Hello,

I am trying to use the application Syncthing[1] and also SSBC[2]-based applications like patchwork[3] on Qubes 4.0-rc1.

Those applications use local discovery on your network to connect to other local peers. For my use case, it is critical that I don't depend on any external servers outside of my network for synchronization of data. It is not specifically a privacy stance, but simply the fact that I don't always have access to reliable and speedy internet, and I want some of my data to be seamlessly synchronized between my phone and laptop (for example, camera pictures).

[1] https://syncthing.net/
[2] https://github.com/ssbc/secure-scuttlebutt
[3] https://github.com/ssbc/patchwork

Syncthing, for example, requires port 22000/tcp to be available, and the discovery/broadcast happens on port 21027/udp. I have tried the following setup on my sys-net:

iptables -t nat -A PREROUTING -p tcp --dport 22000 -d 192.168.0.11 -j DNAT --to-destination <sys-firewall-ip>
iptables -t nat -A PREROUTING -p udp --dport 21027 -j DNAT --to-destination <sys-firewall-ip>
iptables -I FORWARD 2 -d <sys-firewall-ip> -p tcp --dport 22000 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD 2 -d <sys-firewall-ip> -p udp --dport 21027 -m conntrack --ctstate NEW -j ACCEPT

Then on the sys-firewall I have:

iptables -t nat -A PREROUTING -p udp --dport 21027 -j DNAT --to-destination <syncthing-vm-ip>
iptables -t nat -A PREROUTING -p tcp --dport 22000 -d 10.137.0.4 -j DNAT --to-destination <syncthing-vm-ip>
iptables -I FORWARD 2 -d <syncthing-vm-ip> -p udp --dport 21027 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD 2 -d <syncthing-vm-ip> -p tcp --dport 22000 -m conntrack --ctstate NEW -j ACCEPT

Finally, on the syncthing-vm IP, I just accept everything in input (this is temporary; I'll reduce it to only the needed listening when I am able to make it work):

iptables -I INPUT 1 -j ACCEPT

But with all that, my devices are not discovered on the network.

Any clue or idea how I could use this kind of tool in Qubes?

Thanks in advance for any help.

Best regards
