[bitmask-root] Don't redirect udp/53 traffic to vpn gateways
Fixes #863 (closed)
Fixes #835 (closed)
The solution was to add a RETURN in nat/bitmask for every gateway IP.
I haven't tested the Qubes OS code path. Now, when connected, the nat rules look like this:
```
pea@linbox:pkg $ iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 206 packets, 38107 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 206 packets, 38107 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 702 packets, 136K bytes)
 pkts bytes target     prot opt in     out     source               destination
   35  3488 bitmask    0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 719 packets, 111K bytes)
 pkts bytes target     prot opt in     out     source               destination
   34  3448 bitmask_postrouting  0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain bitmask (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    42 RETURN     0    --  *      *       0.0.0.0/0            163.172.211.109
    0     0 RETURN     0    --  *      *       0.0.0.0/0            51.158.144.31
    0     0 RETURN     0    --  *      *       0.0.0.0/0            51.158.144.32
    0     0 ACCEPT     17   --  *      *       0.0.0.0/0            127.0.1.1            udp dpt:53
    0     0 ACCEPT     17   --  *      *       0.0.0.0/0            127.0.0.1            udp dpt:53
   11   818 ACCEPT     17   --  *      *       0.0.0.0/0            127.0.0.53           udp dpt:53
    0     0 DNAT       17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:10.41.0.1:53
    0     0 DNAT       6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 to:10.41.0.1:53

Chain bitmask_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE 17   --  *      *       0.0.0.0/0            10.41.0.1            udp dpt:53
    0     0 MASQUERADE 6    --  *      *       0.0.0.0/0            10.41.0.1            tcp dpt:53
```
Testing
- Check the log output:
  ```
  DBG Executing bitmask-root cmd="/usr/sbin/bitmask-root firewall start 51.15.9.205 ..."
  ```
- Generate traffic:
  ```
  nc -v -u 51.15.9.205 53
  ```
- Watch it:
  ```
  tcpdump -ni any port 53
  ```

Before, you saw traffic to the DNS server (always 10.41.0.1). Now you will see "Connection to 51.15.9.205 53 port [udp/domain] succeeded!".
Some commands for debugging
```
iptables-save -t nat
iptables -vnL -t nat --line-numbers
iptables -t nat -D bitmask 4    # delete line 4
```
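As an added example (not part of this merge request and not bitmask-root's own code, which is Python): a POSIX shell script that emits the ruleset shown above in `iptables-restore` syntax for a given DNS address and gateway list, plus a static helper that reports which target the first matching rule in chain `bitmask` would hit for a udp/53 packet to a given destination. The addresses are the ones from the ruleset above; the function names `gen_nat_rules` and `first_target` are this example's own. The point it makes runnable is the one the fix depends on: the gateway RETURNs must sit above the catch-all DNAT, because the chain is walked top to bottom.

```shell
#!/bin/sh
# Added example, not bitmask-root's own code: build the nat ruleset shown in
# the MR description (RETURN for each gateway, then the loopback ACCEPTs, then
# the udp/tcp 53 DNAT to the VPN DNS address) in iptables-restore syntax.
# Addresses are taken from the ruleset above; function names are this
# example's own.

emit() { printf '%s\n' "$*"; }

# gen_nat_rules DNS_IP GATEWAY_IP...
gen_nat_rules() {
    dns="$1"; shift
    emit '*nat'
    emit ':bitmask - [0:0]'
    emit ':bitmask_postrouting - [0:0]'
    emit -A OUTPUT -j bitmask
    emit -A POSTROUTING -j bitmask_postrouting
    # Order matters: a chain is evaluated top to bottom, so the gateway RETURNs
    # must come before the catch-all DNAT, otherwise udp/53 traffic to a
    # gateway is rewritten to the DNS address (the behaviour this MR removes).
    for gw in "$@"; do
        emit -A bitmask -d "$gw" -j RETURN
    done
    for lo in 127.0.1.1 127.0.0.1 127.0.0.53; do
        emit -A bitmask -d "$lo" -p udp --dport 53 -j ACCEPT
    done
    emit -A bitmask -p udp --dport 53 -j DNAT --to-destination "$dns:53"
    emit -A bitmask -p tcp --dport 53 -j DNAT --to-destination "$dns:53"
    emit -A bitmask_postrouting -d "$dns" -p udp --dport 53 -j MASQUERADE
    emit -A bitmask_postrouting -d "$dns" -p tcp --dport 53 -j MASQUERADE
    emit COMMIT
}

# first_target RULES DEST_IP: static walk of chain bitmask for a udp/53 packet
# to DEST_IP; prints the -j target of the first rule that would match.
# -p/--dport are not evaluated: every rule in the chain that carries them is
# udp/53 except the tcp DNAT, which sits after the udp one, so the result is
# the same as for a real udp/53 packet.
first_target() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 == "-A" && $2 == "bitmask" {
            if ($3 != "-d" || $4 == ip) {
                for (i = 1; i <= NF; i++) if ($i == "-j") { print $(i+1); exit }
            }
        }'
}

# Demo with the DNS address and gateways from the ruleset above.
rules=$(gen_nat_rules 10.41.0.1 163.172.211.109 51.158.144.31 51.158.144.32)
printf '%s\n' "$rules"
echo "gateway  -> $(first_target "$rules" 163.172.211.109)"   # RETURN
echo "resolver -> $(first_target "$rules" 127.0.0.53)"        # ACCEPT
echo "other    -> $(first_target "$rules" 8.8.8.8)"           # DNAT
```

The script only prints text; to load it on a real host you would pipe it to `iptables-restore -n` (`--noflush`) so the rest of the nat table is left alone, and review it first, since it does nothing about rules that are already present. Swapping the `for gw` loop below the DNAT lines and re-running the demo is a quick way to see the original bug reproduce: the gateway then reports `DNAT` instead of `RETURN`.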