Hello friends! Pls, help me :(
I need to configure port forwarding to Kali linux VM via sys-net --->
sys-firewall ---> sys-whonix ---> VPN-VM ---> KaliVM to use meterpreter and
apache2 on my Kali linux VM. At first I tried to use scripts:
https://gist.github.com/jpouellet/d8cd0eb8589a5b9bf0c53a28fc530369
https://gist.github.com/Joeviocoe/6c4dc0c283f6d6c5b1a3f5af8793292b
https://github.com/niccokunzmann/qvm-expose-port
I transferred them to the dom0 machine in the / usr / local / bin / folder
I tried to run these scripts, but ports 443, 8080, 80 do not work on Kali linux
VM.
Then i tried to do it manually
https://www.qubes-os.org/doc/firewall/#port-forwarding-to-a-qube-from-the-outside-world
[user@sys-net ~]$ ifconfig | grep -i cast
ens6: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ens5f0u1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.157 netmask 255.255.255.0 broadcast 192.168.0.255
vif3.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.137.0.5 netmask 255.255.255.255 broadcast 0.0.0.0
wls7: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
[user@sys-net ~]$ ifconfig | grep -i cast
ens6: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ens5f0u1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.157 netmask 255.255.255.0 broadcast 192.168.0.255
vif3.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.137.0.5 netmask 255.255.255.255 broadcast 0.0.0.0
wls7: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
[user@sys-net ~]$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443
-d 192.168.0.157 -j DNAT --to-destination 10.137.0.6
[user@sys-net ~]$ sudo iptables -I FORWARD 2 -i eth0 -d 10.137.1.6 -p tcp
--dport 443 -m conntrack --ctstate NEW -j ACCEPT
[user@sys-net ~]$ sudo nft add rule ip qubes-firewall forward meta iifname eth0
ip daddr 10.137.0.6 tcp dport 443 ct state new counter accept
[user@sys-net ~]$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 3 packets, 156 bytes)
pkts bytes target prot opt in out source destination
15233 807K PR-QBS all -- * * 0.0.0.0/0 0.0.0.0/0
15220 806K PR-QBS-SERVICES all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 DNAT tcp -- eth0 * 0.0.0.0/0
192.168.0.157 tcp dpt:443 to:10.137.0.6
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1546 packets, 104K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * vif+ 0.0.0.0/0 0.0.0.0/0
3 156 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
30894 2067K MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PR-QBS (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.1
udp dpt:53 to:10.139.1.1
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.1
tcp dpt:53 to:10.139.1.1
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.2
udp dpt:53 to:10.139.1.2
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.2
tcp dpt:53 to:10.139.1.2
Chain PR-QBS-SERVICES (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- vif+ * 0.0.0.0/0
10.137.255.254 tcp dpt:8082
[user@sys-net ~]$ sudo iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- vif+ * 0.0.0.0/0 0.0.0.0/0
tcp dpt:8082
0 0 DROP udp -- vif+ * 0.0.0.0/0 0.0.0.0/0
udp dpt:68
44760 4252K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- vif+ * 0.0.0.0/0 0.0.0.0/0
3 156 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- vif+ * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-prohibited
62 2480 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
660K 438M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.137.1.6
tcp dpt:443 ctstate NEW
163 8531 QBS-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- vif+ vif+ 0.0.0.0/0 0.0.0.0/0
163 8531 ACCEPT all -- vif+ * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 3220 packets, 216K bytes)
pkts bytes target prot opt in out source destination
Chain QBS-FORWARD (1 references)
pkts bytes target prot opt in out source destination
[user@sys-net ~]$ nft list table ip qubes-firewall
internal:0:0-0: Error: Could not receive tables from kernel: Operation not
permitted
[user@sys-net ~]$ sudo nft list table ip qubes-firewall
table ip qubes-firewall {
chain forward {
type filter hook forward priority 0; policy drop;
ct state established,related accept
ip saddr 10.137.0.6 jump qbs-10-137-0-6
iifname "eth0" ip daddr 10.137.0.6 tcp dport https ct state new
counter packets 0 bytes 0 accept
}
chain qbs-10-137-0-6 {
accept
drop
}
}
[user@sys-net ~]$ telnet 192.168.0.157 443
bash: telnet: command not found...
