From dec10e8881c3316df0953a3f7cf36b9eca77ce70 Mon Sep 17 00:00:00 2001
From: unman
Date: Fri, 5 Aug 2022 14:07:16 +0000
Subject: [PATCH] Pi-hole - set networking

---
 pihole/install.sls | 31 +++++++++++++++++++++++++++++++
 pihole/internalise.sh | 3 +++
 pihole/update_nft.sh | 10 ++++++++++
 3 files changed, 44 insertions(+)
 create mode 100644 pihole/internalise.sh
 create mode 100644 pihole/update_nft.sh

diff --git a/pihole/install.sls b/pihole/install.sls
index 5acb132..6acb715 100644
--- a/pihole/install.sls
+++ b/pihole/install.sls
@@ -88,4 +88,35 @@ Pihole-setup:
   cmd.run:
     - name: '/root/pi-hole/automated\ install/basic-install.sh --unattended'
 
+/rw/config/qubes-firewall-user-script:
+  file.append:
+    text:
+      - nft flush chain nat PR-QBS
+      - nft insert rule nat PR-QBS iifname "vif*" tcp dport 53 dnat to 127.0.0.1
+      - nft insert rule nat PR-QBS iifname "vif*" udp dport 53 dnat to 127.0.0.1
+
+/rw/config/qubes-firewall.d/update_nft.sh:
+  file.managed:
+    - source:
+      - salt://pihole/update_nft.sh
+    - user: root
+    - group: root
+    - makedirs: True
+    - mode: 755
+
+/rw/config/network-hooks.d/internalise.sh:
+  file.managed:
+    - source:
+      - salt://pihole/internalise.sh
+    - user: root
+    - group: root
+    - makedirs: True
+    - mode: 755
+
+/etc/dnsmasq.conf:
+  file.prepend:
+    - text:
+      - interface=lo
+      - bind-interfaces
+
 {% endif %}
diff --git a/pihole/internalise.sh b/pihole/internalise.sh
new file mode 100644
index 0000000..0c49c78
--- /dev/null
+++ b/pihole/internalise.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+/rw/config/qubes-firewall-user-script
+find /proc/sys/net/ipv4/conf -name "vif*" -exec bash -c 'echo 1 | sudo tee {}/route_localnet' \;
diff --git a/pihole/update_nft.sh b/pihole/update_nft.sh
new file mode 100644
index 0000000..e9a26c3
--- /dev/null
+++ b/pihole/update_nft.sh
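Review bot: `text:` under `/rw/config/qubes-firewall-user-script: file.append:` is missing the list marker that every other argument in this hunk carries (`- source:`, and `- text:` under `/etc/dnsmasq.conf`); Salt's state compiler expects a function's arguments as a list and, as far as I recall, rejects a bare mapping with "is not formed as a list", so this state would fail to apply and the DNAT rules would never be appended. Change the line to `    - text:`. The appended `dnat to 127.0.0.1` rules only deliver traffic when `route_localnet` is enabled on the vif, which is done in the separate internalise.sh hook, so a comment recording that coupling would help whoever edits either file next, e.g. `# DNAT to 127.0.0.1 needs route_localnet=1 on vif* (set by network-hooks.d/internalise.sh)`. The enclosing Jinja block starts before this hunk.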
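Review bot: Setting `route_localnet=1` on every `vif*` interface makes anything bound to 127.0.0.1 in this qube reachable from downstream qubes, not only the DNS listener; the only thing narrowing that exposure is the INPUT filter, and the script should say so, e.g. `# route_localnet lets the PR-QBS DNAT to 127.0.0.1 be delivered; it also exposes every loopback-bound service to vif* unless the INPUT chain drops it`. `sudo` is redundant if, as I would expect for a network hook, the script already runs as root, and interpolating `{}` into a `bash -c` string is the usual fragile pattern; `-exec sh -c 'echo 1 > "$1/route_localnet"' _ {} \;` avoids both. The call to `/rw/config/qubes-firewall-user-script` has no comment; presumably it re-applies the PR-QBS DNAT rules when a vif is attached, and a one-liner such as `# re-run the firewall user script so the PR-QBS DNAT rules cover the new vif` would make that intent explicit.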
@@ -0,0 +1,10 @@
+cat /rw/config/qubes-firewall.d/update_nft.sh
+#!/bin/sh
+get_handle(){
+local my_handle=$( nft -a list table $1|awk 'BEGIN{c0} /related,established/{c++; if (c==1) print $NF}' )
+echo $my_handle
+}
+
+handle=$(get_handle filter)
+nft add rule filter INPUT position $handle iifname "vif*" tcp dport 53 accept
+nft add rule filter INPUT position $handle iifname "vif*" udp dport 53 accept
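Review bot: The first line of the new file, `cat /rw/config/qubes-firewall.d/update_nft.sh`, looks like a leftover from the terminal session it was pasted from: it pushes `#!/bin/sh` down to line 2, where it is only a comment, and prints the whole script to stdout on every firewall update, so it should be deleted. `get_handle` returns an empty string when no `related,established` rule is found, after which both `nft add rule filter INPUT position $handle …` lines fail with a syntax error and the port-53 accepts are never installed (fail-closed, but silently); the function also scans the whole table rather than the INPUT chain, so the first match may be a rule in another chain, and `BEGIN{c0}` is a no-op that was presumably meant to be `BEGIN{c=0}`. The rewrite below lists only `filter INPUT`, drops the no-op, and aborts with a message when no handle is found; the two `nft add rule` lines are unchanged. I believe `position` is documented as deprecated in nft in favour of `index`/`handle`, so it is worth checking which form the target release accepts.
```shell
#!/bin/sh
# Insert accept rules for DNS from downstream qubes ahead of the first
# related,established rule in filter INPUT.
get_handle(){
local my_handle=$( nft -a list chain "$1" INPUT | awk '/related,established/{c++; if (c==1) print $NF}' )
echo "$my_handle"
}

handle=$(get_handle filter)
[ -n "$handle" ] || { echo "update_nft.sh: no related,established rule in filter INPUT" >&2; exit 1; }
# … unchanged: the two nft add rule filter INPUT position $handle … accept lines …
```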