Re: [qubes-users] Ad-blocking ProxyVM?
On Mon, April 30, 2018 6:40 pm, tomaxi...@gmail.com wrote: > I'm would like to build a similar setup, with pi-hole as a proxyVM for > some browsing AppVM on my fresh Qubes 4.0 install. I'm quite a beginner to > Qubes (and to linux more genrally) and I'm struggling following what > you've done to make it work. (I have also tried to follow some other > instructions here: > https://blog.tufarolo.eu/how-to-configure-pihole-in-qubesos-proxyvm/ but > either I'm missing something, or it doesn't work like this anymore with > 4.0) > Have you updated your setup to Qubes 4.0 if needed ? > Would you please agree to summarize as simply and clearly as possible the > necessary steps to make it work for a noob like me. Thanks Please see https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/http-proxy.md for some ideas how to do it, including R4.0 specific steps. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/31143f72e72eb14a378979e3b4d4c3d7.squirrel%40tt3j2x4k5ycaa5zt.onion. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Ad-blocking ProxyVM?
Le mardi 14 février 2017 13:08:37 UTC+1, Joe Ruether a écrit : > On Monday, February 13, 2017 at 9:35:52 PM UTC-5, Joe Ruether wrote: > > Ok, I need to simplify this. I need help, I don't know what I am missing. > > Is anyone able to recreate the following netcat test? > > > > I cannot seem to get the DNAT portion of the iptables to work at all. Here > > is a very simple test: > > > > On the proxyvm, I use the following rules to redirect port 5353 to > > localhost, and allow the connection: > > > > iptables -t nat -I PR-QBS 1 -d 10.137.4.1 -p tcp --dport 5353 -j DNAT > > --to-destination 127.0.0.1 > > iptables -I INPUT 1 -p tcp --dport 5353 -j ACCEPT > > > > Then, on the proxyvm, I run the following command to listen on that port > > (no other service is running on that port): > > > > nc -l -p 5353 > > > > Finally, on the AppVM, I run the following command: > > > > nc 10.137.4.1 5353 > > > > My expectation is that the two netcats will connect, however they don't. > > What do I need to do to get my AppVM to talk to my ProxyVM? Thanks > > Well, I feel like a fool, I finally figured it out. I realized the DNAT rules > aren't necessary at all, so all I needed was this: > > iptables -I INPUT 1 -p tcp --dport 5353 -j ACCEPT > > Of course I overcomplicated such a simple problem... I learned a bunch about > iptables though. > > I also have the PiHole adblocker working now. In case anyone stumbles onto > this thread trying to do the same thing, the final trick was to add the Qubes > vif interfaces to a dnsmasq config file to it would listen on them. Hi Joe, I'm would like to build a similar setup, with pi-hole as a proxyVM for some browsing AppVM on my fresh Qubes 4.0 install. I'm quite a beginner to Qubes (and to linux more genrally) and I'm struggling following what you've done to make it work. (I have also tried to follow some other instructions here: https://blog.tufarolo.eu/how-to-configure-pihole-in-qubesos-proxyvm/ but either I'm missing something, or it doesn't work like this anymore with 4.0) Have you updated your setup to Qubes 4.0 if needed ? Would you please agree to summarize as simply and clearly as possible the necessary steps to make it work for a noob like me. Thanks Tom -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5231186a-8856-45b6-8b7b-67fcfe9bf86d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Ad-blocking ProxyVM?
