What mistake do I make?
-
[user@sys-net ~]$ ifconfig | grep -i cast
ens6: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ens5f0u1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.157 netmask 255.255.255.0 broadcast 192.168.0.255
vif3.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.137.0.5 netmask 255.255.255.255 broadcast 0.0.0.0
wls7: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
[user@sys-net ~]$ ifconfig | grep -i cast
ens6: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ens5f0u1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.157 netmask 255.255.255.0 broadcast 192.168.0.255
vif3.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.137.0.5 netmask 255.255.255.255 broadcast 0.0.0.0
wls7: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
[user@sys-net ~]$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443
-d 192.168.0.157 -j DNAT --to-destination 10.137.0.6
[user@sys-net ~]$ sudo iptables -I FORWARD 2 -i eth0 -d 10.137.1.6 -p tcp
--dport 443 -m conntrack --ctstate NEW -j ACCEPT
^^^^^
[user@sys-net ~]$ sudo nft add rule ip qubes-firewall forward meta iifname eth0
ip daddr 10.137.0.6 tcp dport 443 ct state new counter accept
[user@sys-net ~]$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 3 packets, 156 bytes)
pkts bytes target prot opt in out source destination
15233 807K PR-QBS all -- * * 0.0.0.0/0 0.0.0.0/0
15220 806K PR-QBS-SERVICES all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 DNAT tcp -- eth0 * 0.0.0.0/0
192.168.0.157 tcp dpt:443 to:10.137.0.6
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1546 packets, 104K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * vif+ 0.0.0.0/0 0.0.0.0/0
3 156 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
30894 2067K MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PR-QBS (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.1
udp dpt:53 to:10.139.1.1
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.1
tcp dpt:53 to:10.139.1.1
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.2
udp dpt:53 to:10.139.1.2
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.2
tcp dpt:53 to:10.139.1.2
Chain PR-QBS-SERVICES (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- vif+ * 0.0.0.0/0
10.137.255.254 tcp dpt:8082
[user@sys-net ~]$ sudo iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- vif+ * 0.0.0.0/0 0.0.0.0/0
tcp dpt:8082
0 0 DROP udp -- vif+ * 0.0.0.0/0 0.0.0.0/0
udp dpt:68
44760 4252K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- vif+ * 0.0.0.0/0 0.0.0.0/0
3 156 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- vif+ * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-prohibited
62 2480 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
660K 438M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.137.1.6
tcp dpt:443 ctstate NEW
163 8531 QBS-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- vif+ vif+ 0.0.0.0/0 0.0.0.0/0
163 8531 ACCEPT all -- vif+ * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 3220 packets, 216K bytes)
pkts bytes target prot opt in out source destination
Chain QBS-FORWARD (1 references)
pkts bytes target prot opt in out source destination
[user@sys-net ~]$ sudo nft list table ip qubes-firewall
table ip qubes-firewall {
chain forward {
type filter hook forward priority 0; policy drop;
ct state established,related accept
ip saddr 10.137.0.6 jump qbs-10-137-0-6
iifname "eth0" ip daddr 10.137.0.6 tcp dport https ct state new
counter packets 0 bytes 0 accept
}
chain qbs-10-137-0-6 {
accept
drop
}
}
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/105901ba-36a4-446f-bf1a-e84cc5dfdae8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
