On Friday, 9 February 2018 06:50:05 UTC, [email protected] wrote:
> Fedora templates have a weird issue where the packet counter on the sys-net
> nat FORWARD chain does not increment. The PREROUTING chain does increment.
>
> The commands work, my configuration is correct, as it was working on R3.2 and
> does work on R4.0 if using an older debian-8 template for sys-net and
> sys-firewall.
>
> Using Debian-8 template that came with Qubes 4.0 RC2 or earlier.... does work
> as expected.
> It has iptables 1.4, while fedora has iptables 1.6.
> I can go back and forth between fedora-25/26 and debian-8, and it will work
> when on debian.
>
> Debian-9 has a weird issue where the counter on the sys-net FORWARD chain
> does get incremented, but nothing is sent to sys-firewall. Verified with
> tcpdump.
>
>
> Sys-Net:
> iptables -t nat -A PREROUTING -i ens5 -p tcp -d <outside_ip_of_sys-net> --dport 2200 -j DNAT --to-destination <ip_of_sys-firewall> -m comment --comment 'PortFwd'
> iptables -I FORWARD 2 -i ens5 -p tcp <ip_of_sys-firewall> --dport 2200 -m conntrack --ctstate NEW -j ACCEPT -m comment --comment 'PortFwd'

I suspect you have just a typo here in your email (-d is missing).
I usually also put --sport 1024:65535 (but it is not required, and I doubt
adding it would fix the problem).

> Sys-Firewall:
> iptables -t nat -A PREROUTING -i eth0 -p tcp -d <ip_of_sys-firewall> --dport 2200 -j DNAT --to-destination <ip_of_AppVM> -m comment --comment 'PortFwd'
> iptables -I FORWARD 2 -i ens5 -p tcp <ip_of_AppVM> --dport 2200 -m conntrack --ctstate NEW -j ACCEPT -m comment --comment 'PortFwd'

Typo also here, the interface is eth0 I think.

> Target AppVM:
> iptables -I INPUT 5 -p tcp --dport 2200 -m conntrack --ctstate NEW -j ACCEPT -m comment --comment 'PortFwd'
>
>
> SYS-NET
> sudo iptables -vnL -t nat | grep 2200 ; sudo iptables -vnL FORWARD | grep 2200
>
>     3   180 DNAT    tcp  --  eth0  *  0.0.0.0/0  10.0.1.53   tcp dpt:2200 /* PortFwd */ to:10.137.0.6
>     0     0 ACCEPT  tcp  --  eth0  *  0.0.0.0/0  10.137.0.6  tcp dpt:2200 ctstate NEW /* PortFwd */
>
>
> My configuration works flawlessly for many months on R3.2 and even works
> today when using debian-8 for my sys-net and sys-firewall.
>
> And yes, of course my net.ipv4.ip_forward is 1

I'll try to have a look today on my Qubes R4 server.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/3fa425c7-4f21-431b-9f77-f346952aa80d%40googlegroups.com.
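The three-hop rule set from this thread, written out with the two suspected typos corrected (the missing -d in each FORWARD rule, and eth0 rather than ens5 as the upstream interface inside sys-firewall), together with the counter checks the original poster used. This is an added example, not code posted by either participant; the interface name, port and every IP address are assumed placeholders, and the optional --sport 1024:65535 match is included as the reply suggests. By default the script only prints the commands; with APPLY=1 it executes them, which must be done as root in the VM named by the argument.

```shell
#!/bin/sh
# Added example, not code from the thread: the three-hop port-forward rules
# discussed above with the two suspected typos corrected (-d present in each
# FORWARD rule, eth0 as the upstream interface inside sys-firewall).
# Every address and interface below is an assumed placeholder.
set -eu

FWD_PORT=${FWD_PORT:-2200}
EXT_IF=${EXT_IF:-ens5}               # assumed: sys-net's upstream interface
NET_EXT_IP=${NET_EXT_IP:-10.0.1.53}  # assumed: outside IP of sys-net
FW_IP=${FW_IP:-10.137.0.6}           # assumed: sys-firewall IP seen from sys-net
APP_IP=${APP_IP:-10.137.0.12}        # assumed: AppVM IP seen from sys-firewall

# Print a command, or execute it when APPLY=1 (run as root in that VM).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# One forwarding hop: DNAT in nat/PREROUTING, then ACCEPT in filter/FORWARD.
# FORWARD is evaluated after DNAT, so it must match the rewritten
# destination ($3); that is what the thread's rules do once -d is restored.
#   $1 = inbound interface, $2 = address matched before DNAT, $3 = next hop
hop_rules() {
    run iptables -t nat -A PREROUTING -i "$1" -p tcp -d "$2" --dport "$FWD_PORT" \
        -j DNAT --to-destination "$3" -m comment --comment PortFwd
    run iptables -I FORWARD 2 -i "$1" -p tcp -d "$3" --sport 1024:65535 \
        --dport "$FWD_PORT" -m conntrack --ctstate NEW -j ACCEPT \
        -m comment --comment PortFwd
}

# Final hop: the AppVM only needs to accept the new connection locally.
appvm_rules() {
    run iptables -I INPUT 5 -p tcp --dport "$FWD_PORT" -m conntrack --ctstate NEW \
        -j ACCEPT -m comment --comment PortFwd
}

# The checks used in the thread: forwarding enabled, and both the
# PREROUTING and the FORWARD counters moving when a new connection arrives
# (the PortFwd comment marks the relevant lines in the listing).
check_cmds() {
    run sysctl net.ipv4.ip_forward
    run iptables -t nat -vnL PREROUTING
    run iptables -vnL FORWARD
}

main() {
    case "${1:-all}" in
        sys-net)      hop_rules "$EXT_IF" "$NET_EXT_IP" "$FW_IP" ;;
        sys-firewall) hop_rules eth0 "$FW_IP" "$APP_IP" ;;
        appvm)        appvm_rules ;;
        check)        check_cmds ;;
        all)          echo "# sys-net";      main sys-net
                      echo "# sys-firewall"; main sys-firewall
                      echo "# AppVM";        main appvm
                      echo "# verify";       main check ;;
        *) echo "usage: $0 {sys-net|sys-firewall|appvm|check|all}" >&2; return 2 ;;
    esac
}

main "$@"
```

Rules added this way do not survive a VM restart; on Qubes they are normally placed in /rw/config/rc.local of the respective VM so they are re-applied at boot.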