On Monday, February 13, 2017 at 9:35:52 PM UTC-5, Joe Ruether wrote: > Ok, I need to simplify this. I need help, I don't know what I am missing. Is > anyone able to recreate the following netcat test? > > I cannot seem to get the DNAT portion of the iptables to work at all. Here is > a very simple test: > > On the proxyvm, I use the following rules to redirect port 5353 to localhost, > and allow the connection: > > iptables -t nat -I PR-QBS 1 -d 10.137.4.1 -p tcp --dport 5353 -j DNAT > --to-destination 127.0.0.1 > iptables -I INPUT 1 -p tcp --dport 5353 -j ACCEPT > > Then, on the proxyvm, I run the following command to listen on that port (no > other service is running on that port): > > nc -l -p 5353 > > Finally, on the AppVM, I run the following command: > > nc 10.137.4.1 5353 > > My expectation is that the two netcats will connect, however they don't. What > do I need to do to get my AppVM to talk to my ProxyVM? Thanks Well, I feel like a fool, I finally figured it out. I realized the DNAT rules aren't necessary at all, so all I needed was this: iptables -I INPUT 1 -p tcp --dport 5353 -j ACCEPT Of course I overcomplicated such a simple problem... I learned a bunch about iptables though. I also have the PiHole adblocker working now. In case anyone stumbles onto this thread trying to do the same thing, the final trick was to add the Qubes vif interfaces to a dnsmasq config file to it would listen on them. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/fb192195-af69-4793-b4a2-1f787af2ddbc%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Ad-blocking ProxyVM?
Ok, I need to simplify this. I need help, I don't know what I am missing. Is anyone able to recreate the following netcat test? I cannot seem to get the DNAT portion of the iptables to work at all. Here is a very simple test: On the proxyvm, I use the following rules to redirect port 5353 to localhost, and allow the connection: iptables -t nat -I PR-QBS 1 -d 10.137.4.1 -p tcp --dport 5353 -j DNAT --to-destination 127.0.0.1 iptables -I INPUT 1 -p tcp --dport 5353 -j ACCEPT Then, on the proxyvm, I run the following command to listen on that port (no other service is running on that port): nc -l -p 5353 Finally, on the AppVM, I run the following command: nc 10.137.4.1 5353 My expectation is that the two netcats will connect, however they don't. What do I need to do to get my AppVM to talk to my ProxyVM? Thanks -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c23efb9f-f344-4523-b24d-ed8d7406723e%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Ad-blocking ProxyVM?
On Friday, February 10, 2017 at 6:21:49 PM UTC-5, Unman wrote: > On Fri, Feb 10, 2017 at 04:10:06AM -0800, Joe Ruether wrote: > > On Thursday, February 9, 2017 at 10:21:26 AM UTC-5, Unman wrote: > > > On Thu, Feb 09, 2017 at 04:32:12AM -0800, Joe Ruether wrote: > > > > Hello! > > > > > > > > I am trying to set up a proxy vm that will redirect DNS requests to a > > > > local DNS server, for the purposes of adblocking. > > > > > > > > Here is the setup: > > > > > > > > internet <-> sys-net <-> sys-firewall <-> MY_PROXYVM <-> > > > > appvm_with_firefox > > > > > > > > I have created a proxyvm based on a debian-8 template, and have > > > > installed PiHole (https://pi-hole.net/) as an adblocker. PiHole works > > > > by starting a DNS server (dnsmasq) and rejecting any dns queries to > > > > domains that serve ads. > > > > > > > > If (in the proxyvm) I set the contents of /etc/resolv.conf to 127.0.0.1 > > > > and open firefox (in the proxyvm), I can verify that the adblocker is > > > > working correctly. > > > > > > > > The issue I am having is when I used the proxyvm as the netvm for > > > > another appvm. Without any other changes, my appvm's firefox has > > > > internet access, but the adblocker has no effect. Of course, some > > > > additional setup is needed, but I'm not exactly sure how to do that. > > > > > > > > I'm not very good with iptables, and every attempt I have made to > > > > redirect DNS to 127.0.0.1 in the proxyvm has failed (and caused both > > > > the proxyvm and the appvm to lose the ability to browse). Here are the > > > > commands I ran (in the proxyvm): > > > > > > > > #!/bin/bash > > > > DNS=127.0.0.1 > > > > NS1=10.137.4.1 > > > > NS2=10.137.4.254 > > > > iptables -t nat -A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $DNS > > > > iptables -t nat -A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $DNS > > > > iptables -t nat -A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $DNS > > > > iptables -t nat -A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $DNS > > > > > > > > --- > > > > > > > > I pieced this together from what I could find from the VPN > > > > documentation on the qubes website as well as the contents of > > > > /usr/lib/qubes/qubes-setup-dnat-to-ns > > > > > > > > Running the qubes-setup-dnat-to-dns script by itself after changing > > > > /etc/resolv.conf (all this on the proxyvm) didn't seem to have any > > > > impact. > > > > > > > > So! My question is, am I going about this correctly? I think I need to > > > > modify the iptables in the proxyvm to redirect any incoming (from the > > > > appvm) DNS queries to 127.0.0.1, while still allowing outgoing (to the > > > > internet, from the proxyvm) DNS queries to get out. Along with this, I > > > > think I need to ensure that there are rules that allow all other > > > > traffic to pass through unhindered. > > > > > > > > Or is there a different, qubes-specific way of handling DNS that I > > > > should be using? After inspecting the sys-firewall ipconfig and > > > > iptables, it is clear that something behind-the-scenes is happening > > > > where an additional NIC is created for each attached appvm, and the > > > > iptables are being populated automatically somehow. I'm not sure how > > > > the proxyvm is supposed to get the addresses of the appvm and > > > > sys-firewall (my script above had addresses hardcoded). > > > > > > > > Thank you for any help! If I get all this working, I'm planning on > > > > making a Salt file that can create the adblocking proxyvm. > > > > > > > > > > I don't see any reason why this shouldn't work. > > > I wouldn't be so specific in the nat rules but that's your call. Just > > > protocol and post would suffice. > > > > > > One obvious point is that you are ADDING those rules to the end of the > > > PR-QBS chain without flushing it first. If you already have redirect > > > rules there they will trigger first. > > > What does your nat table look like after you run that script? > > > > > > Another point may be that you don't have an incoming rule in the INPUT > > > chain allowing inbound traffic to the DNS ports. Unless you've changed > > > this the default rule will block inbound traffic from any vif interface. > > > So you need to ensure you are allowing that traffic with an: > > > iptables -I INPUT -i vif+ -p udp --dport 53 -j ALLOW > > > > > > Finally, you need to consider the effects of the qubes-firewall and > > > qubes-netwatcher services. > > > If you want to retain these you can use > > > /rw/config/qubes-firewall-user-script to override the automatic Qubes > > > configuration and insert your own iptables rules. > > > You can also use rc.local to set initial iptables rules. > > > Remember to make those files executable if you want to use them. > > > > > > Most of this is in the docs, although not easy to find. > > > > > > Hope this helps > > > > > > unman > > > > Thank you for your help, I have more information about my configuration > > be
Re: [qubes-users] Ad-blocking ProxyVM?
