111 lines
5.4 KiB
HTML
111 lines
5.4 KiB
HTML
|
<html>
|
||
|
<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
|
||
|
<title>Re: GSoC Port Forwarding</title>
|
||
|
<link rel="important stylesheet" href="">
|
||
|
<style>div.headerdisplayname {font-weight:bold;}
|
||
|
</style></head>
|
||
|
<body>
|
||
|
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><div class="headerdisplayname" style="display:inline;">Oggetto: </div>Re: GSoC Port Forwarding</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Mittente: </div>Giulio <giulio@gmx.com></td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Data: </div>15/08/2021, 17:35</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><div class="headerdisplayname" style="display:inline;">A: </div>Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com></td></tr><tr><td><div class="headerdisplayname" style="display:inline;">CC: </div>Frédéric Pierret <frederic.pierret@qubes-os.org></td></tr></table><br>
|
||
|
<div class="moz-text-flowed" style="font-family: -moz-fixed; font-size: 14px;" lang="x-unicode">Hello,
|
||
|
<br>Thank you for you fast reply.
|
||
|
<br>
|
||
|
<br>Il 14/08/2021 23:43, Marek Marczykowski-Górecki ha scritto:
|
||
|
<br><blockquote type=cite style="color: #007cff;">
|
||
|
<br>As for the nft syntax, I think iptables-translate tool can help you
|
||
|
<br>(part of the iptables-nft package).
|
||
|
<br>See <a class="moz-txt-link-freetext" href="https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables">https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables</a>
|
||
|
<br>
|
||
|
<br><blockquote type=cite style="color: #007cff;">You can see in [4] how I organized the forwarding mechanism. All the
|
||
|
<br>necessary information, as well as ipv4/ipv6 support should already be in
|
||
|
<br>the 'prepare_forward_rules' function meaning that only the actual
|
||
|
<br>building syntax is left.
|
||
|
<br></blockquote>
|
||
|
<br></blockquote>
|
||
|
<br>I have tried to write the external nft rules as well the extarnal ones,
|
||
|
with the exception of the destination domain.
|
||
|
<br>
|
||
|
<br>Assume the following setup:
|
||
|
<br>sys-net - 10.137.0.5 (ens6 phy with 192.168.10.20)
|
||
|
<br>sys-firewall - 10.137.0.6
|
||
|
<br>personal - 10.137.0.7
|
||
|
<br>
|
||
|
<br>All of them are running fedora-32.
|
||
|
<br>
|
||
|
<br>And assume the following rule added via qvm-firewall:
|
||
|
<br># qvm-firewall personal add action=forward forwardtype=external
|
||
|
scrports=22-22 proto=tcp dstports=2222-2222 srchost=192.168.10.0/24
|
||
|
<br>.
|
||
|
<br>First, a table for the forwarding rules is created:
|
||
|
<br>
|
||
|
<br>flush chain {family} qubes-firewall-forward prerouting
|
||
|
<br>flush chain {family} qubes-firewall-forward postrouting
|
||
|
<br>table {family} qubes-firewall-forward {
|
||
|
<br> chain postrouting {
|
||
|
<br> type nat hook postrouting priority srcnat; policy accept;
|
||
|
<br> masquerade
|
||
|
<br> }
|
||
|
<br> chain prerouting {
|
||
|
<br> type nat hook prerouting priority dstnat; policy accept;
|
||
|
<br> }
|
||
|
<br>}
|
||
|
<br>
|
||
|
<br>Then, if the qube is marked as 'last', meaning that it is the external
|
||
|
qube with the physical interface the following rules are added:
|
||
|
<br>
|
||
|
<br>table {family} qubes-firewall-forward {
|
||
|
<br> chain prerouting {
|
||
|
<br> meta iifname "ens6" {family} saddr 192.168.10.0/24 tcp dport {{ 22 }}
|
||
|
dnat to 10.137.0.6:2222
|
||
|
<br> }
|
||
|
<br>}
|
||
|
<br>
|
||
|
<br>table {family} qubes-firewall {
|
||
|
<br> chain forward {
|
||
|
<br> meta iifname "eth0" {family} daddr 10.137.0.6 tcp dport 2222 ct state
|
||
|
new counter accept
|
||
|
<br> }
|
||
|
<br>}
|
||
|
<br>
|
||
|
<br>And that is all for sys-net.
|
||
|
<br>
|
||
|
<br>In sys-firewall, since it is an 'internal' qube, the following rules are
|
||
|
added instead:
|
||
|
<br>
|
||
|
<br>table {family} qubes-firewall-forward {
|
||
|
<br> chain prerouting {
|
||
|
<br> meta iifname "eth0" {family} saddr 120.137.0.5 tcp dport {{ 2222 }}
|
||
|
dnat to 10.137.0.7:2222
|
||
|
<br> }
|
||
|
<br>}
|
||
|
<br>
|
||
|
<br>table {family} qubes-firewall {
|
||
|
<br> chain forward {
|
||
|
<br> meta iifname "eth0" {family} daddr 10.137.0.7 tcp dport 2222 ct state
|
||
|
new counter accept
|
||
|
<br> }
|
||
|
<br>}
|
||
|
<br>
|
||
|
<br>Lastly, the appropriate rules allowing incoming traffic on the selected
|
||
|
port from the previous hop should be added directly yo the 'personal'
|
||
|
domain. However I see that there the nft ruleset is empty, while
|
||
|
iptables seems indeed to be in use. I guess that those rules are the
|
||
|
ones specified in qubes-core-agent-linux/network/iptables, however I am
|
||
|
wondering how we should proceed on this one?
|
||
|
<br>
|
||
|
<br>Also are you able to spot errors or something missing in the
|
||
|
aforedescribed rule flow? When testing I can see the incoming connection
|
||
|
on port 22 of the physical interface of sys-net, but then I am losing
|
||
|
track of the connection after that...
|
||
|
<br>
|
||
|
<br>
|
||
|
<br><blockquote type=cite style="color: #007cff;">In both cases, the code will need some tests of course.
|
||
|
<br>
|
||
|
<br></blockquote>
|
||
|
<br>As soon as everything seems to work with my manual test, I will start
|
||
|
progressively writing the automated tests.
|
||
|
<br>
|
||
|
<br>Cheers
|
||
|
<br>Giulio
|
||
|
<br></div></body>
|
||
|
</html>
|
||
|
</table></div>
|