > > interface is different depending on the template
> > > > 
> > > > I confirm I have the same issue.
> > > > Please however note that I have another PCI NIC connected to an AppVM 
> > > > (my Qubes also acts as a firewall for my home network) and we have no issue 
> > > > connecting outbound.
> > > > Outbound connections, as you know, do not need the PRE-ROUTING rules, so 
> > > > although the problem is seen on the FORWARD rule, I suspect it is rather the 
> > > > PRE-ROUTING rule that is at fault and does not do its job.
> > > > I'll try to dig into this, however I won't have much time this week...
> > > 
> > > Also, could you clarify if you've tested on FirewallVM and if here again 
> > > Debian is OK and Fedora is not. This might rule out issues with physical 
> > > cards (which I suspect is not the problem, as PRE-ROUTING does get the 
> > > packet).
> > 
> > Yes, if the template on sys-net is changed to Debian-8, but sys-firewall 
> > (FirewallVM) is left with fedora... sys-net does send the packet to 
> > sys-firewall, which then appears the same way... PREROUTING sees it, but 
> > FORWARD does not.
> 
> An idea: Debian doesn't have nftables installed by default, so
> qubes-firewall falls back to iptables. But not on Fedora - there nftables
> is used. This applies to both sys-net and sys-firewall.
> 
> A quick test:
> 
> 1. List rules:
> 
> nft list table ip qubes-firewall
> 
> 2. Add rule accepting traffic from eth0:
> 
> nft add rule ip qubes-firewall forward meta iifname eth0 accept

Shall I test and document firewall.md all using nft if it all works (there are 
some incompatibility warnings in the nftables wiki about mixing it with iptables 
for NAT that may need us to move fully to nft)?
I'll be happy to try (in my spare time and at my own pace) to submit PRs for all 
the qubes firewall scripts in sys-net and sys-firewall if you think it is the 
right way forward.

> 
> - -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> -BEGIN PGP SIGNATURE-
> 
> iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlp+rHcACgkQ24/THMrX
> 1ywR9gf/RJFy4TVihhweEh7ZqpwKTTD/JNgYCrl2nelvRwxl8awlqL/sxBBTGo39
> byprAaL/Oe+6L4aX3d/tfbmpuJ7plHIJvm9PIxQ4SVj46iEcMRJIm1xQCjV8YtFu
> bvAna5vrisuUuaEo/Kx1a7ee4gJTjHNUtTgA8N2ar+oL/csG2Vlz38zCVjAD8isf
> HoCn8H35V4zvJoVXNuFTpSBplIlxa4ouryBWT9GQktBnZ1OPqdeiKotgFX2N5sJc
> z01XQQ83HWJ+1/x+iGI9OoGidBKHI+izjSNhlyO70SW/9L1Xg+2NkaetJcO1VLHI
> TaegOvEhZkvw2X6DVeeG5fGk1nYKXQ==
> =evy9
> -END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-devel+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-devel@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/f217a6dc-1933-40fc-bd2e-3091de7d19e7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
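The two-step nft check Marek quotes above (list the qubes-firewall table, then add an accept rule for traffic entering on eth0) can be wrapped so it is safe to re-run and prints what it would change before touching anything. The script below is an added example written for this thread, not code from Qubes OS or from anyone in the discussion. It assumes the table is `ip qubes-firewall` and the chain is `forward`, exactly as in the quoted commands; the function names, the `QUBES_NFT_APPLY` switch and the sample listing are my own constructions. It also reports the forward chain's policy, since a packet that PREROUTING counts but FORWARD never does is consistent with that chain dropping it.

```shell
#!/bin/sh
# Added example (not from the thread or from Qubes OS): idempotent, dry-run
# by default version of the "list table, then add accept rule" check.
# Assumptions: table "ip qubes-firewall", chain "forward" (as in the thread);
# interface defaults to eth0.

TABLE_FAMILY="ip"
TABLE_NAME="qubes-firewall"
CHAIN="forward"

# Constructed sample of what "nft list table ip qubes-firewall" might print
# on a Fedora-based sys-net after the accept rule has been added. It is an
# illustration only; the real table has more chains and rules.
SAMPLE_LISTING='table ip qubes-firewall {
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "eth0" accept
    }
}'

# rule_present IFACE
# Reads an nft listing on stdin; returns 0 if an accept rule for IFACE is
# already there. Matches both the unquoted form older nft prints
# (iifname eth0 accept) and the quoted form (iifname "eth0" accept).
rule_present() {
    grep -Eq "iifname +\"?$1\"? +accept"
}

# forward_chain_policy
# Reads a listing on stdin and prints the forward chain's base policy
# (accept/drop), or "unknown" if the chain header is not found.
forward_chain_policy() {
    policy=$(sed -n "/chain $CHAIN /,/}/p" \
             | sed -n 's/.*policy \([a-z]*\);.*/\1/p' | head -n 1)
    [ -n "$policy" ] && echo "$policy" || echo "unknown"
}

# apply IFACE
# Lists the live table, reports the forward policy, and adds the accept rule
# only if it is missing and QUBES_NFT_APPLY=1 is set; otherwise dry-runs.
apply() {
    iface="$1"
    listing=$(nft list table "$TABLE_FAMILY" "$TABLE_NAME") || {
        echo "table $TABLE_FAMILY $TABLE_NAME not found (not root, or this VM" \
             "is on the iptables fallback)" >&2
        return 1
    }
    echo "$listing"
    echo "forward chain policy: $(echo "$listing" | forward_chain_policy)"
    if echo "$listing" | rule_present "$iface"; then
        echo "accept rule for $iface already present, nothing to do"
        return 0
    fi
    if [ "${QUBES_NFT_APPLY:-0}" = 1 ]; then
        nft add rule "$TABLE_FAMILY" "$TABLE_NAME" "$CHAIN" \
            meta iifname "$iface" accept
    else
        echo "dry run: would add 'meta iifname $iface accept' to chain $CHAIN" \
             "(set QUBES_NFT_APPLY=1 to apply)"
    fi
}

# Usage (as root inside sys-net or sys-firewall):
#   sh nft-forward-check.sh eth0                    # inspect only
#   QUBES_NFT_APPLY=1 sh nft-forward-check.sh eth0  # also add the rule
# With no argument, or where nft is not installed, only the helpers are defined.
if [ $# -gt 0 ] && command -v nft >/dev/null 2>&1; then
    apply "$1"
fi
```

The blanket `iifname eth0 accept` is the same diagnostic step Marek proposes: it tells you whether the nftables forward chain is what stops the packet. Once the FORWARD counter starts moving, narrow it to the forwarded port and protocol, as the port-forwarding example in the firewall doc does, rather than leaving the broad rule in place.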


Re: [qubes-devel] Re: Port Forward using iptables broken?

2018-02-10 Thread Alex Dubois


Sent from my mobile phone.

> On 10 Feb 2018, at 03:44, joevio...@gmail.com wrote:
> 
>> On Friday, 9 February 2018 03:44:13 UTC-5, awokd  wrote:
>>> On Fri, February 9, 2018 7:33 am, bowabos wrote:
>>>> On Friday, 9 February 2018 06:50:05 UTC, joev...@gmail.com  wrote:
>>>> 
>>>> Fedora templates have a weird issue where the packet counter on the
>>>> sys-net nat FORWARD chain does not increment. The PREROUTING chain does
>>>> increment.
>> 
>> I saw this too when trying to follow the port forwarding example in
>> https://www.qubes-os.org/doc/firewall/ . Mentioned it on qubes-users.
>> @adubois is researching as well.
> 
> https://gist.github.com/Joeviocoe/6c4dc0c283f6d6c5b1a3f5af8793292b
> Try this Portfwd script.  It was modified to work with new fedora templates 
> using nft.
> 
> Created an updated version for Qubes 4.0 (RC4 tested)
> Portfwd.sh|  clear all
> 
> Command line specify the "VM, Port and Protocol"... or just "VM clear all" to 
> undo previous.
> Script will recursively configure iptables/nft for all proxyVMs in use.
> Now uses comments on iptables to remove previous entries (no duplicates)
> 
> Works with Fedora 25/26 which uses nft rules along with iptables
> Works with Debian 8/9 too

Thanks. I may have a look later. I will first validate that it does not work as 
well with vanilla Fedora 26.




Re: [qubes-devel] Re: Port Forward using iptables broken?

2018-02-09 Thread 'awokd' via qubes-devel
On Fri, February 9, 2018 7:33 am, bowa...@gmail.com wrote:
> On Friday, 9 February 2018 06:50:05 UTC, joev...@gmail.com  wrote:
>
>> Fedora templates have a weird issue where the packet counter on the
>> sys-net nat FORWARD chain does not increment. The PREROUTING chain does
>> increment.

I saw this too when trying to follow the port forwarding example in
https://www.qubes-os.org/doc/firewall/ . Mentioned it on qubes-users.
@adubois is researching as well.

