Fixes #863 (closed)
Fixes #835 (closed)
The solution was to add a RETURN in nat/bitmask for every gateway IP.
I haven't tested the Qubes OS code path. Now, when connected, the nat rules look like this:
pea@linbox:pkg $ iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 206 packets, 38107 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 206 packets, 38107 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 702 packets, 136K bytes)
pkts bytes target prot opt in out source destination
35 3488 bitmask 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 719 packets, 111K bytes)
pkts bytes target prot opt in out source destination
34 3448 bitmask_postrouting 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain bitmask (1 references)
pkts bytes target prot opt in out source destination
1 42 RETURN 0 -- * * 0.0.0.0/0 163.172.211.109
0 0 RETURN 0 -- * * 0.0.0.0/0 51.158.144.31
0 0 RETURN 0 -- * * 0.0.0.0/0 51.158.144.32
0 0 ACCEPT 17 -- * * 0.0.0.0/0 127.0.1.1 udp dpt:53
0 0 ACCEPT 17 -- * * 0.0.0.0/0 127.0.0.1 udp dpt:53
11 818 ACCEPT 17 -- * * 0.0.0.0/0 127.0.0.53 udp dpt:53
0 0 DNAT 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 to:10.41.0.1:53
0 0 DNAT 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 to:10.41.0.1:53
Chain bitmask_postrouting (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE 17 -- * * 0.0.0.0/0 10.41.0.1 udp dpt:53
0 0 MASQUERADE 6 -- * * 0.0.0.0/0 10.41.0.1 tcp dpt:53
DBG Executing bitmask-root cmd="/usr/sbin/bitmask-root firewall start 51.15.9.205 ..."
nc -v -u 51.15.9.205 53
tcpdump -ni any port 53
iptables-save -t nat
iptables -vnL -t nat --line-numbers
iptables -t nat -D bitmask 4 (delete line 4)
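The ordering in the nat/bitmask chain listing above is the whole point of the fix: the per-gateway RETURN rules sit before the catch-all port-53 DNAT, so packets addressed to a gateway are never rewritten to the VPN resolver, while everything else on port 53 still is. The script below is an added example, not the bitmask-root code from this project: it regenerates that rule set for a given VPN DNS address and gateway list and, by default, only prints the iptables commands (set IPT=iptables to apply them as root). The function names, the IPT variable and the sample addresses are assumptions for the example; the chain names and the local resolvers are taken from the listing.

```shell
#!/bin/sh
# Added example (not bitmask-root's own code): emit the nat/bitmask rule set in
# the order shown in the listing. IPT defaults to echo so the script runs
# without privileges; IPT=iptables applies the rules for real.
IPT="${IPT:-echo}"

# $1 = VPN-side resolver (e.g. 10.41.0.1), remaining args = gateway IPs.
# The per-gateway RETURNs must come before the catch-all DNAT: a gateway that
# listens on udp/53 would otherwise have the tunnel's own packets redirected.
bitmask_nat_rules() {
  vpn_dns="$1"; shift
  $IPT -t nat -N bitmask
  $IPT -t nat -N bitmask_postrouting
  for gw in "$@"; do
    $IPT -t nat -A bitmask -d "$gw" -j RETURN
  done
  # Local stub resolvers stay untouched (matches the ACCEPT rules above).
  for local_resolver in 127.0.1.1 127.0.0.1 127.0.0.53; do
    $IPT -t nat -A bitmask -p udp --dport 53 -d "$local_resolver" -j ACCEPT
  done
  # Everything else on port 53 is redirected to the VPN resolver.
  $IPT -t nat -A bitmask -p udp --dport 53 -j DNAT --to-destination "$vpn_dns:53"
  $IPT -t nat -A bitmask -p tcp --dport 53 -j DNAT --to-destination "$vpn_dns:53"
  $IPT -t nat -A bitmask_postrouting -p udp --dport 53 -d "$vpn_dns" -j MASQUERADE
  $IPT -t nat -A bitmask_postrouting -p tcp --dport 53 -d "$vpn_dns" -j MASQUERADE
  $IPT -t nat -A OUTPUT -j bitmask
  $IPT -t nat -A POSTROUTING -j bitmask_postrouting
}

# Sanity check on the dry-run output: returns 0 only if at least one RETURN
# rule is emitted and the first of them precedes the first DNAT rule.
returns_precede_dnat() {
  out="$(bitmask_nat_rules "$@")"
  first_return=$(printf '%s\n' "$out" | grep -n -- '-j RETURN' | head -1 | cut -d: -f1)
  first_dnat=$(printf '%s\n' "$out" | grep -n -- '-j DNAT' | head -1 | cut -d: -f1)
  [ -n "$first_return" ] && [ -n "$first_dnat" ] && [ "$first_return" -lt "$first_dnat" ]
}

# Example invocation with the addresses from the listing (constructed sample):
#   bitmask_nat_rules 10.41.0.1 163.172.211.109 51.158.144.31 51.158.144.32
```

Running it with IPT unset prints the rules so the ordering can be reviewed before anything touches the kernel; with the RETURN loop removed, returns_precede_dnat fails, which is exactly the state the fix corrects.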