^[[AInstall package 'telnet' to provide command 'telnet'? [N/y] n
Then I did the same on the sys-firewall instructions:
[user@sys-firewall ~]$ ifconfig | grep -i cast
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.137.0.6 netmask 255.255.255.255 broadcast 10.255.255.255
vif4.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.137.0.6 netmask 255.255.255.255 broadcast 0.0.0.0
vif5.0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 10.137.0.6 netmask 255.255.255.255 broadcast 0.0.0.0
vif6.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.137.0.6 netmask 255.255.255.255 broadcast 0.0.0.0
[user@sys-firewall ~]$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp
--dport 443 -d 10.137.0.6 -j DNAT --to-destination 10.137.0.23
[user@sys-firewall ~]$ sudo iptables -I FORWARD 2 -i eth0 -s 192.168.0.1/24 -d
10.137.0.23 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
[user@sys-firewall ~]$ sudo nft add rule ip qubes-firewall forward meta iifname
eth0 ip saddr 192.168.0.1/24 ip daddr 10.137.0.23 tcp dport 443 ct state new
counter accept
[user@sys-firewall ~]$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 1 packets, 52 bytes)
pkts bytes target prot opt in out source destination
2363 133K PR-QBS all -- * * 0.0.0.0/0 0.0.0.0/0
2354 132K PR-QBS-SERVICES all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 10.137.0.6
tcp dpt:443 to:10.137.0.23
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * vif+ 0.0.0.0/0 0.0.0.0/0
3 156 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
2262 117K MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PR-QBS (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.1
udp dpt:53 to:10.139.1.1
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.1
tcp dpt:53 to:10.139.1.1
9 625 DNAT udp -- * * 0.0.0.0/0 10.139.1.2
udp dpt:53 to:10.139.1.2
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.2
tcp dpt:53 to:10.139.1.2
Chain PR-QBS-SERVICES (1 references)
pkts bytes target prot opt in out source destination
Then I wanted to install ports 80 and 8080, and did it for sys-net, but now the
packets are not transmitted to the sys-firewall. I'm stuck on this issue:
[user@sys-net ~]$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80
-d 192.168.0.157 -j DNAT --to-destination 10.137.0.6
^[[A[user@sys-net ~]$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport
8080 192.168.0.157 -j DNAT --to-destination 10.137.0.6
Bad argument `192.168.0.157'
Try `iptables -h' or 'iptables --help' for more information.
[user@sys-net ~]$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport
8080 -d 192.168.0.157 -j DNAT --to-destination 10.137.0.6
[user@sys-net ~]$ sudo iptables -I FORWARD 2 -i eth0 -d 10.137.1.6 -p tcp
--dport 80 -m conntrack --ctstate NEW -j ACCEPT
[user@sys-net ~]$ sudo iptables -I FORWARD 2 -i eth0 -d 10.137.1.6 -p tcp
--dport 8080 -m conntrack --ctstate NEW -j ACCEPT
[user@sys-net ~]$ sudo nft add rule ip qubes-firewall forward meta iifname eth0
ip daddr 10.137.0.6 tcp dport 80 ct state new counter accept
[user@sys-net ~]$ sudo nft add rule ip qubes-firewall forward meta iifname eth0
ip daddr 10.137.0.6 tcp dport 8080 ct state new counter accept
[user@sys-net ~]$ iptables -t nat -L -v -n
iptables v1.6.1: can't initialize iptables table `nat': Permission denied (you
must be root)
Perhaps iptables or your kernel needs to be upgraded.
