Pi-hole - set networking

2024-10-01 01:25:41 -04:00 · 2022-08-05 14:07:16 +00:00 · 2022-08-05 14:07:16 +00:00 · dec10e8881
commit dec10e8881
parent 50fe621d86
3 changed files with 44 additions and 0 deletions
--- a/pihole/install.sls
+++ b/pihole/install.sls
@ -88,4 +88,35 @@ Pihole-setup:
  cmd.run:
    - name: '/root/pi-hole/automated\ install/basic-install.sh --unattended'

+/rw/config/qubes-firewall-user-script:
+  file.append:
+    text:
+      - nft flush chain nat PR-QBS
+      - nft insert rule nat PR-QBS iifname "vif*" tcp dport 53 dnat to 127.0.0.1
+      - nft insert rule nat PR-QBS iifname "vif*" udp dport 53 dnat to 127.0.0.1
+
+/rw/config/qubes-firewall.d/update_nft.sh:
+  file.managed:
+    - source:
+      - salt://pihole/update_nft.sh
+    - user: root
+    - group: root
+    - makedirs: True
+    - mode: 755
+
+/rw/config/network-hooks.d/internalise.sh:
+  file.managed:
+    - source:
+      - salt://pihole/internalise.sh
+    - user: root
+    - group: root
+    - makedirs: True
+    - mode: 755
+
+/etc/dnsmasq.conf:
+  file.prepend:
+    - text:
+      - interface=lo
+      - bind-interfaces
+
 {% endif %}
--- a/pihole/internalise.sh
+++ b/pihole/internalise.sh
@ -0,0 +1,3 @@
+#!/bin/sh
+/rw/config/qubes-firewall-user-script
+find /proc/sys/net/ipv4/conf -name "vif*" -exec bash -c 'echo 1 | sudo tee {}/route_localnet' \;
--- a/pihole/update_nft.sh
+++ b/pihole/update_nft.sh
@ -0,0 +1,10 @@
+cat /rw/config/qubes-firewall.d/update_nft.sh
+#!/bin/sh
+get_handle(){
+local my_handle=$( nft -a list table $1|awk 'BEGIN{c0} /related,established/{c++; if (c==1) print $NF}' )
+echo $my_handle
+}
+
+handle=$(get_handle filter)
+nft add rule filter INPUT position $handle iifname "vif*" tcp dport 53 accept
+nft add rule filter INPUT position $handle iifname "vif*" udp dport 53 accept