> What I would like to do is add a second IP to both sys-firewall and
> sys-net so that I can NAT traffic from one of my VMs in/out through
> these IPs. So what I end up with is two IPs on sys-net, one handling
> all the traffic for most of my VMs, the other handling traffic for one
> specific VM. This way I can do additional firewall restrictions on this
> VM in my networks.
>
> If I manually add the IP addresses to sys-net and sys-firewall, manually
> add the destination NAT and source NAT rules to both as well, then
> manually add a route in sys-net, and also force another rule into the
> IPTABLES raw table on sys-net (to override a rule added by
> /etc/xen/scripts/vif-routes-qubes which restricts all incoming traffic
> from sys-firewall to the IP assigned by qubes to the default interface),
> then I'm able to make this work.
>
> However, this is very finicky and totally unscriptable in this
> configuration, and I'd really like this to be something auto configured
> on boot.
>
> I've looked and looked and don't see where I can add a second interface
> definition to any config files. If I manually edit the xen
> sys-firewall.conf file it just gets overwritten by qubes. I can do all
> the iptables rules I need in the /rw/config scripts, but what I really
> need is for sys-firewall to add another virtual interface for me.
>
> I tried running: sudo xl network-attach sys-firewall
> script=/etc/xen/scripts/vif-route-qubes ip=10.150.10.10 backend=sys-net
> This will add the interface and set up sys-net with the correct routes
> and rules, HOWEVER, the interface that it adds to sys-firewall has the
> same IP as the existing interface which breaks all the traffic going out
> of sys-firewall
>
> Has anyone ever had any success doing something like this?
>
> Any suggestions out there?
>
> Thanks,
> Ed

Can you create another sys-net chain with the second interface? You could keep things isolated without scripting.
Assuming you are using Qubes 3.2, the interface could be assigned to sys-net-2 via VM Settings->Devices.
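For anyone who does want the manual sys-net steps Ed lists (second address, host route, raw-table override, DNAT/SNAT) to come up on boot, here is an added example of a dry-run-capable fragment for /rw/config/rc.local in sys-net. This is not code from the thread or from Qubes; the interface names (eth0, vif3.0), the second external address 192.0.2.20 and the exact shape of the raw-table rule are assumptions to adjust for your own setup.

```shell
#!/bin/sh
# Added example for sys-net's /rw/config/rc.local (assumptions, not Qubes code).
EXT_IF="${EXT_IF:-eth0}"            # sys-net's external interface (assumed)
EXT_IP2="${EXT_IP2:-192.0.2.20}"    # second external IP (constructed, documentation range)
FW_VIF="${FW_VIF:-vif3.0}"          # sys-net's backend vif toward sys-firewall (assumed)
FW_IP2="${FW_IP2:-10.150.10.10}"    # second IP on sys-firewall's upstream side (from the thread)
DRY_RUN="${DRY_RUN:-}"              # set to any value to print commands instead of running them

# run: execute a command, or only print it when DRY_RUN is set
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# configure_secondary_ip: the steps Ed describes for sys-net, in order.
# The sys-firewall half is symmetric (DNAT FW_IP2 -> the VM, SNAT the VM -> FW_IP2).
configure_secondary_ip() {
    # 1. second external address on sys-net
    run ip addr add "$EXT_IP2/32" dev "$EXT_IF"
    # 2. host route to sys-firewall's second address via the vif
    run ip route add "$FW_IP2/32" dev "$FW_VIF"
    # 3. accept FW_IP2 on the vif before the anti-spoofing DROP that
    #    vif-route-qubes installs in the raw table (-I puts it first)
    run iptables -t raw -I PREROUTING -i "$FW_VIF" -s "$FW_IP2" -j ACCEPT
    # 4. inbound: external IP2 -> sys-firewall IP2
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP2" -j DNAT --to-destination "$FW_IP2"
    # 5. outbound: sys-firewall IP2 -> external IP2
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$FW_IP2" -j SNAT --to-source "$EXT_IP2"
    # 6. let the DNATed traffic through the FORWARD chain
    run iptables -I FORWARD -d "$FW_IP2" -j ACCEPT
}

# count_rules: number of commands the function would issue (dry-run sanity check)
count_rules() {
    DRY_RUN=1 configure_secondary_ip | wc -l | tr -d ' '
}

# Only touch the live system when explicitly asked: `sh rc-secondary-ip.sh apply`
if [ "${1:-}" = "apply" ]; then
    configure_secondary_ip
fi
```

Review the output of `DRY_RUN=1 sh rc-secondary-ip.sh` before calling `configure_secondary_ip` from rc.local, and remember that sys-firewall still needs its own second address and the mirrored NAT rules.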
-- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/or8a5b%2448c%241%40blaine.gmane.org. For more options, visit https://groups.google.com/d/optout.