On Fri, Feb 10, 2017 at 04:10:06AM -0800, Joe Ruether wrote: > On Thursday, February 9, 2017 at 10:21:26 AM UTC-5, Unman wrote: > > On Thu, Feb 09, 2017 at 04:32:12AM -0800, Joe Ruether wrote: > > > Hello! > > > > > > I am trying to set up a proxy vm that will redirect DNS requests to a > > > local DNS server, for the purposes of adblocking. > > > > > > Here is the setup: > > > > > > internet <-> sys-net <-> sys-firewall <-> MY_PROXYVM <-> > > > appvm_with_firefox > > > > > > I have created a proxyvm based on a debian-8 template, and have installed > > > PiHole (https://pi-hole.net/) as an adblocker. PiHole works by starting a > > > DNS server (dnsmasq) and rejecting any dns queries to domains that serve > > > ads. > > > > > > If (in the proxyvm) I set the contents of /etc/resolv.conf to 127.0.0.1 > > > and open firefox (in the proxyvm), I can verify that the adblocker is > > > working correctly. > > > > > > The issue I am having is when I used the proxyvm as the netvm for another > > > appvm. Without any other changes, my appvm's firefox has internet access, > > > but the adblocker has no effect. Of course, some additional setup is > > > needed, but I'm not exactly sure how to do that. > > > > > > I'm not very good with iptables, and every attempt I have made to > > > redirect DNS to 127.0.0.1 in the proxyvm has failed (and caused both the > > > proxyvm and the appvm to lose the ability to browse). Here are the > > > commands I ran (in the proxyvm): > > > > > > #!/bin/bash > > > DNS=127.0.0.1 > > > NS1=10.137.4.1 > > > NS2=10.137.4.254 > > > iptables -t nat -A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $DNS > > > iptables -t nat -A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $DNS > > > iptables -t nat -A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $DNS > > > iptables -t nat -A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $DNS > > > > > > --- > > > > > > I pieced this together from what I could find from the VPN documentation > > > on the qubes website as well as the contents of > > > /usr/lib/qubes/qubes-setup-dnat-to-ns > > > > > > Running the qubes-setup-dnat-to-dns script by itself after changing > > > /etc/resolv.conf (all this on the proxyvm) didn't seem to have any impact. > > > > > > So! My question is, am I going about this correctly? I think I need to > > > modify the iptables in the proxyvm to redirect any incoming (from the > > > appvm) DNS queries to 127.0.0.1, while still allowing outgoing (to the > > > internet, from the proxyvm) DNS queries to get out. Along with this, I > > > think I need to ensure that there are rules that allow all other traffic > > > to pass through unhindered. > > > > > > Or is there a different, qubes-specific way of handling DNS that I should > > > be using? After inspecting the sys-firewall ipconfig and iptables, it is > > > clear that something behind-the-scenes is happening where an additional > > > NIC is created for each attached appvm, and the iptables are being > > > populated automatically somehow. I'm not sure how the proxyvm is supposed > > > to get the addresses of the appvm and sys-firewall (my script above had > > > addresses hardcoded). > > > > > > Thank you for any help! If I get all this working, I'm planning on making > > > a Salt file that can create the adblocking proxyvm. > > > > > > > I don't see any reason why this shouldn't work. > > I wouldn't be so specific in the nat rules but that's your call. Just > > protocol and post would suffice. > > > > One obvious point is that you are ADDING those rules to the end of the > > PR-QBS chain without flushing it first. If you already have redirect > > rules there they will trigger first. > > What does your nat table look like after you run that script? > > > > Another point may be that you don't have an incoming rule in the INPUT > > chain allowing inbound traffic to the DNS ports. Unless you've changed > > this the default rule will block inbound traffic from any vif interface. > > So you need to ensure you are allowing that traffic with an: > > iptables -I INPUT -i vif+ -p udp --dport 53 -j ALLOW > > > > Finally, you need to consider the effects of the qubes-firewall and > > qubes-netwatcher services. > > If you want to retain these you can use > > /rw/config/qubes-firewall-user-script to override the automatic Qubes > > configuration and insert your own iptables rules. > > You can also use rc.local to set initial iptables rules. > > Remember to make those files executable if you want to use them. > > > > Most of this is in the docs, although not easy to find. > > > > Hope this helps > > > > unman > > Thank you for your help, I have more information about my configuration > below. I am confident that I have an iptables issue, but I can't seem to > figure out which rules need to be added. > > ifconfig: > > eth0 Link encap:Ethernet HWaddr 00:16:3e:5e:6c:01 > inet addr:10.137.2.3 Bcast:10.255.255.255 Mask:255.255.255.255 >
Re: [qubes-users] Ad-blocking ProxyVM?
