These are settings I've used:
sys-net:

route traffic from outside to sys-firewall

sudo iptables -t nat -A PREROUTING -i wls7 -p tcp --dport 51413 -d 192.168.1.25 -j DNAT --to-destination 10.137.0.6

open firewall for traffic from sys-net

sudo iptables -I FORWARD 2 -i wls7 -d 10.137.0.6 -p tcp --dport 51413 -m conntrack --ctstate NEW -j ACCEPT
sudo nft add rule ip qubes-firewall forward meta iifname wls7 ip daddr 10.137.0.6 tcp dport 51413 ct state new counter accept

sys-firewall:

route traffic from sys-net to sys-firewall

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 51413 -d 10.137.0.6 -j DNAT --to-destination 10.137.0.19

open traffic in firewall

sudo iptables -I FORWARD 2 -i eth0 -d 10.137.0.19 -p tcp --dport 51413 -m conntrack --ctstate NEW -j ACCEPT
sudo nft add rule ip qubes-firewall forward meta iifname eth0 ip saddr 192.168.1.25/24 ip daddr 10.137.0.19 tcp dport 51413 ct state new counter accept

transmission-vm:

/rw/config/rc.local

######################
# My service filtering

# Create a new firewall filtering chain for my service
if iptables -w -N MY-HTTPS; then

# Add a filtering rule if the chain did not exist yet (to avoid clutter if the script is executed multiple times)
  iptables -w -A MY-HTTPS -j ACCEPT

fi

# If no input rule exists for my service
if ! iptables -w -n -L INPUT | grep --quiet MY-HTTPS; then

# add an input rule for the traffic, udp and tcp (same reason)
  iptables -w -I INPUT 5 -d 10.137.0.6 -p udp --dport 51413 -m conntrack --ctstate NEW -j MY-HTTPS
  iptables -w -I INPUT 5 -d 10.137.0.6 -p tcp --dport 51413 -m conntrack --ctstate NEW -j MY-HTTPS

fi

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, October 24, 2019 5:49 PM, anarcomnor <anarcom...@protonmail.com> wrote:

> Hello dear qubers!
>
> I've been following [this](https://qubes-os.org/doc/firewall) guide on how to 
> open a port to the outside world with the intention of allowing Transmission 
> to connect, but I'm struggling. Transmission does not find any peers and 
> testing the port says it's closed. I've been following the guide very 
> carefully and done the commands with both tcp and udp protocols. The port has 
> been opened in the router.
>
> One thing I've been somewhat confused about is which interface I should use 
> when entering the commands. The examples always use eth0, but in my case the 
> physical NIC is called wls7 (even though it actually sometimes changes to 
> wls6, which doesn't make it easier, but let's just say it's wls7).
>
> As far as I understand wls7 is only used when applying rules in sys-net since 
> it is the only VM that can actually connect to it, so I'm hoping that's correct.
>
> I've tried switching things around, hoping to more or less stumble on a 
> configuration that works, but nothing seems to. Now I'm somewhat worried that 
> there are rules in place that might be conflicting and that this might 
> actually be the cause of my issue now.
>
> The way it's set up is I have a qube called Transmission connecting to 
> sys-firewall which again connects to sys-net.
>
> Can anyone help me out here?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/myb0qkMKesqlnhNQXXDt5eebrA5JuLW9ayKLCLlradz52W0sGAbWEKngOGBF4fkVeTMe171RWW__8rDlmu9AWe0U6g0cobDrqsvdKYPVCxg%3D%40protonmail.com.
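The forwarding described in this thread is a chain of hops (router to sys-net, sys-net to sys-firewall, sys-firewall to the app qube), and it only works when the DNAT target written at one hop is exactly the destination address matched at the next hop, with the final INPUT rule matching the app qube's own address. The script below is an added example and is not code from the thread or from the Qubes project: it takes one chain description, checks that consistency before anything is applied, and prints the per-hop commands in the same shape as those above (the `MY-HTTPS` chain and the rc.local idempotency checks are left out for brevity). The interface name, addresses and port are constructed placeholders laid out like the thread's setup; the sys-firewall rule is generated without the `ip saddr` match, and the `iptables -I FORWARD 2` / `INPUT 5` positions are kept as assumptions copied from the thread rather than verified against any particular Qubes release.

```shell
#!/bin/sh
# Added example, not from the original thread: build the rules for a multi-hop
# Qubes port forward from a single chain description and verify that each
# hop's DNAT target is the address the next hop matches on. Commands are only
# printed for review; nothing is applied to a live firewall.

PORT=51413   # constructed placeholder (Transmission's default peer port)

# One hop per line: "<qube> <inbound iface> <addr matched here> <DNAT target>".
# The DNAT target of a line must equal the matched address of the next line.
# Constructed sample in the thread's layout: NIC in sys-net -> sys-firewall.
CHAIN='sys-net wls7 192.168.1.25 10.137.0.6
sys-firewall eth0 10.137.0.6 10.137.0.19'

APP_IP=10.137.0.19   # the app qube's own address, i.e. the last DNAT target

# check_chain CHAIN APP_IP -> 0 if consistent; otherwise prints the first
# mismatch and returns 1.
check_chain() {
  _prev=""
  while read -r _q _if _in _next; do
    [ -z "$_q" ] && continue
    if [ -n "$_prev" ] && [ "$_prev" != "$_in" ]; then
      echo "mismatch at $_q: previous hop forwards to $_prev, this hop matches $_in"
      return 1
    fi
    _prev=$_next
  done <<EOF
$1
EOF
  if [ "$_prev" != "$2" ]; then
    echo "last hop forwards to $_prev, but the app qube's address is $2"
    return 1
  fi
  return 0
}

# hop_rules QUBE IFACE IN_ADDR NEXT_ADDR -> nat + forward rules for one
# forwarding qube, for both tcp and udp (same shape as the thread's commands).
hop_rules() {
  _q=$1; _if=$2; _in=$3; _next=$4
  echo "# $_q"
  for _p in tcp udp; do
    echo "iptables -t nat -A PREROUTING -i $_if -p $_p --dport $PORT -d $_in -j DNAT --to-destination $_next"
    echo "iptables -I FORWARD 2 -i $_if -d $_next -p $_p --dport $PORT -m conntrack --ctstate NEW -j ACCEPT"
    echo "nft add rule ip qubes-firewall forward meta iifname $_if ip daddr $_next $_p dport $PORT ct state new counter accept"
  done
}

# app_rules APP_IP -> INPUT rules for the final qube. They match the qube's
# own address (the last DNAT target), never an upstream qube's address.
app_rules() {
  echo "# app qube"
  for _p in tcp udp; do
    echo "iptables -I INPUT 5 -d $1 -p $_p --dport $PORT -m conntrack --ctstate NEW -j ACCEPT"
  done
}

# generate CHAIN APP_IP -> the full rule listing, or status 1 (with the
# mismatch on stderr) when the chain is inconsistent.
generate() {
  check_chain "$1" "$2" >&2 || return 1
  while read -r _q _if _in _next; do
    [ -n "$_q" ] && hop_rules "$_q" "$_if" "$_in" "$_next"
  done <<EOF
$1
EOF
  app_rules "$2"
}

generate "$CHAIN" "$APP_IP"
```

Run it once with your own values filled in and compare its output hop by hop against what is actually loaded (`iptables -t nat -S PREROUTING`, `nft list chain ip qubes-firewall forward`, `iptables -S INPUT` in each qube); a rule whose destination is a different address than the one the previous hop rewrites to is the usual reason a port test reports "closed" even though every individual command was accepted.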