[user@sys-net ~]$ sudo iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- vif+ * 0.0.0.0/0 0.0.0.0/0
tcp dpt:8082
0 0 DROP udp -- vif+ * 0.0.0.0/0 0.0.0.0/0
udp dpt:68
46258 4394K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- vif+ * 0.0.0.0/0 0.0.0.0/0
3 156 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- vif+ * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-prohibited
62 2480 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
708K 456M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.137.1.6
tcp dpt:8080 ctstate NEW
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.137.1.6
tcp dpt:80 ctstate NEW
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.137.1.6
tcp dpt:443 ctstate NEW
164 8583 QBS-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- vif+ vif+ 0.0.0.0/0 0.0.0.0/0
164 8583 ACCEPT all -- vif+ * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 36 packets, 2412 bytes)
pkts bytes target prot opt in out source destination
Chain QBS-FORWARD (1 references)
pkts bytes target prot opt in out source destination
[user@sys-net ~]$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
15234 807K PR-QBS all -- * * 0.0.0.0/0 0.0.0.0/0
15221 806K PR-QBS-SERVICES all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 DNAT tcp -- eth0 * 0.0.0.0/0
192.168.0.157 tcp dpt:443 to:10.137.0.6
0 0 DNAT tcp -- eth0 * 0.0.0.0/0
192.168.0.157 tcp dpt:80 to:10.137.0.6
0 0 DNAT tcp -- eth0 * 0.0.0.0/0
192.168.0.157 tcp dpt:8080 to:10.137.0.6
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 52 packets, 3484 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * vif+ 0.0.0.0/0 0.0.0.0/0
3 156 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
32684 2187K MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PR-QBS (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.1
udp dpt:53 to:10.139.1.1
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.1
tcp dpt:53 to:10.139.1.1
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.2
udp dpt:53 to:10.139.1.2
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.2
tcp dpt:53 to:10.139.1.2
Chain PR-QBS-SERVICES (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- vif+ * 0.0.0.0/0
10.137.255.254 tcp dpt:8082
[user@sys-net ~]$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
15234 807K PR-QBS all -- * * 0.0.0.0/0 0.0.0.0/0
15221 806K PR-QBS-SERVICES all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 DNAT tcp -- eth0 * 0.0.0.0/0
192.168.0.157 tcp dpt:443 to:10.137.0.6
0 0 DNAT tcp -- eth0 * 0.0.0.0/0
192.168.0.157 tcp dpt:80 to:10.137.0.6
0 0 DNAT tcp -- eth0 * 0.0.0.0/0
192.168.0.157 tcp dpt:8080 to:10.137.0.6
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 70 packets, 4690 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * vif+ 0.0.0.0/0 0.0.0.0/0
3 156 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
32702 2189K MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PR-QBS (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.1
udp dpt:53 to:10.139.1.1
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.1
tcp dpt:53 to:10.139.1.1
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.2
udp dpt:53 to:10.139.1.2
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.2
tcp dpt:53 to:10.139.1.2
Chain PR-QBS-SERVICES (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- vif+ * 0.0.0.0/0
10.137.255.254 tcp dpt:8082
[user@sys-net ~]$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
15234 807K PR-QBS all -- * * 0.0.0.0/0 0.0.0.0/0
15221 806K PR-QBS-SERVICES all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 DNAT tcp -- eth0 * 0.0.0.0/0
192.168.0.157 tcp dpt:443 to:10.137.0.6
0 0 DNAT tcp -- eth0 * 0.0.0.0/0
192.168.0.157 tcp dpt:80 to:10.137.0.6
0 0 DNAT tcp -- eth0 * 0.0.0.0/0
192.168.0.157 tcp dpt:8080 to:10.137.0.6
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 94 packets, 6298 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * vif+ 0.0.0.0/0 0.0.0.0/0
3 156 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
32726 2190K MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PR-QBS (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.1
udp dpt:53 to:10.139.1.1
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.1
tcp dpt:53 to:10.139.1.1
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.2
udp dpt:53 to:10.139.1.2
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.2
tcp dpt:53 to:10.139.1.2
Chain PR-QBS-SERVICES (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- vif+ * 0.0.0.0/0
10.137.255.254 tcp dpt:8082
Even if it starts to work, do I need to do the same for sys-whonix and VPN-VM?
(I use VPN using this technology https://github.com/tasket/Qubes-vpn-support)
Please put me on the right track. Thank!
P.S: Sorry my bad english :(
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/9ee9fbd2-55a8-40aa-bd0c-b31ea192c9df%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