On Thursday, February 9, 2017 at 10:21:26 AM UTC-5, Unman wrote: > On Thu, Feb 09, 2017 at 04:32:12AM -0800, Joe Ruether wrote: > > Hello! > > > > I am trying to set up a proxy vm that will redirect DNS requests to a local > > DNS server, for the purposes of adblocking. > > > > Here is the setup: > > > > internet <-> sys-net <-> sys-firewall <-> MY_PROXYVM <-> appvm_with_firefox > > > > I have created a proxyvm based on a debian-8 template, and have installed > > PiHole (https://pi-hole.net/) as an adblocker. PiHole works by starting a > > DNS server (dnsmasq) and rejecting any dns queries to domains that serve > > ads. > > > > If (in the proxyvm) I set the contents of /etc/resolv.conf to 127.0.0.1 and > > open firefox (in the proxyvm), I can verify that the adblocker is working > > correctly. > > > > The issue I am having is when I used the proxyvm as the netvm for another > > appvm. Without any other changes, my appvm's firefox has internet access, > > but the adblocker has no effect. Of course, some additional setup is > > needed, but I'm not exactly sure how to do that. > > > > I'm not very good with iptables, and every attempt I have made to redirect > > DNS to 127.0.0.1 in the proxyvm has failed (and caused both the proxyvm and > > the appvm to lose the ability to browse). Here are the commands I ran (in > > the proxyvm): > > > > #!/bin/bash > > DNS=127.0.0.1 > > NS1=10.137.4.1 > > NS2=10.137.4.254 > > iptables -t nat -A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $DNS > > iptables -t nat -A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $DNS > > iptables -t nat -A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $DNS > > iptables -t nat -A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $DNS > > > > --- > > > > I pieced this together from what I could find from the VPN documentation on > > the qubes website as well as the contents of > > /usr/lib/qubes/qubes-setup-dnat-to-ns > > > > Running the qubes-setup-dnat-to-dns script by itself after changing > > /etc/resolv.conf (all this on the proxyvm) didn't seem to have any impact. > > > > So! My question is, am I going about this correctly? I think I need to > > modify the iptables in the proxyvm to redirect any incoming (from the > > appvm) DNS queries to 127.0.0.1, while still allowing outgoing (to the > > internet, from the proxyvm) DNS queries to get out. Along with this, I > > think I need to ensure that there are rules that allow all other traffic to > > pass through unhindered. > > > > Or is there a different, qubes-specific way of handling DNS that I should > > be using? After inspecting the sys-firewall ipconfig and iptables, it is > > clear that something behind-the-scenes is happening where an additional NIC > > is created for each attached appvm, and the iptables are being populated > > automatically somehow. I'm not sure how the proxyvm is supposed to get the > > addresses of the appvm and sys-firewall (my script above had addresses > > hardcoded). > > > > Thank you for any help! If I get all this working, I'm planning on making a > > Salt file that can create the adblocking proxyvm. > > > > I don't see any reason why this shouldn't work. > I wouldn't be so specific in the nat rules but that's your call. Just > protocol and post would suffice. > > One obvious point is that you are ADDING those rules to the end of the > PR-QBS chain without flushing it first. If you already have redirect > rules there they will trigger first. > What does your nat table look like after you run that script? > > Another point may be that you don't have an incoming rule in the INPUT > chain allowing inbound traffic to the DNS ports. Unless you've changed > this the default rule will block inbound traffic from any vif interface. > So you need to ensure you are allowing that traffic with an: > iptables -I INPUT -i vif+ -p udp --dport 53 -j ALLOW > > Finally, you need to consider the effects of the qubes-firewall and > qubes-netwatcher services. > If you want to retain these you can use > /rw/config/qubes-firewall-user-script to override the automatic Qubes > configuration and insert your own iptables rules. > You can also use rc.local to set initial iptables rules. > Remember to make those files executable if you want to use them. > > Most of this is in the docs, although not easy to find. > > Hope this helps > > unman Thank you for your help, I have more information about my configuration below. I am confident that I have an iptables issue, but I can't seem to figure out which rules need to be added. ifconfig: eth0 Link encap:Ethernet HWaddr 00:16:3e:5e:6c:01 inet addr:10.137.2.3 Bcast:10.255.255.255 Mask:255.255.255.255 inet6 addr: fe80::216:3eff:fe5e:6c01/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:6830 errors:0 dropped:0 overruns:0 frame:0 TX packets:6436 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txq
Re: [qubes-users] Ad-blocking ProxyVM?
