Home Explore Help
Sign In
Qubes
/
gsoc
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 76b877f65b
Branches Tags
gsoc
/
mails
/
20210817-Re_GSoC Port Forwarding-14371.html

20210817-Re_GSoC Port Forwarding-14371.html 10 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148 
  1. <html>
    2. 

  2. <head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    3. 

  3. <title>Re: GSoC Port Forwarding</title>
    4. 

  4. <link rel="important stylesheet" href="">
    5. 

  5. <style>div.headerdisplayname {font-weight:bold;}
    6. 

  6. </style></head>
    7. 

  7. <body>
    8. 

  8. <table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><div class="headerdisplayname" style="display:inline;">Oggetto: </div>Re: GSoC Port Forwarding</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Mittente: </div>Marek Marczykowski-Górecki &lt;marmarek@invisiblethingslab.com&gt;</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Data: </div>17/08/2021, 01:50</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><div class="headerdisplayname" style="display:inline;">A: </div>Giulio <giulio@gmx.com></td></tr><tr><td><div class="headerdisplayname" style="display:inline;">CC: </div>Frédéric Pierret &lt;frederic.pierret@qubes-os.org&gt;</td></tr></table><br>
    9. 

  9. <div class="moz-text-plain" wrap=true graphical-quote=true style="font-family: -moz-fixed; font-size: 14px;" lang="x-unicode"><pre wrap class="moz-quote-pre">
    10. 

  10. On Sun, Aug 15, 2021 at 05:35:37PM +0200, Giulio wrote:
    11. 

  11. </pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
    12. 

  12. <span class="moz-txt-citetags">&gt; </span>Hello,
    13. 

  13. <span class="moz-txt-citetags">&gt; </span>Thank you for you fast reply.
    14. 

  14. <span class="moz-txt-citetags">&gt; </span>
    15. 

  15. <span class="moz-txt-citetags">&gt; </span>Il 14/08/2021 23:43, Marek Marczykowski-Górecki ha scritto:
    16. 

  16. </pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
    17. 

  17. <span class="moz-txt-citetags">&gt; &gt; </span>
    18. 

  18. <span class="moz-txt-citetags">&gt; &gt; </span>As for the nft syntax, I think iptables-translate tool can help you
    19. 

  19. <span class="moz-txt-citetags">&gt; &gt; </span>(part of the iptables-nft package).
    20. 

  20. <span class="moz-txt-citetags">&gt; &gt; </span>See <a class="moz-txt-link-freetext" href="https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables">https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables</a>
    21. 

  21. <span class="moz-txt-citetags">&gt; &gt; </span>
    22. 

  22. </pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
    23. 

  23. <span class="moz-txt-citetags">&gt; &gt; &gt; </span>You can see in [4] how I organized the forwarding mechanism. All the
    24. 

  24. <span class="moz-txt-citetags">&gt; &gt; &gt; </span>necessary information, as well as ipv4/ipv6 support should already be in
    25. 

  25. <span class="moz-txt-citetags">&gt; &gt; &gt; </span>the 'prepare_forward_rules' function meaning that only the actual
    26. 

  26. <span class="moz-txt-citetags">&gt; &gt; &gt; </span>building syntax is left.
    27. 

  27. </pre></blockquote><pre wrap class="moz-quote-pre">
    28. 

  28. <span class="moz-txt-citetags">&gt; &gt; </span>
    29. 

  29. </pre></blockquote><pre wrap class="moz-quote-pre">
    30. 

  30. <span class="moz-txt-citetags">&gt; </span>
    31. 

  31. <span class="moz-txt-citetags">&gt; </span>I have tried to write the external nft rules as well the extarnal ones,
    32. 

  32. <span class="moz-txt-citetags">&gt; </span>with the exception of the destination domain.
    33. 

  33. <span class="moz-txt-citetags">&gt; </span>
    34. 

  34. <span class="moz-txt-citetags">&gt; </span>Assume the following setup:
    35. 

  35. <span class="moz-txt-citetags">&gt; </span>sys-net - 10.137.0.5 (ens6 phy with 192.168.10.20)
    36. 

  36. <span class="moz-txt-citetags">&gt; </span>sys-firewall - 10.137.0.6
    37. 

  37. <span class="moz-txt-citetags">&gt; </span>personal - 10.137.0.7
    38. 

  38. <span class="moz-txt-citetags">&gt; </span>
    39. 

  39. <span class="moz-txt-citetags">&gt; </span>All of them are running fedora-32.
    40. 

  40. <span class="moz-txt-citetags">&gt; </span>
    41. 

  41. <span class="moz-txt-citetags">&gt; </span>And assume the following rule added via qvm-firewall:
    42. 

  42. <span class="moz-txt-citetags">&gt; </span># qvm-firewall personal add action=forward forwardtype=external
    43. 

  43. <span class="moz-txt-citetags">&gt; </span>scrports=22-22 proto=tcp dstports=2222-2222 srchost=192.168.10.0/24
    44. 

  44. <span class="moz-txt-citetags">&gt; </span>.
    45. 

  45. <span class="moz-txt-citetags">&gt; </span>First, a table for the forwarding rules is created:
    46. 

  46. <span class="moz-txt-citetags">&gt; </span>
    47. 

  47. <span class="moz-txt-citetags">&gt; </span>flush chain {family} qubes-firewall-forward prerouting
    48. 

  48. <span class="moz-txt-citetags">&gt; </span>flush chain {family} qubes-firewall-forward postrouting
    49. 

  49. <span class="moz-txt-citetags">&gt; </span>table {family} qubes-firewall-forward {
    50. 

  50. <span class="moz-txt-citetags">&gt; </span>	chain postrouting {
    51. 

  51. <span class="moz-txt-citetags">&gt; </span>		type nat hook postrouting priority srcnat; policy accept;
    52. 

  52. <span class="moz-txt-citetags">&gt; </span>		masquerade
    53. 

  53. </pre></blockquote><pre wrap class="moz-quote-pre">
    54. 

  54. 

  55. I think this is too broad - this will hide the source address of all
    56. 

  56. incoming connections - something that shouldn't be needed.
    57. 

  57. masquerade is necessary for outgoing traffic only, but it's there
    58. 

  58. already in default setup (via iptables...)
    59. 

  59. 

  60. </pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
    61. 

  61. <span class="moz-txt-citetags">&gt; </span>	}
    62. 

  62. <span class="moz-txt-citetags">&gt; </span>	chain prerouting {
    63. 

  63. <span class="moz-txt-citetags">&gt; </span>		type nat hook prerouting priority dstnat; policy accept;
    64. 

  64. <span class="moz-txt-citetags">&gt; </span>        }
    65. 

  65. <span class="moz-txt-citetags">&gt; </span>}
    66. 

  66. <span class="moz-txt-citetags">&gt; </span>
    67. 

  67. <span class="moz-txt-citetags">&gt; </span>Then, if the qube is marked as 'last', meaning that it is the external
    68. 

  68. <span class="moz-txt-citetags">&gt; </span>qube with the physical interface the following rules are added:
    69. 

  69. <span class="moz-txt-citetags">&gt; </span>
    70. 

  70. <span class="moz-txt-citetags">&gt; </span>table {family} qubes-firewall-forward {
    71. 

  71. <span class="moz-txt-citetags">&gt; </span>	chain prerouting {
    72. 

  72. <span class="moz-txt-citetags">&gt; </span>		meta iifname "ens6" {family} saddr 192.168.10.0/24 tcp dport {{ 22 }}
    73. 

  73. <span class="moz-txt-citetags">&gt; </span>dnat to 10.137.0.6:2222
    74. 

  74. <span class="moz-txt-citetags">&gt; </span>	}
    75. 

  75. <span class="moz-txt-citetags">&gt; </span>}
    76. 

  76. <span class="moz-txt-citetags">&gt; </span>
    77. 

  77. <span class="moz-txt-citetags">&gt; </span>table {family} qubes-firewall {
    78. 

  78. <span class="moz-txt-citetags">&gt; </span>	chain forward {
    79. 

  79. <span class="moz-txt-citetags">&gt; </span>		meta iifname "eth0" {family} daddr 10.137.0.6 tcp dport 2222 ct state
    80. 

  80. <span class="moz-txt-citetags">&gt; </span>new counter accept
    81. 

  81. </pre></blockquote><pre wrap class="moz-quote-pre">
    82. 

  82. 

  83. iifname "eth0" ? Should be rather ens6.
    84. 

  84. 

  85. </pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
    86. 

  86. <span class="moz-txt-citetags">&gt; </span>	}
    87. 

  87. <span class="moz-txt-citetags">&gt; </span>}
    88. 

  88. <span class="moz-txt-citetags">&gt; </span>
    89. 

  89. <span class="moz-txt-citetags">&gt; </span>And that is all for sys-net.
    90. 

  90. <span class="moz-txt-citetags">&gt; </span>
    91. 

  91. <span class="moz-txt-citetags">&gt; </span>In sys-firewall, since it is an 'internal' qube, the following rules are
    92. 

  92. <span class="moz-txt-citetags">&gt; </span>added instead:
    93. 

  93. <span class="moz-txt-citetags">&gt; </span>
    94. 

  94. <span class="moz-txt-citetags">&gt; </span>table {family} qubes-firewall-forward {
    95. 

  95. <span class="moz-txt-citetags">&gt; </span>	chain prerouting {
    96. 

  96. <span class="moz-txt-citetags">&gt; </span>		meta iifname "eth0" {family} saddr 120.137.0.5 tcp dport {{ 2222 }}
    97. 

  97. <span class="moz-txt-citetags">&gt; </span>dnat to 10.137.0.7:2222
    98. 

  98. </pre></blockquote><pre wrap class="moz-quote-pre">
    99. 

  99. 

  100. And here, if there wouldn't be masquerade for everything, you could keep
    101. 

  101. the original source addr (192.168.10.0/24)
    102. 

  102. 

  103. </pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
    104. 

  104. <span class="moz-txt-citetags">&gt; </span>	}
    105. 

  105. <span class="moz-txt-citetags">&gt; </span>}
    106. 

  106. <span class="moz-txt-citetags">&gt; </span>
    107. 

  107. <span class="moz-txt-citetags">&gt; </span>table {family} qubes-firewall {
    108. 

  108. <span class="moz-txt-citetags">&gt; </span>	chain forward {
    109. 

  109. <span class="moz-txt-citetags">&gt; </span>		meta iifname "eth0" {family} daddr 10.137.0.7 tcp dport 2222 ct state
    110. 

  110. <span class="moz-txt-citetags">&gt; </span>new counter accept
    111. 

  111. <span class="moz-txt-citetags">&gt; </span>	}
    112. 

  112. <span class="moz-txt-citetags">&gt; </span>}
    113. 

  113. <span class="moz-txt-citetags">&gt; </span>
    114. 

  114. <span class="moz-txt-citetags">&gt; </span>Lastly, the appropriate rules allowing incoming traffic on the selected
    115. 

  115. <span class="moz-txt-citetags">&gt; </span>port from the previous hop should be added directly yo the 'personal'
    116. 

  116. <span class="moz-txt-citetags">&gt; </span>domain. However I see that there the nft ruleset is empty, while
    117. 

  117. <span class="moz-txt-citetags">&gt; </span>iptables seems indeed to be in use. I guess that those rules are the
    118. 

  118. <span class="moz-txt-citetags">&gt; </span>ones specified in qubes-core-agent-linux/network/iptables, however I am
    119. 

  119. <span class="moz-txt-citetags">&gt; </span>wondering how we should proceed on this one?
    120. 

  120. </pre></blockquote><pre wrap class="moz-quote-pre">
    121. 

  121. 

  122. Ok, this indeed is an issue with mixed iptables / nft usage. For the
    123. 

  123. purpose of this project, since there isn't much time left, you can
    124. 

  124. simply stop 'iptables' service in the 'personal' VM - and document
    125. 

  125. this as a manual step needed. This will become unnecessary when iptables
    126. 

  126. rules will be migrated to nft. 
    127. 

  127. 

  128. But there is also another issue: the qubes-firewall daemon is currently
    129. 

  129. not started if a VM doesn't provide network. So, it isn't started in
    130. 

  130. 'personal' VM here. 
    131. 

  131. 

  132. </pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
    133. 

  133. <span class="moz-txt-citetags">&gt; </span>Also are you able to spot errors or something missing in the
    134. 

  134. <span class="moz-txt-citetags">&gt; </span>aforedescribed rule flow? When testing I can see the incoming connection
    135. 

  135. <span class="moz-txt-citetags">&gt; </span>on port 22 of the physical interface of sys-net, but then I am losing
    136. 

  136. <span class="moz-txt-citetags">&gt; </span>track of the connection after that...
    137. 

  137. </pre></blockquote><pre wrap class="moz-quote-pre">
    138. 

  138. 

  139. See above - the interface name. You may also like to see this:
    140. 

  140. <a class="moz-txt-link-freetext" href="https://wiki.nftables.org/wiki-nftables/index.php/Ruleset_debug/tracing">https://wiki.nftables.org/wiki-nftables/index.php/Ruleset_debug/tracing</a>
    141. 

  141. 

  142. <div class="moz-txt-sig">-- 
    143. 

  143. Best Regards,
    144. 

  144. Marek Marczykowski-Górecki
    145. 

  145. Invisible Things Lab
    146. 

  146. </div></pre></div></body>
    147. 

  147. </html>
    148. 

  148. </table></div>
    149.