On Thursday, August 2, 2018 at 10:53:01 AM UTC+10, Unman wrote:
> On Wed, Aug 01, 2018 at 03:54:23PM -0700, 'Epinsion Polickye' via qubes-users wrote:
> > On Wednesday, August 1, 2018 at 6:46:00 PM UTC+10, Unman wrote:
> > > On Mon, Jul 30, 2018 at 10:41:30PM -0700, 'Epinsion Polickye' via qubes-users wrote:
> > > > On Tuesday, July 31, 2018 at 12:03:45 PM UTC+10, Epinsion Polickye wrote:
> > > > > Hi All,
> > > > >
> > > > > I've been following this guide to set up routing and NAT to an internal machine: https://www.qubes-os.org/doc/firewall/
> > > > >
> > > > > sys-net and my machines are currently working on the internal network, and the internet perfectly outbound, but I'm having troubles exposing services from sys-net (which I only intend to do for testing with this VM), or internal VMs (what I actually want to do).
> > > > >
> > > > > My machine is connecting directly to sys-net (no sys-firewall middle man).
> > > > >
> > > > > My first step is to simply run "nc -nlv 444" on sys-net to telnet into it from an internal device, and be able to ping the sys-net machine from an internal device. I'm having issues just at this step however, even if I've disabled nftables and iptables. qvm-ls -n lists a different sys-net ip than what's set up as the internal private address on the network.
> > > > >
> > > > > I can ping from sys-net to a particular machine, but not back to the machine.
> > > > >
> > > > > I suspect I'm misunderstanding networking and firewalls in Qubes. I expect sys-net to function like a router (along with any other intermediary VMs for firewalls, net/vpns and the like), and for the firewalls to be handled by nftables and iptables, which shouldn't function when the services are disabled on systems.
> > > > >
> > > > > Thanks.
> > > >
> > > > And also on VM: sudo iptables -I INPUT -s 10.137.0.5 -j ACCEPT
> > >
> > > Your assumptions are quite correct about what should be happening.
> > > You haven't said what Qubes version you have or what template you are using for sys-net and sys-firewall. Can you add that?
> >
> > I'm using qubes-4. sys-net and sys-firewall are fedora-26.
>
> Fedora uses nftables rather than iptables.
> If you switched the sys-net and sys-firewall to Debian, I suspect that your existing rules might work. Otherwise recast them in nftables.
>
> qvm-ls -n shows the IP address of sys-net within Qubes - not the IP address of the external interface on the network, as you have already noticed.
> So you will need to open the firewall to allow traffic to tcp 444 on ens5.
> You can run a sniffer like tcpdump on the external interface of sys-net to make sure that traffic from the local networking is actually arriving.
>
> You might find this and the linked projects interesting:
> https://github.com/QubesOS/qubes-issues/issues/3556
>
> unman
Thanks for your help and for sharing the link. I'm going to set aside some time to read the Qubes doco on networking, learn nftables and iptables, and read the link. Regardless I've found ssh tunneling from sys-net to be very handy, and could be very useful with ssh jumps if there are intermediary firewalls and network services.
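The two things unman asks for above, opening tcp 444 on ens5 and checking with tcpdump that packets actually arrive, can be written down in both the iptables dialect the original poster tried and the nftables dialect unman recommends. The script below is an added example for this thread, not code from the thread, from unman or from the Qubes project. The interface ens5, port 444 and the address 10.137.0.5 are the thread's own values; the nft table and chain names (`inet filter`, `ip nat`) and the hook priorities are ordinary nftables conventions assumed here, not Qubes' own firewall tables. It covers both cases the poster describes: a listener inside sys-net itself ("local"), and a service in an internal qube that sys-net must DNAT and forward to ("forward"). By default it only prints the commands plus the tcpdump line; `--apply` runs them.

```shell
#!/bin/sh
# Added example (not from the thread or the Qubes project): build the firewall
# rules a sys-net needs to expose tcp/444 on its external interface ens5, in
# the iptables dialect and the nftables dialect, and apply them only on request.
# ens5, 444 and 10.137.0.5 come from the thread; table/chain names are assumed.

# Reject anything that is not a dotted quad with octets in 0-255, so a typo
# never turns into a forwarding rule pointing somewhere unintended.
validate_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Reject ports outside 1-65535.
validate_port() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}$' || return 1
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Interface names are later passed to eval, so allow only plain characters.
validate_ifname() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_.-]+$'
}

# Print (never execute) the commands that open $port on $ext_if, either for a
# listener in sys-net itself ("local") or DNAT+forward to $target_ip ("forward").
gen_rules() {
    dialect=$1; mode=$2; ext_if=$3; port=$4; target_ip=${5:-}
    validate_ifname "$ext_if" || { echo "bad interface: $ext_if" >&2; return 1; }
    validate_port "$port" || { echo "bad port: $port" >&2; return 1; }
    if [ "$mode" = forward ]; then
        validate_ipv4 "$target_ip" || { echo "bad target ip: $target_ip" >&2; return 1; }
    fi
    case "$dialect:$mode" in
        iptables:local)
            echo "iptables -I INPUT -i $ext_if -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT" ;;
        iptables:forward)
            echo "iptables -t nat -I PREROUTING -i $ext_if -p tcp --dport $port -j DNAT --to-destination $target_ip:$port"
            echo "iptables -I FORWARD -i $ext_if -d $target_ip -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT" ;;
        nft:local)
            echo "nft add table inet filter"
            echo "nft add chain inet filter input '{ type filter hook input priority 0; }'"
            echo "nft add rule inet filter input iifname \"$ext_if\" tcp dport $port ct state new counter accept" ;;
        nft:forward)
            echo "nft add table ip nat"
            echo "nft add chain ip nat prerouting '{ type nat hook prerouting priority -100; }'"
            echo "nft add rule ip nat prerouting iifname \"$ext_if\" tcp dport $port dnat to $target_ip"
            echo "nft add table inet filter"
            echo "nft add chain inet filter forward '{ type filter hook forward priority 0; }'"
            echo "nft add rule inet filter forward iifname \"$ext_if\" ip daddr $target_ip tcp dport $port ct state new counter accept" ;;
        *)
            echo "usage: gen_rules iptables|nft local|forward EXT_IF PORT [TARGET_IP]" >&2; return 1 ;;
    esac
}

# The check unman suggests: watch the external interface for the port before
# concluding the firewall is at fault.
sniff_cmd() {
    echo "tcpdump -ni $1 tcp port $2"
}

# Usage inside sys-net:   sh expose.sh nft forward ens5 444 10.137.0.5
# Prefix the arguments with --apply to execute the rules instead of printing them.
if [ "$#" -gt 0 ]; then
    if [ "$1" = --apply ]; then
        shift
        cmds=$(gen_rules "$@") || exit 1
        printf '%s\n' "$cmds" | while IFS= read -r cmd; do
            echo "+ $cmd"; eval "$cmd"
        done
    else
        gen_rules "$@" && sniff_cmd "$3" "$4"
    fi
fi
```

Which dialect actually takes effect depends on which stack enforces the drop policy in the template in use: an accept rule added in nftables does not help if the packet is still dropped by an iptables INPUT or FORWARD chain, and vice versa, so look at `nft list ruleset` and `iptables -S` first and add the rule to the stack that is doing the dropping. The "forward" rules are the same DNAT plus FORWARD pair that the Qubes firewall guide linked in the first message describes for exposing a service in an internal qube.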
