From c3a1c7637f4fc1f98c503c1af56db44e15059f8c Mon Sep 17 00:00:00 2001 From: Giulio Date: Mon, 16 Aug 2021 22:22:25 +0200 Subject: [PATCH] Project update --- Readme.md | 98 ++++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 68 insertions(+), 30 deletions(-) diff --git a/Readme.md b/Readme.md index d417f67..0a6d002 100644 --- a/Readme.md +++ b/Readme.md @@ -13,6 +13,8 @@ First develop and document the part related to manual port forwarding since it i 1. https://github.com/QubesOS/qubes-issues/issues/3556 2. https://www.reddit.com/r/Qubes/comments/8cb57i/how_to_achieve_qube_to_qube_communication_port/ 3. https://github.com/QubesOS/qubes-issues/issues/6225 + 4. https://github.com/QubesOS/qubes-issues/issues/5031 + 5. https://gist.github.com/fepitre/941d7161ae1150d90e15f778027e3248 ## Development ### Background @@ -23,10 +25,11 @@ First develop and document the part related to manual port forwarding since it i * https://www.qubes-os.org/doc/config-files/ ### Dev Repositories - * https://git.lsd.cat/Qubes/core-admin - * https://git.lsd.cat/Qubes/core-admin-client - * https://git.lsd.cat/Qubes/core-agent-linux + * https://github.com/lsd-cat/qubes-core-admin + * https://github.com/lsd-cat/qubes-core-admin-client + * https://github.com/lsd-cat/qubes-core-agent-linux +All changes are in the `gsoc-port-forwarding` branch of each repo. ### Main components involved 1. [Firewall GUI in "Settings" (qubes-manager)](https://github.com/QubesOS/qubes-manager/blob/master/qubesmanager/firewall.py) @@ -133,7 +136,9 @@ Of course `expire=` and `comment=` are optional fields. example https server rule -``` +```Sorry. We’re having trouble getting your pages back. + +We are having trouble restoring your last browsing session. Select Restore Session to try again. ### Proposal chart ###### The main distinction between internal and external port forwarding is: @@ -165,53 +170,86 @@ options as the point above here. Here there is the need to resolve the full network chain for external port forwarding. From here it is possible to add the respective rules to the QubesDB of each NetVM in he chain and trigger a reload event. - 4. 🚧 In `core-agent-linux/qubesagent/firewall.py` -> Here goes the logic for + 4. βœ”οΈ In `core-agent-linux/qubesagent/firewall.py` -> Here goes the logic for building the correct syntax for iptables or nft and the actual execution - 5. ❌ GUI - 6. ❌ Tests + 5. ❌ Tests + 6. ❌ GUI + Both tests and GUI have yet to be worked on. Automated tests will be written soon in the following weeks. ### Required rules #### External +The iptables backend in the firewall worker is being deprecated. If the `nft` binary is available on the target Qubes, iptables will be never involved. Thus, only `nft` rules are relevant in this context. -***srchost and srcports support yet to be written here *** -In ``: +Sample setup: ``` -iptables -t nat -A PREROUTING -i -p tcp --dport -d -j DNAT --to-destination -iptables -I FORWARD 2 -i -d -p tcp --dport -m conntrack --ctstate NEW -j ACCEPT -nft add rule ip qubes-firewall forward meta iifname ip daddr tcp dport ct state new counter accept +sys-net - 10.137.0.5 (ens6 phy with 192.168.10.20) +sys-firewall - 10.137.0.6 +personal - 10.137.0.7 ``` -In ``: +All of them are running fedora-32. -``` -iptables -t nat -A PREROUTING -i -p tcp --dport -d -j DNAT --to-destination -iptables -I FORWARD 2 -i -d -p tcp --dport -m conntrack --ctstate NEW -j ACCEPT -nft add rule ip qubes-firewall forward meta iifname ip daddr tcp dport ct state new counter accept +And assume the following rule added via qvm-firewall: + +```# qvm-firewall personal add action=forward forwardtype=external scrports=22-22 proto=tcp dstports=2222-2222 srchost=192.168.10.0/24 ``` -in ``: -``` -iptables -w -I INPUT 5 -d -p tcp --dport -m conntrack --ctstate NEW -j ACCEPT -``` - -#### Internal -In ``: +First, a table for the forwarding rules is created: ``` -iptables -t nat -A PREROUTING -i -p tcp --dport -d -j DNAT --to-destination -iptables -I FORWARD 2 -i -d -p tcp --dport -m conntrack --ctstate NEW -j ACCEPT -nft add rule ip qubes-firewall forward meta iifname ip daddr tcp dport ct state new counter accept +flush chain {family} qubes-firewall-forward prerouting +flush chain {family} qubes-firewall-forward postrouting +table {family} qubes-firewall-forward { + chain postrouting { + type nat hook postrouting priority srcnat; policy accept; + masquerade + } + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + } +} ``` -in ``: +Then, if the qube is marked as 'last', meaning that it is the external qube with the physical interface the following rules are added: + ``` -iptables -w -I INPUT 5 -d -p tcp --dport -m conntrack --ctstate NEW -j ACCEPT +table {family} qubes-firewall-forward { + chain prerouting { + meta iifname "ens6" {family} saddr 192.168.10.0/24 tcp dport {{ 22 }} dnat to 10.137.0.6:2222 + } +} + +table {family} qubes-firewall { + chain forward { + meta iifname "eth0" {family} daddr 10.137.0.6 tcp dport 2222 ct state new counter accept + } +} ``` +And that is all for sys-net. + +In sys-firewall, since it is an 'internal' qube, the following rules are added instead: + +``` +table {family} qubes-firewall-forward { + chain prerouting { + meta iifname "eth0" {family} saddr 120.137.0.5 tcp dport {{ 2222 }} dnat to 10.137.0.7:2222 + } +} + +table {family} qubes-firewall { + chain forward { + meta iifname "eth0" {family} daddr 10.137.0.7 tcp dport 2222 ct state new counter accept + } +} +``` + +Lastly, some rules need to be added in the target Qube in order to accept the incoming connections. Since the target Qube does not have a running firewall worker, the method for doing this has yet to be determined. + ## Extra -### QubedDB Debugging +### QubesDB Debugging Since all firewall rules are written to the respective domains QubesDB by the `qubesd` it is essential dor debugging purposes to be able to easily read QubesDB entries. The QubesOS Project provide some useful utilities to interact with each DB. Such utilities have self explicative names and works like the respective functions used in the source code. The most useful are: