Fedora templates have a weird issue where the packet counter on the sys-net nat 
FORWARD chain does not increment. The PREROUTING chain does increment.

The commands work and my configuration is correct: it was working on R3.2 and 
does work on R4.0 if using an older debian-8 template for sys-net and 
sys-firewall.

Using the Debian-8 template that came with Qubes 4.0 RC2 or earlier does work 
as expected.
It has iptables 1.4, while fedora has iptables 1.6.
I can go back and forth between fedora-25/26 and debian-8, and it will work 
when on debian.

Debian-9 has a weird issue where the counter on the sys-net FORWARD chain does 
get incremented, but nothing is sent to sys-firewall. Verified with tcpdump.


Sys-Net:
# nat: rewrite the destination of inbound tcp/2200 on the external NIC to sys-firewall
iptables -t nat -A PREROUTING -i ens5 -p tcp -d <outside_ip_of_sys-net> --dport 2200 -j DNAT --to-destination <ip_of_sys-firewall> -m comment --comment 'PortFwd'
# filter: allow the new (already-DNATed) connection to be forwarded to sys-firewall
iptables -I FORWARD 2 -i ens5 -p tcp -d <ip_of_sys-firewall> --dport 2200 -m conntrack --ctstate NEW -j ACCEPT -m comment --comment 'PortFwd'

Sys-Firewall:
# nat: second hop, rewrite the destination from sys-firewall to the AppVM
iptables -t nat -A PREROUTING -i eth0 -p tcp -d <ip_of_sys-firewall> --dport 2200 -j DNAT --to-destination <ip_of_AppVM> -m comment --comment 'PortFwd'
# filter: allow the new connection to be forwarded to the AppVM
iptables -I FORWARD 2 -i ens5 -p tcp -d <ip_of_AppVM> --dport 2200 -m conntrack --ctstate NEW -j ACCEPT -m comment --comment 'PortFwd'

Target AppVM:
# filter: accept the new connection locally on tcp/2200
iptables -I INPUT 5 -p tcp --dport 2200 -m conntrack --ctstate NEW -j ACCEPT -m comment --comment 'PortFwd'


SYS-NET
sudo iptables -vnL -t nat | grep 2200 ; sudo iptables -vnL FORWARD | grep 2200

3   180 DNAT       tcp  --  eth0   *       0.0.0.0/0            10.0.1.53            tcp dpt:2200 /* PortFwd */ to:10.137.0.6
0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            10.137.0.6           tcp dpt:2200 ctstate NEW /* PortFwd */


My configuration worked flawlessly for many months on R3.2 and even works today 
when using debian-8 for my sys-net and sys-firewall.

And yes, of course my net.ipv4.ip_forward is 1.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/609dfb2d-7d55-42c4-9641-206edf689d26%40googlegroups.com.

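The comparison the poster did by eye (DNAT counter climbing while the matching FORWARD ACCEPT counter stays at zero) can be automated. The script below is an added example and is not part of the post or of Qubes; it parses `iptables -vnL` output for rules tagged with a given comment, pairs each DNAT rule with the FORWARD ACCEPT rule for the translated destination and port, and reports which hop is losing packets. The two listings embedded in it are constructed samples modelled on the counters shown in the post; on a real VM you would feed it the output of `iptables -vnL -t nat` and `iptables -vnL FORWARD`.

```python
"""Pair DNAT rules with their FORWARD ACCEPT rules and compare hit counters.

Added example (not from the post). The listings below are constructed to
mirror the numbers in the post: DNAT matched 3 packets, FORWARD matched 0.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: `iptables -vnL -t nat` as seen on sys-net
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 DNAT       tcp  --  eth0   *       0.0.0.0/0            10.0.1.53            tcp dpt:2200 /* PortFwd */ to:10.137.0.6
"""

# Constructed sample: `iptables -vnL FORWARD` on the same VM
SAMPLE_FORWARD = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  200 15000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            10.137.0.6           tcp dpt:2200 ctstate NEW /* PortFwd */
"""

_COUNT_RE = re.compile(r"^(\d+)([KMG]?)$")
# pkts bytes target prot opt in out source destination [match details...]
_RULE_RE = re.compile(r"^\s*" + r"(\S+)\s+" * 8 + r"(\S+)\s*(.*)$")


def parse_count(token: str) -> int:
    """Turn an iptables -v counter such as '180' or '15K' into an integer."""
    m = _COUNT_RE.match(token)
    if not m:
        raise ValueError(f"not a counter: {token!r}")
    return int(m.group(1)) * {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}[m.group(2)]


def parse_rules(listing: str, comment: Optional[str] = None) -> List[Dict[str, object]]:
    """Parse `iptables -vnL` output; optionally keep only rules carrying a comment."""
    rules: List[Dict[str, object]] = []
    for line in listing.splitlines():
        m = _RULE_RE.match(line)
        # Skip chain banners, the column header and blank lines: their first
        # token is not a counter.
        if not m or not _COUNT_RE.match(m.group(1)):
            continue
        pkts, _bytes, target, prot, _opt, in_if, out_if, src, dst, extra = m.groups()
        if comment is not None and f"/* {comment} */" not in extra:
            continue
        dport = re.search(r"dpt:(\d+)", extra)
        to = re.search(r"to:(\S+)", extra)
        rules.append({
            "pkts": parse_count(pkts), "target": target, "prot": prot,
            "in": in_if, "out": out_if, "src": src, "dst": dst,
            "dport": int(dport.group(1)) if dport else None,
            "to": to.group(1) if to else None,   # DNAT target, if any
            "extra": extra.strip(),
        })
    return rules


def diagnose(nat_listing: str, forward_listing: str, comment: str = "PortFwd") -> Dict[str, object]:
    """Report whether DNATed packets are also being accepted in FORWARD."""
    dnats = [r for r in parse_rules(nat_listing, comment) if r["target"] == "DNAT"]
    accepts = [r for r in parse_rules(forward_listing, comment) if r["target"] == "ACCEPT"]
    problems: List[str] = []
    findings: List[str] = []
    if not dnats:
        return {"status": "no_dnat_rule", "findings": [f"no DNAT rule tagged /* {comment} */"]}
    for d in dnats:
        # The FORWARD rule must match the *translated* destination and port.
        paired = [a for a in accepts if a["dst"] == d["to"] and a["dport"] == d["dport"]]
        if not paired:
            problems.append("no_forward_rule")
            findings.append(f"no FORWARD ACCEPT for translated destination {d['to']}:{d['dport']}")
            continue
        a = paired[0]
        if a["in"] != d["in"]:
            problems.append("interface_mismatch")
            findings.append(f"DNAT matches -i {d['in']} but FORWARD matches -i {a['in']}")
        if d["pkts"] == 0:
            problems.append("no_traffic")
            findings.append("DNAT rule has not matched yet; nothing reached the in-interface on that port")
        elif a["pkts"] == 0:
            problems.append("forward_not_hit")
            findings.append(
                f"DNAT matched {d['pkts']} packet(s) but FORWARD ACCEPT matched 0: packets are "
                "rewritten but never accepted in FORWARD (check rules/DROPs ahead of it, "
                "ctstate, and net.ipv4.ip_forward)")
    return {"status": problems[0] if problems else "ok", "findings": findings}


if __name__ == "__main__":
    report = diagnose(SAMPLE_NAT, SAMPLE_FORWARD)
    print(report["status"])
    for f in report["findings"]:
        print(" -", f)
```

Run it on each hop in turn (sys-net, then sys-firewall): the first VM where the status flips from `ok` to `forward_not_hit` or `no_forward_rule` is where the forwarded connection dies, which narrows the search to that VM's FORWARD chain rather than the whole path.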