123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148 |
- <html>
- <head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
- <title>Re: GSoC Port Forwarding</title>
- <link rel="important stylesheet" href="">
- <style>div.headerdisplayname {font-weight:bold;}
- </style></head>
- <body>
- <table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><div class="headerdisplayname" style="display:inline;">Oggetto: </div>Re: GSoC Port Forwarding</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Mittente: </div>Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com></td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Data: </div>17/08/2021, 01:50</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><div class="headerdisplayname" style="display:inline;">A: </div>Giulio <giulio@gmx.com></td></tr><tr><td><div class="headerdisplayname" style="display:inline;">CC: </div>Frédéric Pierret <frederic.pierret@qubes-os.org></td></tr></table><br>
- <div class="moz-text-plain" wrap=true graphical-quote=true style="font-family: -moz-fixed; font-size: 14px;" lang="x-unicode"><pre wrap class="moz-quote-pre">
- On Sun, Aug 15, 2021 at 05:35:37PM +0200, Giulio wrote:
- </pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
- <span class="moz-txt-citetags">> </span>Hello,
- <span class="moz-txt-citetags">> </span>Thank you for you fast reply.
- <span class="moz-txt-citetags">> </span>
- <span class="moz-txt-citetags">> </span>Il 14/08/2021 23:43, Marek Marczykowski-Górecki ha scritto:
- </pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
- <span class="moz-txt-citetags">> > </span>
- <span class="moz-txt-citetags">> > </span>As for the nft syntax, I think iptables-translate tool can help you
- <span class="moz-txt-citetags">> > </span>(part of the iptables-nft package).
- <span class="moz-txt-citetags">> > </span>See <a class="moz-txt-link-freetext" href="https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables">https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables</a>
- <span class="moz-txt-citetags">> > </span>
- </pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
- <span class="moz-txt-citetags">> > > </span>You can see in [4] how I organized the forwarding mechanism. All the
- <span class="moz-txt-citetags">> > > </span>necessary information, as well as ipv4/ipv6 support should already be in
- <span class="moz-txt-citetags">> > > </span>the 'prepare_forward_rules' function meaning that only the actual
- <span class="moz-txt-citetags">> > > </span>building syntax is left.
- </pre></blockquote><pre wrap class="moz-quote-pre">
- <span class="moz-txt-citetags">> > </span>
- </pre></blockquote><pre wrap class="moz-quote-pre">
- <span class="moz-txt-citetags">> </span>
- <span class="moz-txt-citetags">> </span>I have tried to write the external nft rules as well the extarnal ones,
- <span class="moz-txt-citetags">> </span>with the exception of the destination domain.
- <span class="moz-txt-citetags">> </span>
- <span class="moz-txt-citetags">> </span>Assume the following setup:
- <span class="moz-txt-citetags">> </span>sys-net - 10.137.0.5 (ens6 phy with 192.168.10.20)
- <span class="moz-txt-citetags">> </span>sys-firewall - 10.137.0.6
- <span class="moz-txt-citetags">> </span>personal - 10.137.0.7
- <span class="moz-txt-citetags">> </span>
- <span class="moz-txt-citetags">> </span>All of them are running fedora-32.
- <span class="moz-txt-citetags">> </span>
- <span class="moz-txt-citetags">> </span>And assume the following rule added via qvm-firewall:
- <span class="moz-txt-citetags">> </span># qvm-firewall personal add action=forward forwardtype=external
- <span class="moz-txt-citetags">> </span>scrports=22-22 proto=tcp dstports=2222-2222 srchost=192.168.10.0/24
- <span class="moz-txt-citetags">> </span>.
- <span class="moz-txt-citetags">> </span>First, a table for the forwarding rules is created:
- <span class="moz-txt-citetags">> </span>
- <span class="moz-txt-citetags">> </span>flush chain {family} qubes-firewall-forward prerouting
- <span class="moz-txt-citetags">> </span>flush chain {family} qubes-firewall-forward postrouting
- <span class="moz-txt-citetags">> </span>table {family} qubes-firewall-forward {
- <span class="moz-txt-citetags">> </span> chain postrouting {
- <span class="moz-txt-citetags">> </span> type nat hook postrouting priority srcnat; policy accept;
- <span class="moz-txt-citetags">> </span> masquerade
- </pre></blockquote><pre wrap class="moz-quote-pre">
- I think this is too broad - this will hide the source address of all
- incoming connections - something that shouldn't be needed.
- masquerade is necessary for outgoing traffic only, but it's there
- already in default setup (via iptables...)
