refactor: pihole nft rules for Qubes 4.2

Ben Grande 2023-12-26 19:46:35 +01:00
parent 224d2d5f69
commit 6a551eba67
9 changed files with 56 additions and 143 deletions


@ -0,0 +1,7 @@
# SPDX-FileCopyrightText: 2023 unman <unman@thirdeyesecurity.org>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
# vim: ft=dnsmasq
interface=lo
bind-interfaces
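Review bot: The `interface=lo` / `bind-interfaces` pair is load-bearing for the whole design — the resolver is only reachable through the `dnat to 127.0.0.1` rules and the per-vif route_localnet setting shown elsewhere in this commit — but the file does not say so, and a later edit widening it to another interface would silently change what the nft accept rules are relied upon to gate. A comment above the two directives would keep that intent visible: `# Listen on loopback only: client qubes reach this resolver through the dnat-dns rules in qubes-firewall.d/50-sys-pihole (127.0.0.1) plus route_localnet=1 on each vif`. Whether the installed FTL build reads this drop-in and how the `00-` prefix orders against its own snippet is not visible here and worth confirming once on a provisioned qube.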


@ -7,4 +7,9 @@
set -eu
nft -f /rw/config/network-hooks.d/flush
nft -f /rw/config/qubes-firewall.d/50-sys-pihole
for vif in /proc/sys/net/ipv4/conf/vif*/route_localnet; do
test -w "${vif}" || continue
echo 1 | tee "${vif}" >/dev/null
done
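Review bot: `nft -f /rw/config/network-hooks.d/flush` on the third line refers to a file this commit deletes (the `flush chain … dnat-dns` file further down the page), so if that line survives on the new side — the rendered view does not show which of these lines were removed — `set -eu` aborts the script on the missing file before the route_localnet loop runs; if it is removed as intended, note that on an already provisioned qube the old `flush`, `flush.sh`, `60-sys-pihole-internalise`, `50-sys-pihole-filter` and `70-sys-pihole-nat` files remain in /rw/config and presumably keep being executed unless a `file.absent` state cleans them up. The loop only sets route_localnet on vifs that exist at run time, so the script depends on being re-run for every vif attach; a comment such as `# Run on every vif attach: the dnat-dns rules in 50-sys-pihole target 127.0.0.1, which the kernel only routes from a vif when route_localnet=1` would document that expectation. `echo 1 | tee "${vif}" >/dev/null` can simply be `echo 1 > "${vif}"`. The script's first six lines are outside the hunk.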


@ -1,13 +0,0 @@
#!/usr/sbin/nft -f
# SPDX-FileCopyrightText: 2022 - 2023 unman <unman@thirdeyesecurity.org>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
flush chain ip qubes dnat-dns
flush chain ip6 qubes dnat-dns
insert rule ip qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
insert rule ip qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
insert rule ip6 qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
insert rule ip6 qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1


@ -1,9 +0,0 @@
# SPDX-FileCopyrightText: 2022 - 2023 unman <unman@thirdeyesecurity.org>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
auto eth0
iface eth0 inet static
address
netmask 255.0.0.0
gateway


@ -0,0 +1,29 @@
#!/usr/sbin/nft -f
# vim: ft=nftables
# SPDX-FileCopyrightText: 2022 - 2023 unman <unman@thirdeyesecurity.org>
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
add chain ip6 qubes dnat-dns { type nat hook prerouting priority dstnat; policy accept; }
flush chain ip qubes dnat-dns
flush chain ip6 qubes dnat-dns
insert rule ip qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
insert rule ip qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
insert rule ip6 qubes dnat-dns iifname "vif*" tcp dport 53 dnat to ::1
insert rule ip6 qubes dnat-dns iifname "vif*" udp dport 53 dnat to ::1
flush chain ip qubes custom-forward
flush chain ip6 qubes custom-forward
insert rule ip qubes custom-forward tcp dport 53 drop
insert rule ip qubes custom-forward udp dport 53 drop
insert rule ip6 qubes custom-forward tcp dport 53 drop
insert rule ip6 qubes custom-forward udp dport 53 drop
flush chain ip qubes custom-input
flush chain ip6 qubes custom-input
insert rule ip qubes custom-input iifname "vif*" tcp dport 53 accept
insert rule ip qubes custom-input iifname "vif*" udp dport 53 accept
insert rule ip6 qubes custom-input iifname "vif*" tcp dport 53 accept
insert rule ip6 qubes custom-input iifname "vif*" udp dport 53 accept
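Review bot: The two ip6 `dnat to ::1` rules have no IPv6 counterpart to the route_localnet sysctl that the network hook enables for the 127.0.0.1 target — as far as I know the kernel offers none — so packets redirected to ::1 from a vif may be dropped instead of reaching the resolver; either verify it from a client with IPv6 enabled or state in the file that IPv6 DNS from clients is not expected to work. `add chain ip6 qubes dnat-dns { … }` deserves a comment on why only the ip6 chain is created here (presumably Qubes 4.2 provides the ip one, and the following `flush chain` would otherwise fail), and the `flush chain … custom-input` / `custom-forward` lines discard any other user rules in those chains, which is acceptable for a dedicated qube but should be written down. Restricting the custom-input accepts to `iifname "vif*"` keeps port 53 closed towards the uplink, which is the right scope.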


@ -1,18 +0,0 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2022 - 2023 unman <unman@thirdeyesecurity.org>
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
set -eu
nft insert rule ip qubes custom-forward tcp dport 53 drop
nft insert rule ip qubes custom-forward udp dport 53 drop
## TODO: Is this working?
handle="$(nft -a list table qubes |
awk 'BEGIN{c0} /related,established/{c++; if (c==1) print $NF}')"
nft add rule ip qubes custom-input position "$handle" iifname "vif*" tcp dport 53 accept
nft add rule ip qubes custom-input position "$handle" iifname "vif*" udp dport 53 accept


@ -1,15 +0,0 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2022 - 2023 unman <unman@thirdeyesecurity.org>
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
set -eu
for vif in /proc/sys/net/ipv4/conf/vif*; do
test -d "${vif}" || continue
test -f "${vif}/route_localnet" || continue
test -w "${vif}/route_localnet" || continue
echo 1 | tee "${vif}/route_localnet"
done


@ -1,18 +0,0 @@
#!/usr/sbin/nft -f
# SPDX-FileCopyrightText: 2022 - 2023 unman <unman@thirdeyesecurity.org>
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
#flush chain nat PR-QBS
#insert rule nat PR-QBS iifname "vif*" tcp dport 53 dnat to 127.0.0.1
#insert rule nat PR-QBS iifname "vif*" udp dport 53 dnat to 127.0.0.1
flush chain ip qubes dnat-dns
flush chain ip6 qubes dnat-dns
insert rule ip qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
insert rule ip qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
insert rule ip6 qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
insert rule ip6 qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1


@ -12,37 +12,6 @@ SPDX-License-Identifier: AGPL-3.0-or-later
include:
- dotfiles.copy-x11
{% set qubes_ip = salt['cmd.shell']('qubesdb-read /qubes-ip') %}
{% set qubes_gateway = salt['cmd.shell']('qubesdb-read /qubes-gateway') %}
"{{ slsdotpath }}-set-eth0-interface":
file.managed:
- name: /etc/network/interfaces.d/eth0
- source: salt://{{ slsdotpath }}/files/server/network/eth0
- mode: '0644'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-set-ip":
file.line:
- name: /etc/network/interfaces.d/eth0
- match: address
- mode: replace
- content: "address {{ qubes_ip }}"
"{{ slsdotpath }}-set-gateway":
file.line:
- name: /etc/network/interfaces.d/eth0
- match: gateway
- mode: replace
- content: "gateway {{ qubes_gateway }}"
"{{ slsdotpath }}-restart-networking":
cmd.run:
- name: systemctl restart networking
- runas: root
"{{ slsdotpath }}-updated":
pkg.uptodate:
- refresh: True
@ -71,6 +40,7 @@ include:
- php-sqlite3
- php-xml
- unzip
- bash-completion
"{{ slsdotpath }}-disable-external-admin-interface":
file.managed:
@ -152,57 +122,32 @@ include:
- cwd: '/root/pi-hole/automated install'
- runas: root
"{{ slsdotpath }}-firewall-nat":
"{{ slsdotpath }}-firewall":
file.managed:
- name: /rw/config/qubes-firewall.d/70-sys-pihole-nat
- source: salt://{{ slsdotpath }}/files/server/qubes-firewall.d/70-sys-pihole-nat
- name: /rw/config/qubes-firewall.d/50-sys-pihole
- source: salt://{{ slsdotpath }}/files/server/qubes-firewall.d/50-sys-pihole
- mode: '0755'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-firewall-filter":
"{{ slsdotpath }}-network-hooks":
file.managed:
- name: /rw/config/qubes-firewall.d/50-sys-pihole-filter
- source: salt://{{ slsdotpath }}/files/server/qubes-firewall.d/50-sys-pihole-filter
- mode: '0755'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-firewall-internalise":
file.managed:
- name: /rw/config/network-hooks.d/60-sys-pihole-internalise
- source: salt://{{ slsdotpath }}/files/server/qubes-firewall.d/60-sys-pihole-internalise
- mode: '0755'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-firewall-flush":
file.managed:
- name: /rw/config/network-hooks.d/flush.sh
- source: salt://{{ slsdotpath }}/files/server/network-hooks.d/flush.sh
- mode: '0755'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-firewall-flush-rules":
file.managed:
- name: /rw/config/network-hooks.d/flush
- source: salt://{{ slsdotpath }}/files/server/network-hooks.d/flush
- name: /rw/config/network-hooks.d/50-sys-pihole.sh
- source: salt://{{ slsdotpath }}/files/server/network-hooks.d/50-sys-pihole.sh
- mode: '0755'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-dnsmasq":
file.prepend:
- name: /etc/dnsmasq.conf
- text:
- interface=lo
- bind-interfaces
file.managed:
- name: /etc/dnsmasq.d/00-pihole.conf
- source: salt://{{ slsdotpath }}/files/server/dnsmasq.d/00-pihole.conf
- mode: '0644'
- user: root
- group: root
- makedirs: True
"{{ slsdotpath }}-desktop-application-browser":
file.managed: