On Wed, Aug 01, 2018 at 03:54:23PM -0700, 'Epinsion Polickye' via qubes-users 
wrote:
> On Wednesday, August 1, 2018 at 6:46:00 PM UTC+10, Unman wrote:
> > On Mon, Jul 30, 2018 at 10:41:30PM -0700, 'Epinsion Polickye' via 
> > qubes-users wrote:
> > > On Tuesday, July 31, 2018 at 12:03:45 PM UTC+10, Epinsion Polickye wrote:
> > > > Hi All,
> > > > 
> > > > I've been following this guide to set up routing and NAT to an internal 
> > > > machine: https://www.qubes-os.org/doc/firewall/
> > > > 
> > > > sys-net and my machines are currently working on the internal network, 
> > > > and the internet perfectly outbound, but I'm having troubles exposing 
> > > > services from sys-net (which I only intend to do for testing with this 
> > > > VM), or internal VMs (what I actually want to do).
> > > > 
> > > > My machine is connecting directly to sys-net (no sys-firewall middle 
> > > > man).
> > > > 
> > > > My first step is to simply run "nc -nlv 444" on sys-net to telnet into 
> > > > it from an internal device, and be able to ping the sys-net machine 
> > > > from an internal device. I'm having issues just at this step however, 
> > > > even if I've disabled nftables and iptables. qvm-ls -n lists a 
> > > > different sys-net ip than what's set up as the internal private address 
> > > > on the network.
> > > > 
> > > > I can ping from sys-net to a particular machine, but not back to the 
> > > > machine.
> > > > 
> > > > I suspect I'm misunderstanding networking and firewalls in Qubes. I 
> > > > expect sys-net to function like a router (along with any other 
> > > > intermediary VMs for firewalls, net/vpns and the like), and for the 
> > > > firewalls to be handled by nftables and iptables, which shouldn't 
> > > > function when the services are disabled on systems.
> > > > 
> > > > Thanks.
> > > 
> > > And also on VM: sudo iptables -I INPUT -s 10.137.0.5 -j ACCEPT
> > > 
> > 
> > Your assumptions are quite correct about what should be happening.
> > You haven't said what Qubes version you have or what template you are
> > using for sys-net and sys-firewall. Can you add that?
> 
> I'm using qubes-4. sys-net and sys-firewall are fedora-26.
> 

Fedora uses nftables rather than iptables.
If you switched the sys-net and sys-firewall to Debian, I suspect that
your existing rules might work. Otherwise recast them in nftables.

qvm-ls -n shows the IP address of sys-net within Qubes - not the IP
address of the external interface on the network, as you have already
noticed.
So you will need to open the firewall to allow traffic to tcp 444 on
ens5.
You can run a sniffer like tcpdump on the external interface of sys-net
to make sure that traffic from the local networking is actually
arriving.

You might find this and the linked projects interesting:
https://github.com/QubesOS/qubes-issues/issues/3556

unman
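The two steps unman describes (recasting the rule in nftables and sniffing on ens5), as an added example that is not part of the reply or of the Qubes docs: it emits the nft command that opens TCP 444 on ens5, the nftables form of the `iptables -I INPUT -s 10.137.0.5 -j ACCEPT` rule tried earlier in the thread, and the tcpdump check. The table and chain names (`ip filter` / `INPUT`) are assumptions; confirm them with `nft list ruleset` on sys-net before applying.

```shell
#!/bin/sh
# Added example (not from the thread): helpers that print the nftables and
# tcpdump commands for exposing TCP 444 on sys-net's external interface ens5.
# NFT_TABLE / NFT_CHAIN are assumptions; match them to `nft list ruleset`.
NFT_TABLE=${NFT_TABLE:-"ip filter"}
NFT_CHAIN=${NFT_CHAIN:-INPUT}

# Accept an interface name (letters, digits, . _ -) and a TCP port 1-65535.
valid_args() {
    case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    [ "$2" -ge 1 ] && [ "$2" -le 65535 ]
}

# nft command accepting new TCP connections to port $2 arriving on $1.
# "insert" puts it ahead of the existing reject/drop rules, like iptables -I.
allow_tcp_rule() {
    valid_args "$1" "$2" || return 1
    printf 'nft insert rule %s %s iifname "%s" tcp dport %s ct state new accept\n' \
        "$NFT_TABLE" "$NFT_CHAIN" "$1" "$2"
}

# nftables recast of the iptables rule from the thread
# (iptables -I INPUT -s 10.137.0.5 -j ACCEPT): accept everything from one host.
allow_host_rule() {
    printf 'nft insert rule %s %s ip saddr %s accept\n' \
        "$NFT_TABLE" "$NFT_CHAIN" "$1"
}

# tcpdump on the external interface: if nothing appears here while testing
# from the LAN, the packets never reach sys-net and the firewall is not at fault.
sniff_cmd() {
    printf 'tcpdump -ni %s tcp port %s\n' "$1" "$2"
}

# Only change the live ruleset when asked (APPLY=1, run as root in sys-net);
# otherwise just show the commands that would be run.
if [ "${APPLY:-0}" = 1 ]; then
    allow_tcp_rule ens5 444 | sh
else
    allow_tcp_rule ens5 444
    sniff_cmd ens5 444
fi
```

Rules inserted this way do not survive a restart of sys-net; the firewall doc linked at the top of the thread covers where to persist them.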

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180802005258.q5dqwotlopl72a3j%40thirdeyesecurity.org.