Hello friends! Please help me :(
I need to configure port forwarding to a Kali Linux VM via sys-net ---> 
sys-firewall ---> sys-whonix ---> VPN-VM ---> KaliVM, to use Meterpreter and 
apache2 on my Kali Linux VM. At first I tried to use these scripts:
https://gist.github.com/jpouellet/d8cd0eb8589a5b9bf0c53a28fc530369
https://gist.github.com/Joeviocoe/6c4dc0c283f6d6c5b1a3f5af8793292b
https://github.com/niccokunzmann/qvm-expose-port
I transferred them to the dom0 machine, into the /usr/local/bin/ folder.
I tried to run these scripts, but ports 443, 8080 and 80 do not work on the Kali 
Linux VM.
Then I tried to do it manually:
https://www.qubes-os.org/doc/firewall/#port-forwarding-to-a-qube-from-the-outside-world
[user@sys-net ~]$ ifconfig | grep -i cast
ens6: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
ens5f0u1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.157  netmask 255.255.255.0  broadcast 192.168.0.255
vif3.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.137.0.5  netmask 255.255.255.255  broadcast 0.0.0.0
wls7: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500


[user@sys-net ~]$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 
-d 192.168.0.157 -j DNAT --to-destination 10.137.0.6

[user@sys-net ~]$ sudo iptables -I FORWARD 2 -i eth0 -d 10.137.1.6 -p tcp 
--dport 443 -m conntrack --ctstate NEW -j ACCEPT 
                                                                             
[user@sys-net ~]$ sudo nft add rule ip qubes-firewall forward meta iifname eth0 
ip daddr 10.137.0.6 tcp dport 443 ct state new counter accept

[user@sys-net ~]$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 3 packets, 156 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
15233  807K PR-QBS     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
15220  806K PR-QBS-SERVICES  all  --  *      *       0.0.0.0/0            
0.0.0.0/0           
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            
192.168.0.157        tcp dpt:443 to:10.137.0.6

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
       

Chain OUTPUT (policy ACCEPT 1546 packets, 104K bytes)
 pkts bytes target     prot opt in     out     source               destination 
       

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 ACCEPT     all  --  *      vif+    0.0.0.0/0            0.0.0.0/0   
        
    3   156 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0   
        
30894 2067K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0  
        

Chain PR-QBS (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            10.139.1.1  
         udp dpt:53 to:10.139.1.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.139.1.1  
         tcp dpt:53 to:10.139.1.1
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            10.139.1.2  
         udp dpt:53 to:10.139.1.2
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.139.1.2  
         tcp dpt:53 to:10.139.1.2

Chain PR-QBS-SERVICES (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 REDIRECT   tcp  --  vif+   *       0.0.0.0/0            
10.137.255.254       tcp dpt:8082
[user@sys-net ~]$ sudo iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 ACCEPT     tcp  --  vif+   *       0.0.0.0/0            0.0.0.0/0   
         tcp dpt:8082
    0     0 DROP       udp  --  vif+   *       0.0.0.0/0            0.0.0.0/0   
         udp dpt:68
44760 4252K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  vif+   *       0.0.0.0/0            0.0.0.0/0   
        
    3   156 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 REJECT     all  --  vif+   *       0.0.0.0/0            0.0.0.0/0   
         reject-with icmp-host-prohibited
   62  2480 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
       

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
 660K  438M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            10.137.1.6  
         tcp dpt:443 ctstate NEW
  163  8531 QBS-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0 
          
    0     0 DROP       all  --  vif+   vif+    0.0.0.0/0            0.0.0.0/0   
        
  163  8531 ACCEPT     all  --  vif+   *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
       

Chain OUTPUT (policy ACCEPT 3220 packets, 216K bytes)
 pkts bytes target     prot opt in     out     source               destination 
       

Chain QBS-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
[user@sys-net ~]$  nft list table ip qubes-firewall
internal:0:0-0: Error: Could not receive tables from kernel: Operation not 
permitted

[user@sys-net ~]$ sudo nft list table ip qubes-firewall
table ip qubes-firewall {
        chain forward {
                type filter hook forward priority 0; policy drop;
                ct state established,related accept
                ip saddr 10.137.0.6 jump qbs-10-137-0-6
                iifname "eth0" ip daddr 10.137.0.6 tcp dport https ct state new 
counter packets 0 bytes 0 accept
        }

        chain qbs-10-137-0-6 {
                accept
                drop
        }
}
[user@sys-net ~]$ telnet 192.168.0.157 443
bash: telnet: command not found...
Install package 'telnet' to provide command 'telnet'? [N/y] n


Then I did the same on sys-firewall, following the instructions:

[user@sys-firewall ~]$ ifconfig | grep -i cast
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.137.0.6  netmask 255.255.255.255  broadcast 10.255.255.255
vif4.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.137.0.6  netmask 255.255.255.255  broadcast 0.0.0.0
vif5.0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 10.137.0.6  netmask 255.255.255.255  broadcast 0.0.0.0
vif6.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.137.0.6  netmask 255.255.255.255  broadcast 0.0.0.0

[user@sys-firewall ~]$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp 
--dport 443 -d 10.137.0.6 -j DNAT --to-destination 10.137.0.23
[user@sys-firewall ~]$ sudo iptables -I FORWARD 2 -i eth0 -s 192.168.0.1/24 -d 
10.137.0.23 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
[user@sys-firewall ~]$ sudo nft add rule ip qubes-firewall forward meta iifname 
eth0 ip saddr 192.168.0.1/24 ip daddr 10.137.0.23 tcp dport 443 ct state new 
counter accept
[user@sys-firewall ~]$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 1 packets, 52 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
 2363  133K PR-QBS     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
 2354  132K PR-QBS-SERVICES  all  --  *      *       0.0.0.0/0            
0.0.0.0/0           
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            10.137.0.6  
         tcp dpt:443 to:10.137.0.23

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
       

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
       

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 ACCEPT     all  --  *      vif+    0.0.0.0/0            0.0.0.0/0   
        
    3   156 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0   
        
 2262  117K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0  
        

Chain PR-QBS (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            10.139.1.1  
         udp dpt:53 to:10.139.1.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.139.1.1  
         tcp dpt:53 to:10.139.1.1
    9   625 DNAT       udp  --  *      *       0.0.0.0/0            10.139.1.2  
         udp dpt:53 to:10.139.1.2
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.139.1.2  
         tcp dpt:53 to:10.139.1.2

Chain PR-QBS-SERVICES (1 references)
 pkts bytes target     prot opt in     out     source               destination 
       


Then I wanted to set up ports 80 and 8080 as well, and did it for sys-net, but now the 
packets are not transmitted to sys-firewall. I'm stuck on this issue:

[user@sys-net ~]$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 
-d 192.168.0.157 -j DNAT --to-destination 10.137.0.6
[user@sys-net ~]$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 
8080 192.168.0.157 -j DNAT --to-destination 10.137.0.6
Bad argument `192.168.0.157'
Try `iptables -h' or 'iptables --help' for more information.
[user@sys-net ~]$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 
8080 -d 192.168.0.157 -j DNAT --to-destination 10.137.0.6
[user@sys-net ~]$ sudo iptables -I FORWARD 2 -i eth0 -d 10.137.1.6 -p tcp 
--dport 80 -m conntrack --ctstate NEW -j ACCEPT 
[user@sys-net ~]$ sudo iptables -I FORWARD 2 -i eth0 -d 10.137.1.6 -p tcp 
--dport 8080 -m conntrack --ctstate NEW -j ACCEPT 
[user@sys-net ~]$ sudo nft add rule ip qubes-firewall forward meta iifname eth0 
ip daddr 10.137.0.6 tcp dport 80 ct state new counter accept
[user@sys-net ~]$ sudo nft add rule ip qubes-firewall forward meta iifname eth0 
ip daddr 10.137.0.6 tcp dport 8080 ct state new counter accept
[user@sys-net ~]$ iptables -t nat -L -v -n
iptables v1.6.1: can't initialize iptables table `nat': Permission denied (you 
must be root)
Perhaps iptables or your kernel needs to be upgraded.
[user@sys-net ~]$ sudo iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 ACCEPT     tcp  --  vif+   *       0.0.0.0/0            0.0.0.0/0   
         tcp dpt:8082
    0     0 DROP       udp  --  vif+   *       0.0.0.0/0            0.0.0.0/0   
         udp dpt:68
46258 4394K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  vif+   *       0.0.0.0/0            0.0.0.0/0   
        
    3   156 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 REJECT     all  --  vif+   *       0.0.0.0/0            0.0.0.0/0   
         reject-with icmp-host-prohibited
   62  2480 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
       

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
 708K  456M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            10.137.1.6  
         tcp dpt:8080 ctstate NEW
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            10.137.1.6  
         tcp dpt:80 ctstate NEW
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            10.137.1.6  
         tcp dpt:443 ctstate NEW
  164  8583 QBS-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0 
          
    0     0 DROP       all  --  vif+   vif+    0.0.0.0/0            0.0.0.0/0   
        
  164  8583 ACCEPT     all  --  vif+   *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
       

Chain OUTPUT (policy ACCEPT 36 packets, 2412 bytes)
 pkts bytes target     prot opt in     out     source               destination 
       

Chain QBS-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
[user@sys-net ~]$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
15234  807K PR-QBS     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
15221  806K PR-QBS-SERVICES  all  --  *      *       0.0.0.0/0            
0.0.0.0/0           
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            
192.168.0.157        tcp dpt:443 to:10.137.0.6
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            
192.168.0.157        tcp dpt:80 to:10.137.0.6
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            
192.168.0.157        tcp dpt:8080 to:10.137.0.6

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
       

Chain OUTPUT (policy ACCEPT 52 packets, 3484 bytes)
 pkts bytes target     prot opt in     out     source               destination 
       

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 ACCEPT     all  --  *      vif+    0.0.0.0/0            0.0.0.0/0   
        
    3   156 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0   
        
32684 2187K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0  
        

Chain PR-QBS (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            10.139.1.1  
         udp dpt:53 to:10.139.1.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.139.1.1  
         tcp dpt:53 to:10.139.1.1
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            10.139.1.2  
         udp dpt:53 to:10.139.1.2
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.139.1.2  
         tcp dpt:53 to:10.139.1.2

Chain PR-QBS-SERVICES (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 REDIRECT   tcp  --  vif+   *       0.0.0.0/0            
10.137.255.254       tcp dpt:8082

[user@sys-net ~]$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
15234  807K PR-QBS     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
15221  806K PR-QBS-SERVICES  all  --  *      *       0.0.0.0/0            
0.0.0.0/0           
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            
192.168.0.157        tcp dpt:443 to:10.137.0.6
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            
192.168.0.157        tcp dpt:80 to:10.137.0.6
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            
192.168.0.157        tcp dpt:8080 to:10.137.0.6

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
       

Chain OUTPUT (policy ACCEPT 70 packets, 4690 bytes)
 pkts bytes target     prot opt in     out     source               destination 
       

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 ACCEPT     all  --  *      vif+    0.0.0.0/0            0.0.0.0/0   
        
    3   156 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0   
        
32702 2189K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0  
        

Chain PR-QBS (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            10.139.1.1  
         udp dpt:53 to:10.139.1.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.139.1.1  
         tcp dpt:53 to:10.139.1.1
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            10.139.1.2  
         udp dpt:53 to:10.139.1.2
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.139.1.2  
         tcp dpt:53 to:10.139.1.2

Chain PR-QBS-SERVICES (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 REDIRECT   tcp  --  vif+   *       0.0.0.0/0            
10.137.255.254       tcp dpt:8082

[user@sys-net ~]$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
15234  807K PR-QBS     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
15221  806K PR-QBS-SERVICES  all  --  *      *       0.0.0.0/0            
0.0.0.0/0           
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            
192.168.0.157        tcp dpt:443 to:10.137.0.6
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            
192.168.0.157        tcp dpt:80 to:10.137.0.6
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            
192.168.0.157        tcp dpt:8080 to:10.137.0.6

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
       

Chain OUTPUT (policy ACCEPT 94 packets, 6298 bytes)
 pkts bytes target     prot opt in     out     source               destination 
       

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 ACCEPT     all  --  *      vif+    0.0.0.0/0            0.0.0.0/0   
        
    3   156 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0   
        
32726 2190K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0  
        

Chain PR-QBS (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            10.139.1.1  
         udp dpt:53 to:10.139.1.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.139.1.1  
         tcp dpt:53 to:10.139.1.1
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            10.139.1.2  
         udp dpt:53 to:10.139.1.2
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.139.1.2  
         tcp dpt:53 to:10.139.1.2

Chain PR-QBS-SERVICES (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 REDIRECT   tcp  --  vif+   *       0.0.0.0/0            
10.137.255.254       tcp dpt:8082

Even if it starts to work, do I need to do the same for sys-whonix and VPN-VM?

(I use a VPN set up with this project: https://github.com/tasket/Qubes-vpn-support)

Please put me on the right track. Thanks!

P.S.: Sorry for my bad English :(

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9ee9fbd2-55a8-40aa-bd0c-b31ea192c9df%40googlegroups.com.
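Added example (editor's code, not from the original post, the linked gists or the Qubes OS project). It generates the three per-port rules that the linked Qubes 4.0 firewall documentation gives for one hop, but takes the upstream interface from the default route instead of assuming it is called eth0: in the sys-net `ifconfig` output above the interfaces are ens6, ens5f0u1, vif3.0 and wls7, and 192.168.0.157 sits on ens5f0u1, so a rule with `-i eth0` can never match on that qube (which is consistent with the DNAT counters staying at 0 in every sys-net listing). It also uses one variable for the DNAT target and the FORWARD destination, so the 10.137.0.6 / 10.137.1.6 mismatch visible in the sys-net listings cannot recur, and it includes a check that flags DNAT rules bound to an interface the qube does not have. Assumed, not taken from the post: the hop runs the Qubes 4.0 iptables + nft `qubes-firewall` layout shown in the listings, the caller supplies each hop's next-hop address, and the route line in the demo is a constructed sample.

```shell
#!/bin/sh
# Added example (editor's code, not from the original post or the Qubes project).
# Generates the three per-port forwarding rules for one Qubes 4.0 hop without
# hard-coding "eth0" as the upstream interface.
set -u

# Interface named after "dev" in a default-route line. The line is passed as $1
# so the function works offline; live use: upstream_iface "$(ip -4 route show default)"
upstream_iface() {
  prev=""
  for word in $1; do
    if [ "$prev" = "dev" ]; then printf '%s\n' "$word"; return 0; fi
    prev="$word"
  done
  return 1
}

# Emit (not run) the rules one hop needs for one TCP port:
#   1. DNAT in nat/PREROUTING from this hop's upstream address to the next hop
#   2. iptables FORWARD accept for the new connection, inserted at position 2
#      (after the RELATED,ESTABLISHED rule), as in the Qubes documentation
#   3. the matching accept in the nft "qubes-firewall" forward chain
# The DNAT target and the FORWARD destination are the same argument ($3), so
# they cannot drift apart.  $1 = upstream iface, $2 = this hop's upstream IP,
# $3 = next-hop IP (the next qube's eth0 address), $4 = TCP port
hop_rules() {
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -d %s -j DNAT --to-destination %s\n' "$1" "$4" "$2" "$3"
  printf 'iptables -I FORWARD 2 -i %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$1" "$3" "$4"
  printf 'nft add rule ip qubes-firewall forward meta iifname %s ip daddr %s tcp dport %s ct state new counter accept\n' "$1" "$3" "$4"
}

# Same, for a space-separated port list in $4.
hop_rules_for_ports() {
  for port in $4; do hop_rules "$1" "$2" "$3" "$port"; done
}

# Run the generated rules with sudo, or only print them when DRY_RUN=1.
apply_hop() {
  hop_rules_for_ports "$@" | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$cmd"; else sudo sh -c "$cmd"; fi
  done
}

# Check: given the text of `iptables -t nat -L -v -n` ($1) and the interface
# names that exist on this qube ($2; live: ip -o link | awk -F': ' '{print $2}'),
# report DNAT rules whose input interface does not exist. Columns of a -v -n
# listing are: pkts bytes target prot opt in out source destination [extras]
dnat_rules_on_missing_iface() {
  listing="$1"; ifaces=" $2 "
  printf '%s\n' "$listing" | while read -r pk by target pr op in_if ou rest; do
    [ "$target" = "DNAT" ] || continue
    [ "$in_if" = "*" ] && continue
    case "$ifaces" in
      *" $in_if "*) ;;
      *) printf 'DNAT rule on nonexistent input interface %s (%s)\n' "$in_if" "$rest" ;;
    esac
  done
}

# Demo with the sys-net addresses from the post. The route line is a
# constructed sample; on a real qube take it from `ip -4 route show default`.
DRY_RUN=1
iface=$(upstream_iface 'default via 192.168.0.1 dev ens5f0u1 proto dhcp metric 100')
apply_hop "$iface" 192.168.0.157 10.137.0.6 '443 80 8080'
```

Each qube in the chain is its own NAT router (every listing above ends in a MASQUERADE rule), so the same three rules are needed on every intermediate qube, each with that qube's own upstream interface and address and the next qube's eth0 address as the target; run the script on sys-net, then sys-firewall, and so on, unsetting DRY_RUN to apply. After applying, `sudo iptables -t nat -L PREROUTING -v -n` should show the DNAT counters increase when a connection comes in from the LAN; if they stay at 0, feed that listing and the qube's interface names to `dnat_rules_on_missing_iface` before looking anywhere else. The nft rule string is the one from the Qubes 4.0 documentation that the post follows; these rules are not persistent across a qube restart unless added to that qube's rc.local, which the same documentation covers.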