On Thu, Feb 09, 2017 at 04:32:12AM -0800, Joe Ruether wrote: > Hello! > > I am trying to set up a proxy vm that will redirect DNS requests to a local > DNS server, for the purposes of adblocking. > > Here is the setup: > > internet <-> sys-net <-> sys-firewall <-> MY_PROXYVM <-> appvm_with_firefox > > I have created a proxyvm based on a debian-8 template, and have installed > PiHole (https://pi-hole.net/) as an adblocker. PiHole works by starting a DNS > server (dnsmasq) and rejecting any dns queries to domains that serve ads. > > If (in the proxyvm) I set the contents of /etc/resolv.conf to 127.0.0.1 and > open firefox (in the proxyvm), I can verify that the adblocker is working > correctly. > > The issue I am having is when I used the proxyvm as the netvm for another > appvm. Without any other changes, my appvm's firefox has internet access, but > the adblocker has no effect. Of course, some additional setup is needed, but > I'm not exactly sure how to do that. > > I'm not very good with iptables, and every attempt I have made to redirect > DNS to 127.0.0.1 in the proxyvm has failed (and caused both the proxyvm and > the appvm to lose the ability to browse). Here are the commands I ran (in the > proxyvm): > > #!/bin/bash > DNS=127.0.0.1 > NS1=10.137.4.1 > NS2=10.137.4.254 > iptables -t nat -A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $DNS > iptables -t nat -A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $DNS > iptables -t nat -A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $DNS > iptables -t nat -A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $DNS > > --- > > I pieced this together from what I could find from the VPN documentation on > the qubes website as well as the contents of > /usr/lib/qubes/qubes-setup-dnat-to-ns > > Running the qubes-setup-dnat-to-dns script by itself after changing > /etc/resolv.conf (all this on the proxyvm) didn't seem to have any impact. > > So! My question is, am I going about this correctly? I think I need to modify > the iptables in the proxyvm to redirect any incoming (from the appvm) DNS > queries to 127.0.0.1, while still allowing outgoing (to the internet, from > the proxyvm) DNS queries to get out. Along with this, I think I need to > ensure that there are rules that allow all other traffic to pass through > unhindered. > > Or is there a different, qubes-specific way of handling DNS that I should be > using? After inspecting the sys-firewall ipconfig and iptables, it is clear > that something behind-the-scenes is happening where an additional NIC is > created for each attached appvm, and the iptables are being populated > automatically somehow. I'm not sure how the proxyvm is supposed to get the > addresses of the appvm and sys-firewall (my script above had addresses > hardcoded). > > Thank you for any help! If I get all this working, I'm planning on making a > Salt file that can create the adblocking proxyvm. > I don't see any reason why this shouldn't work. I wouldn't be so specific in the nat rules but that's your call. Just protocol and post would suffice. One obvious point is that you are ADDING those rules to the end of the PR-QBS chain without flushing it first. If you already have redirect rules there they will trigger first. What does your nat table look like after you run that script? Another point may be that you don't have an incoming rule in the INPUT chain allowing inbound traffic to the DNS ports. Unless you've changed this the default rule will block inbound traffic from any vif interface. So you need to ensure you are allowing that traffic with an: iptables -I INPUT -i vif+ -p udp --dport 53 -j ALLOW Finally, you need to consider the effects of the qubes-firewall and qubes-netwatcher services. If you want to retain these you can use /rw/config/qubes-firewall-user-script to override the automatic Qubes configuration and insert your own iptables rules. You can also use rc.local to set initial iptables rules. Remember to make those files executable if you want to use them. Most of this is in the docs, although not easy to find. Hope this helps unman -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170209152124.GA1291%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