- </pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
- <span class="moz-txt-citetags">> </span> }
- <span class="moz-txt-citetags">> </span> chain prerouting {
- <span class="moz-txt-citetags">> </span> type nat hook prerouting priority dstnat; policy accept;
- <span class="moz-txt-citetags">> </span> }
- <span class="moz-txt-citetags">> </span>}
- <span class="moz-txt-citetags">> </span>
- <span class="moz-txt-citetags">> </span>Then, if the qube is marked as 'last', meaning that it is the external
- <span class="moz-txt-citetags">> </span>qube with the physical interface the following rules are added:
- <span class="moz-txt-citetags">> </span>
- <span class="moz-txt-citetags">> </span>table {family} qubes-firewall-forward {
- <span class="moz-txt-citetags">> </span> chain prerouting {
- <span class="moz-txt-citetags">> </span> meta iifname "ens6" {family} saddr 192.168.10.0/24 tcp dport {{ 22 }}
- <span class="moz-txt-citetags">> </span>dnat to 10.137.0.6:2222
- <span class="moz-txt-citetags">> </span> }
- <span class="moz-txt-citetags">> </span>}
- <span class="moz-txt-citetags">> </span>
- <span class="moz-txt-citetags">> </span>table {family} qubes-firewall {
- <span class="moz-txt-citetags">> </span> chain forward {
- <span class="moz-txt-citetags">> </span> meta iifname "eth0" {family} daddr 10.137.0.6 tcp dport 2222 ct state
- <span class="moz-txt-citetags">> </span>new counter accept
- </pre></blockquote><pre wrap class="moz-quote-pre">
- iifname "eth0" ? Should be rather ens6.
- </pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
- <span class="moz-txt-citetags">> </span> }
- <span class="moz-txt-citetags">> </span>}
- <span class="moz-txt-citetags">> </span>
- <span class="moz-txt-citetags">> </span>And that is all for sys-net.
- <span class="moz-txt-citetags">> </span>
- <span class="moz-txt-citetags">> </span>In sys-firewall, since it is an 'internal' qube, the following rules are
- <span class="moz-txt-citetags">> </span>added instead:
- <span class="moz-txt-citetags">> </span>
- <span class="moz-txt-citetags">> </span>table {family} qubes-firewall-forward {
- <span class="moz-txt-citetags">> </span> chain prerouting {
- <span class="moz-txt-citetags">> </span> meta iifname "eth0" {family} saddr 120.137.0.5 tcp dport {{ 2222 }}
- <span class="moz-txt-citetags">> </span>dnat to 10.137.0.7:2222
- </pre></blockquote><pre wrap class="moz-quote-pre">
- And here, if there wouldn't be masquerade for everything, you could keep
- the original source addr (192.168.10.0/24)
- </pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
- <span class="moz-txt-citetags">> </span> }
- <span class="moz-txt-citetags">> </span>}
- <span class="moz-txt-citetags">> </span>
- <span class="moz-txt-citetags">> </span>table {family} qubes-firewall {
- <span class="moz-txt-citetags">> </span> chain forward {
- <span class="moz-txt-citetags">> </span> meta iifname "eth0" {family} daddr 10.137.0.7 tcp dport 2222 ct state
- <span class="moz-txt-citetags">> </span>new counter accept
- <span class="moz-txt-citetags">> </span> }
- <span class="moz-txt-citetags">> </span>}
- <span class="moz-txt-citetags">> </span>
- <span class="moz-txt-citetags">> </span>Lastly, the appropriate rules allowing incoming traffic on the selected
- <span class="moz-txt-citetags">> </span>port from the previous hop should be added directly yo the 'personal'
- <span class="moz-txt-citetags">> </span>domain. However I see that there the nft ruleset is empty, while
- <span class="moz-txt-citetags">> </span>iptables seems indeed to be in use. I guess that those rules are the
- <span class="moz-txt-citetags">> </span>ones specified in qubes-core-agent-linux/network/iptables, however I am
- <span class="moz-txt-citetags">> </span>wondering how we should proceed on this one?
- </pre></blockquote><pre wrap class="moz-quote-pre">
- Ok, this indeed is an issue with mixed iptables / nft usage. For the
- purpose of this project, since there isn't much time left, you can
- simply stop 'iptables' service in the 'personal' VM - and document
- this as a manual step needed. This will become unnecessary when iptables
- rules will be migrated to nft.
- But there is also another issue: the qubes-firewall daemon is currently
- not started if a VM doesn't provide network. So, it isn't started in
- 'personal' VM here.
- </pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
- <span class="moz-txt-citetags">> </span>Also are you able to spot errors or something missing in the
- <span class="moz-txt-citetags">> </span>aforedescribed rule flow? When testing I can see the incoming connection
- <span class="moz-txt-citetags">> </span>on port 22 of the physical interface of sys-net, but then I am losing
- <span class="moz-txt-citetags">> </span>track of the connection after that...
- </pre></blockquote><pre wrap class="moz-quote-pre">
- See above - the interface name. You may also like to see this:
- <a class="moz-txt-link-freetext" href="https://wiki.nftables.org/wiki-nftables/index.php/Ruleset_debug/tracing">https://wiki.nftables.org/wiki-nftables/index.php/Ruleset_debug/tracing</a>
- <div class="moz-txt-sig">--
- Best Regards,
- Marek Marczykowski-Górecki
- Invisible Things Lab
- </div></pre></div></body>
- </html>
- </table></div>
|