From 1a02c6a9098d441e5f10aa117a8f58c27454173e Mon Sep 17 00:00:00 2001 From: "Dr. Gerhard Weck" Date: Sun, 8 May 2022 13:13:31 +0200 Subject: [PATCH 1/6] Clarify use of IP addresses for frowarding --- user/security-in-qubes/firewall.md | 48 +++++++++++++++++------------- 1 file changed, 27 insertions(+), 21 deletions(-) diff --git a/user/security-in-qubes/firewall.md b/user/security-in-qubes/firewall.md index b122afca..06601340 100644 --- a/user/security-in-qubes/firewall.md +++ b/user/security-in-qubes/firewall.md 
@@ -268,22 +268,24 @@ Note the IP addresses you will need. **2. Route packets from the outside world to the FirewallVM** +For the following example, we assume that the physical interface eth0 in sys-net has the IP address 192.168.x.y and that the IP adress of sys-firewall is 10.137.1.z. + In the sys-net VM's Terminal, code a natting firewall rule to route traffic on the outside interface for the service to the sys-firewall VM ``` -iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 192.168.x.x -j DNAT --to-destination 10.137.1.x +iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 192.168.x.y -j DNAT --to-destination 10.137.1.z ``` Code the appropriate new filtering firewall rule to allow new connections for the service ``` -iptables -I FORWARD 2 -i eth0 -d 10.137.1.x -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT +iptables -I FORWARD 2 -i eth0 -d 10.137.1.z -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT ``` > If you want to expose the service on multiple interfaces, repeat the steps described in part 1 for each interface. > In Qubes R4, at the moment ([QubesOS/qubes-issues#3644](https://github.com/QubesOS/qubes-issues/issues/3644)), nftables is also used which imply that additional rules need to be set in a `qubes-firewall` nft table with a forward chain. -`nft add rule ip qubes-firewall forward meta iifname eth0 ip daddr 10.137.0.x tcp dport 443 ct state new counter accept` +`nft add rule ip qubes-firewall forward meta iifname eth0 ip daddr 10.137.1.z tcp dport 443 ct state new counter accept` Verify you are cutting through the sys-net VM firewall by looking at its counters (column 2) @@ -301,7 +303,7 @@ nft list table ip qubes-firewall Send a test packet by trying to connect to the service from an external device ``` -telnet 192.168.x.x 443 +telnet 192.168.x.y 443 ``` Once you have confirmed that the counters increase, store these command in `/rw/config/rc.local` so they get set on sys-net start-up 
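Review bot: the placeholder legend added at the top of step 2 (`192.168.x.y` for eth0 in sys-net, `10.137.1.z` for sys-firewall) is restated in steps 3 and 4 with a third placeholder, `10.137.0.xx`, for the target qube; since the page already tells the reader to "Note the IP addresses you will need", one legend there listing all three placeholders once would be clearer than three partial legends, and would make it obvious that the `DNAT --to-destination 10.137.1.z` in this hunk and the `-d 10.137.1.z` in the sys-firewall PREROUTING rule of step 3 refer to the same address. The change itself (aligning the nft `ip daddr` with the iptables `DNAT` target, previously `10.137.0.x` versus `10.137.1.x`) is correct.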
@@ -320,8 +322,8 @@ sudo nano /rw/config/rc.local # Create a new firewall natting chain for my service if iptables -w -t nat -N MY-HTTPS; then -# Add a natting rule if it did not exit (to avoid cluter if script executed multiple times) - iptables -w -t nat -A MY-HTTPS -j DNAT --to-destination 10.137.1.x +# Add a natting rule if it did not exist (to avoid clutter if script executed multiple times) + iptables -w -t nat -A MY-HTTPS -j DNAT --to-destination 10.137.1.z fi @@ -330,7 +332,7 @@ fi if ! iptables -w -t nat -n -L PREROUTING | grep --quiet MY-HTTPS; then # add a natting rule for the traffic (same reason) - iptables -w -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 192.168.0.x -j MY-HTTPS + iptables -w -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 192.168.x.y -j MY-HTTPS fi @@ -340,7 +342,7 @@ fi # Create a new firewall filtering chain for my service if iptables -w -N MY-HTTPS; then -# Add a filtering rule if it did not exit (to avoid cluter if script executed multiple times) +# Add a filtering rule if it did not exist (to avoid clutter if script executed multiple times) iptables -w -A MY-HTTPS -s 192.168.x.0/24 -j ACCEPT fi @@ -349,7 +351,7 @@ fi if ! iptables -w -n -L FORWARD | grep --quiet MY-HTTPS; then # add a forward rule for the traffic (same reason) - iptables -w -I FORWARD 2 -d 10.137.1.x -p tcp --dport 443 -m conntrack --ctstate NEW -j MY-HTTPS + iptables -w -I FORWARD 2 -d 10.137.1.z -p tcp --dport 443 -m conntrack --ctstate NEW -j MY-HTTPS fi ~~~ 
@@ -364,23 +366,25 @@ fi if nft -nn list table ip qubes-firewall | grep "tcp dport 443 ct state new"; then # Add a filtering rule - nft add rule ip qubes-firewall forward meta iifname eth0 ip daddr 10.137.0.x tcp dport 443 ct state new counter accept + nft add rule ip qubes-firewall forward meta iifname eth0 ip daddr 10.137.1.z tcp dport 443 ct state new counter accept fi ~~~ **3. Route packets from the FirewallVM to the VM** +For the following example, we use the fact that the physical interface of sys-firewall, facing sys-net, is eth0. Furthermore, we assume that the target VM running the web server has the IP address 10.137.0.xx and that the IP adress of sys-firewall is 10.137.1.z. + In the sys-firewall VM's Terminal, code a natting firewall rule to route traffic on its outside interface for the service to the qube ``` -iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 10.137.1.x -j DNAT --to-destination 10.137.2.y +iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 10.137.1.z -j DNAT --to-destination 10.137.0.xx ``` Code the appropriate new filtering firewall rule to allow new connections for the service ``` -iptables -I FORWARD 2 -i eth0 -s 192.168.x.0/24 -d 10.137.2.y -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT +iptables -I FORWARD 2 -i eth0 -s 192.168.x.0/24 -d 10.137.0.xx -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT ``` > Note: If you do not wish to limit the IP addresses connecting to the service, remove the ` -s 192.168.0.1/24 ` 
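Review bot: the guard around the nft rule in the sys-net `rc.local` block is inverted: `if nft -nn list table ip qubes-firewall | grep "tcp dport 443 ct state new"; then` only adds the rule when it is already present, so on a fresh sys-net start the `nft add rule ... ip daddr 10.137.1.z tcp dport 443 ct state new counter accept` line never runs; it should read `if ! nft -nn list table ip qubes-firewall | grep ...; then`, as the equivalent block in `/rw/config/qubes-firewall-user-script` later in this patch already does. Since this hunk touches the rule line, fixing the condition in the same commit avoids shipping a script that silently does nothing. Separately, the trailing note in this hunk still says to remove ` -s 192.168.0.1/24 ` while the rule above it uses `-s 192.168.x.0/24`; update the note to the same placeholder.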
@@ -388,7 +392,7 @@ iptables -I FORWARD 2 -i eth0 -s 192.168.x.0/24 -d 10.137.2.y -p tcp --dport 443 > Note: On Qubes R4 ``` -nft add rule ip qubes-firewall forward meta iifname eth0 ip saddr 192.168.x.0/24 ip daddr 10.137.0.y tcp dport 443 ct state new counter accept +nft add rule ip qubes-firewall forward meta iifname eth0 ip saddr 192.168.x.0/24 ip daddr 10.137.0.xx tcp dport 443 ct state new counter accept ``` Once you have confirmed that the counters increase, store these command in `/rw/config/qubes-firewall-user-script` @@ -407,8 +411,8 @@ sudo nano /rw/config/qubes-firewall-user-script # Create a new firewall natting chain for my service if iptables -w -t nat -N MY-HTTPS; then -# Add a natting rule if it did not exit (to avoid cluter if script executed multiple times) - iptables -w -t nat -A MY-HTTPS -j DNAT --to-destination 10.137.2.y +# Add a natting rule if it did not exist (to avoid clutter if script executed multiple times) + iptables -w -t nat -A MY-HTTPS -j DNAT --to-destination 10.137.0.xx fi @@ -417,7 +421,7 @@ fi if ! iptables -w -t nat -n -L PREROUTING | grep --quiet MY-HTTPS; then # add a natting rule for the traffic (same reason) - iptables -w -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 10.137.1.x -j MY-HTTPS + iptables -w -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 10.137.1.z -j MY-HTTPS fi @@ -427,7 +431,7 @@ fi # Create a new firewall filtering chain for my service if iptables -w -N MY-HTTPS; then -# Add a filtering rule if it did not exit (to avoid cluter if script executed multiple times) +# Add a filtering rule if it did not exist (to avoid clutter if script executed multiple times) iptables -w -A MY-HTTPS -s 192.168.x.0/24 -j ACCEPT fi 
@@ -436,7 +440,7 @@ fi if ! iptables -w -n -L FORWARD | grep --quiet MY-HTTPS; then # add a forward rule for the traffic (same reason) - iptables -w -I FORWARD 4 -d 10.137.2.y -p tcp --dport 443 -m conntrack --ctstate NEW -j MY-HTTPS + iptables -w -I FORWARD 4 -d 10.137.0.xx -p tcp --dport 443 -m conntrack --ctstate NEW -j MY-HTTPS fi @@ -447,7 +451,7 @@ fi if ! nft -nn list table ip qubes-firewall | grep "tcp dport 443 ct state new"; then # Add a filtering rule - nft add rule ip qubes-firewall forward meta iifname eth0 ip saddr 192.168.x.0/24 ip daddr 10.137.0.y tcp dport 443 ct state new counter accept + nft add rule ip qubes-firewall forward meta iifname eth0 ip saddr 192.168.x.0/24 ip daddr 10.137.0.xx tcp dport 443 ct state new counter accept fi ~~~ @@ -458,6 +462,8 @@ Finally make this file executable (so it runs at every Firewall VM update) sudo chmod +x /rw/config/qubes-firewall-user-script ~~~ +If the service should be available to other VMs on the same system, do not forget to specifiy the additional rules described above. + **4. Allow packets into the qube to reach the service** Here no routing is required, only filtering. @@ -474,7 +480,7 @@ sudo name /rw/config/rc.local # Create a new firewall filtering chain for my service if iptables -w -N MY-HTTPS; then -# Add a filtering rule if it did not exit (to avoid cluter if script executed multiple times) +# Add a filtering rule if it did not exist (to avoid clutter if script executed multiple times) iptables -w -A MY-HTTPS -j ACCEPT fi @@ -483,7 +489,7 @@ fi if ! iptables -w -n -L INPUT | grep --quiet MY-HTTPS; then # add a forward rule for the traffic (same reason) - iptables -w -I INPUT 5 -d 10.137.2.x -p tcp --dport 443 -m conntrack --ctstate NEW -j MY-HTTPS + iptables -w -I INPUT 5 -d 10.137.1.z -p tcp --dport 443 -m conntrack --ctstate NEW -j MY-HTTPS fi ~~~ From c86d57e44bfdfbe49efe52971530661985e8f812 Mon Sep 17 00:00:00 2001 
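Review bot: the step 4 `INPUT` rule is changed to `-d 10.137.1.z`, but after the `DNAT --to-destination 10.137.0.xx` in sys-firewall the packet that reaches the target qube carries the qube's own address as destination, so an `INPUT` rule matching the sys-firewall address will never hit; this is exactly the doubt raised in the PATCH 2 message and corrected in PATCH 3, so those commits should be squashed into this one rather than landing a broken intermediate state. Two smaller points in the same region: the context line `sudo name /rw/config/rc.local` is a typo for `nano` (also fixed later in the series), and the added sentence "do not forget to specify the additional rules described above" does not say which rules; the sys-firewall `FORWARD` and nft `forward` rules match `iifname eth0` and `saddr 192.168.x.0/24`, so clients in other qubes (arriving on a different interface with a `10.137.x.x` source) would be dropped unless those two matches are widened, and the sentence should name them.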
From: "Dr. Gerhard Weck" Date: Fri, 13 May 2022 13:25:54 +0200 Subject: [PATCH 2/6] Add explanation for firewall rule in target VM Is it really the firewall address in the rule of the target VM? Or, instead, the originating address of the web access? --- user/security-in-qubes/firewall.md | 1 + 1 file changed, 1 insertion(+) diff --git a/user/security-in-qubes/firewall.md b/user/security-in-qubes/firewall.md index 06601340..55d4155f 100644 --- a/user/security-in-qubes/firewall.md +++ b/user/security-in-qubes/firewall.md @@ -468,6 +468,7 @@ If the service should be available to other VMs on the same system, do not forge Here no routing is required, only filtering. Proceed in the same way as above but store the filtering rule in the `/rw/config/rc.local` script. +For the following example, we assume that the IP adress of sys-firewall is 10.137.1.z. ``` sudo name /rw/config/rc.local From a072318fe4bc31e3ea1d8cad54c018ebe0740f77 Mon Sep 17 00:00:00 2001 From: "Dr. Gerhard Weck" Date: Sat, 28 May 2022 13:03:29 +0200 Subject: [PATCH 3/6] IP address use for forwarding external requests --- user/security-in-qubes/firewall.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/user/security-in-qubes/firewall.md b/user/security-in-qubes/firewall.md index 55d4155f..eba39223 100644 --- a/user/security-in-qubes/firewall.md +++ b/user/security-in-qubes/firewall.md @@ -468,10 +468,10 @@ If the service should be available to other VMs on the same system, do not forge Here no routing is required, only filtering. Proceed in the same way as above but store the filtering rule in the `/rw/config/rc.local` script. -For the following example, we assume that the IP adress of sys-firewall is 10.137.1.z. +For the following example, we assume that the target VM running the web server has the IP address 10.137.0.xx ``` -sudo name /rw/config/rc.local +sudo nano /rw/config/rc.local ``` ~~~ 
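Review bot: PATCH 2 adds the assumption "the IP adress of sys-firewall is 10.137.1.z" to step 4 and PATCH 3 replaces it with "the target VM running the web server has the IP address 10.137.0.xx" a few commits later; the first version is the wrong address for an `INPUT` rule inside the target qube (the DNAT in sys-firewall rewrites the destination to the qube's own address), so the two commits should be squashed so that only the corrected wording appears in history, together with the `sudo name` to `sudo nano` fix that PATCH 3 carries. The replacement sentence also lacks a trailing full stop.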
@@ -490,7 +490,7 @@ fi if ! iptables -w -n -L INPUT | grep --quiet MY-HTTPS; then # add a forward rule for the traffic (same reason) - iptables -w -I INPUT 5 -d 10.137.1.z -p tcp --dport 443 -m conntrack --ctstate NEW -j MY-HTTPS + iptables -w -I INPUT 5 -d 10.137.0.xx -p tcp --dport 443 -m conntrack --ctstate NEW -j MY-HTTPS fi ~~~ From de87082d1e65b8f2fc98862da08d7fe5bd3b23e8 Mon Sep 17 00:00:00 2001 From: "Dr. Gerhard Weck" Date: Sat, 28 May 2022 13:06:19 +0200 Subject: [PATCH 4/6] Clarify IP address usage for forwarding --- user/security-in-qubes/firewall.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user/security-in-qubes/firewall.md b/user/security-in-qubes/firewall.md index eba39223..9bf6993e 100644 --- a/user/security-in-qubes/firewall.md +++ b/user/security-in-qubes/firewall.md @@ -508,4 +508,4 @@ Firewall troubleshooting Firewall logs are stored in the systemd journal of the qube the firewall is running in (probably `sys-firewall`). You can view them by running `sudo journalctl -u qubes-firewall.service` in the relevant qube. -Sometimes these logs can contain useful information about errors that are preventing the firewall from behaving as you would expect. +Sometimes these logs can contain useful i nformation about errors that are preventing the firewall from behaving as you would expect. From 08c96879c589974da467b805996f79e218c1aac9 Mon Sep 17 00:00:00 2001 From: "Dr. Gerhard Weck" Date: Sat, 28 May 2022 13:08:00 +0200 Subject: [PATCH 5/6] Clarify IP address usage for forwading --- user/security-in-qubes/firewall.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user/security-in-qubes/firewall.md b/user/security-in-qubes/firewall.md index 9bf6993e..eba39223 100644 --- a/user/security-in-qubes/firewall.md +++ b/user/security-in-qubes/firewall.md 
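Review bot: PATCH 4 and PATCH 5 cancel each other out: PATCH 4 turns "information" into "i nformation" (index `eba39223..9bf6993e`) and PATCH 5 reverts it byte for byte (index `9bf6993e..eba39223`), and neither subject line ("Clarify IP address usage for forwarding") describes what the diff does. Both commits should be dropped from the series before merge so the history does not record a typo and its reversal.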
@@ -508,4 +508,4 @@ Firewall troubleshooting Firewall logs are stored in the systemd journal of the qube the firewall is running in (probably `sys-firewall`). You can view them by running `sudo journalctl -u qubes-firewall.service` in the relevant qube. -Sometimes these logs can contain useful i nformation about errors that are preventing the firewall from behaving as you would expect. +Sometimes these logs can contain useful information about errors that are preventing the firewall from behaving as you would expect. From e3e546a97ae65b3462855221a9bd01f7151f3163 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Mon, 30 May 2022 15:30:36 -0700 Subject: [PATCH 6/6] Fix typos --- user/security-in-qubes/firewall.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/user/security-in-qubes/firewall.md b/user/security-in-qubes/firewall.md index eba39223..0ac04125 100644 --- a/user/security-in-qubes/firewall.md +++ b/user/security-in-qubes/firewall.md @@ -268,7 +268,7 @@ Note the IP addresses you will need. **2. Route packets from the outside world to the FirewallVM** -For the following example, we assume that the physical interface eth0 in sys-net has the IP address 192.168.x.y and that the IP adress of sys-firewall is 10.137.1.z. +For the following example, we assume that the physical interface eth0 in sys-net has the IP address 192.168.x.y and that the IP address of sys-firewall is 10.137.1.z. In the sys-net VM's Terminal, code a natting firewall rule to route traffic on the outside interface for the service to the sys-firewall VM 
@@ -373,7 +373,7 @@ fi **3. Route packets from the FirewallVM to the VM** -For the following example, we use the fact that the physical interface of sys-firewall, facing sys-net, is eth0. Furthermore, we assume that the target VM running the web server has the IP address 10.137.0.xx and that the IP adress of sys-firewall is 10.137.1.z. +For the following example, we use the fact that the physical interface of sys-firewall, facing sys-net, is eth0. Furthermore, we assume that the target VM running the web server has the IP address 10.137.0.xx and that the IP address of sys-firewall is 10.137.1.z. In the sys-firewall VM's Terminal, code a natting firewall rule to route traffic on its outside interface for the service to the qube @@ -462,7 +462,7 @@ Finally make this file executable (so it runs at every Firewall VM update) sudo chmod +x /rw/config/qubes-firewall-user-script ~~~ -If the service should be available to other VMs on the same system, do not forget to specifiy the additional rules described above. +If the service should be available to other VMs on the same system, do not forget to specify the additional rules described above. **4. Allow packets into the qube to reach the service**
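Review bot: the three spelling fixes in PATCH 6 ("adress" to "address" twice, "specifiy" to "specify") all touch lines that PATCH 1 of this same series introduced, so they should be squashed into PATCH 1 rather than kept as a separate commit; with that done, the series reduces to a single documentation change (address placeholders made consistent across steps 2 to 4) plus the `nano` typo fix.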