Re: [qubes-users] Port Forward in qubes-OS.

menoldstyle Tue, 25 Dec 2018 02:15:55 -0800

What mistake do I make?

-


[user@sys-net ~]$ ifconfig | grep -i cast
ens6: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
ens5f0u1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.157  netmask 255.255.255.0  broadcast 192.168.0.255
vif3.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.137.0.5  netmask 255.255.255.255  broadcast 0.0.0.0
wls7: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
[user@sys-net ~]$ ifconfig | grep -i cast
ens6: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
ens5f0u1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.157  netmask 255.255.255.0  broadcast 192.168.0.255
vif3.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.137.0.5  netmask 255.255.255.255  broadcast 0.0.0.0
wls7: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500

[user@sys-net ~]$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 
-d 192.168.0.157 -j DNAT --to-destination 10.137.0.6

[user@sys-net ~]$ sudo iptables -I FORWARD 2 -i eth0 -d 10.137.1.6 -p tcp 
--dport 443 -m conntrack --ctstate NEW -j ACCEPT     
           ^^^^^
[user@sys-net ~]$ sudo nft add rule ip qubes-firewall forward meta iifname eth0 
ip daddr 10.137.0.6 tcp dport 443 ct state new counter accept

[user@sys-net ~]$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 3 packets, 156 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
15233  807K PR-QBS     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
15220  806K PR-QBS-SERVICES  all  --  *      *       0.0.0.0/0            
0.0.0.0/0           
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            
192.168.0.157        tcp dpt:443 to:10.137.0.6

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        

Chain OUTPUT (policy ACCEPT 1546 packets, 104K bytes)
 pkts bytes target     prot opt in     out     source               destination 
        

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 ACCEPT     all  --  *      vif+    0.0.0.0/0            0.0.0.0/0   
        
    3   156 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0   
        
30894 2067K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0  
         

Chain PR-QBS (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            10.139.1.1  
         udp dpt:53 to:10.139.1.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.139.1.1  
         tcp dpt:53 to:10.139.1.1
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            10.139.1.2  
         udp dpt:53 to:10.139.1.2
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.139.1.2  
         tcp dpt:53 to:10.139.1.2

Chain PR-QBS-SERVICES (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 REDIRECT   tcp  --  vif+   *       0.0.0.0/0            
10.137.255.254       tcp dpt:8082

[user@sys-net ~]$ sudo iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 ACCEPT     tcp  --  vif+   *       0.0.0.0/0            0.0.0.0/0   
         tcp dpt:8082
    0     0 DROP       udp  --  vif+   *       0.0.0.0/0            0.0.0.0/0   
         udp dpt:68
44760 4252K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  vif+   *       0.0.0.0/0            0.0.0.0/0   
        
    3   156 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 REJECT     all  --  vif+   *       0.0.0.0/0            0.0.0.0/0   
         reject-with icmp-host-prohibited
   62  2480 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
 660K  438M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            10.137.1.6  
         tcp dpt:443 ctstate NEW
  163  8531 QBS-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0 
          
    0     0 DROP       all  --  vif+   vif+    0.0.0.0/0            0.0.0.0/0   
        
  163  8531 ACCEPT     all  --  vif+   *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        

Chain OUTPUT (policy ACCEPT 3220 packets, 216K bytes)
 pkts bytes target     prot opt in     out     source               destination 
        

Chain QBS-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        

[user@sys-net ~]$ sudo nft list table ip qubes-firewall
table ip qubes-firewall {
        chain forward {
                type filter hook forward priority 0; policy drop;
                ct state established,related accept
                ip saddr 10.137.0.6 jump qbs-10-137-0-6
                iifname "eth0" ip daddr 10.137.0.6 tcp dport https ct state new 
counter packets 0 bytes 0 accept
        }

        chain qbs-10-137-0-6 {
                accept
                drop
        }
}

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/105901ba-36a4-446f-bf1a-e84cc5dfdae8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Port Forward in qubes-OS.

Reply via email to