[bitmask-root] Don't redirect port 53 traffic of vpn gateways

This prevented VNP working on port 53 because the traffic was redirected to the DNS server.
leapcode · Oct 13, 2024 · f2f1e40 · f2f1e40
1 parent 452facb
commit f2f1e40
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/pkg/pickle/helpers/bitmask-root b/pkg/pickle/helpers/bitmask-root
@@ -730,15 +730,22 @@ def firewall_start(args):
     if QUBES_PROXY and QUBES_VER >= 3:
         # rewrite DNS packets for VPN DNS; Qubes preconfigures masquerade
         ip4tables("-t", "nat", "--flush", "PR-QBS")
+        for gateway in gateways:
+            ip4tables("-t", "nat", "--append", "PR-QBS", "--destination", gateway,
+                      "--jump", "RETURN")
         ip4tables("-t", "nat", "--append", "PR-QBS", "-p", "udp",
                   "--dport", "53", "--jump", "DNAT", "--to",
                   NAMESERVER + ":53")
         ip4tables("-t", "nat", "--append", "PR-QBS", "-p", "tcp",
                   "--dport", "53", "--jump", "DNAT", "--to",
                   NAMESERVER + ":53")
     else:
+        # As we may have OpenVPN running on port 53, we don't want to redirect that
+        for gateway in gateways:
+            ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_OUT, "--destination",
+                      gateway, "--jump", "RETURN")
         # allow dns to localhost
-        ip4tables("-t", "nat", "--append", BITMASK_CHAIN, "--protocol", "udp",
+        ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_OUT, "--protocol", "udp",
                   "--dest", "127.0.1.1,127.0.0.1,127.0.0.53", "--dport", "53",
                   "--jump", "ACCEPT")
         # rewrite all outgoing packets to use VPN DNS server