I'm struggling to follow the instructions on 
https://www.qubes-os.org/doc/firewall/#port-forwarding-to-a-qube-from-the-outside-world

Whatever my mistake is, I hope it's easy for someone to spot.  I can't seem to 
spot it myself, despite a lot of trying.

The good news is that `iptables` shows forwarding through sys-net.  The trouble 
is that sys-firewall shows no signs of receiving that traffic.  In the output 
that follows, `MY-SLIM` is the label I'm working on, port 9000.

Here's evidence on `sys-net` that packets are forwarded:

```
[user@sys-net ~]$ sudo iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8082
    0     0 DROP       udp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
   28 18042 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  vif+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  vif+   *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
  768 32256 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
60282   56M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   26  1344 MY-SLIM    tcp  --  ens5   *       0.0.0.0/0            10.137.0.6           tcp dpt:9000 ctstate NEW
  837 46024 QBS-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  vif+   vif+    0.0.0.0/0            0.0.0.0/0
  811 44680 ACCEPT     all  --  vif+   *       0.0.0.0/0            0.0.0.0/0
   26  1344 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 26 packets, 1929 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain MY-SLIM (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0

Chain QBS-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
```

(I'm looking at the MY-SLIM row under "Chain FORWARD" above.  Should I be 
concerned that the counts are 0 under "Chain MY-SLIM"?)

Meanwhile on `sys-firewall`, I get no count for MY-SLIM:

```
[user@sys-firewall ~]$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 84 packets, 4444 bytes)
 pkts bytes target     prot opt in     out     source               destination
  152  8823 PR-QBS     all  --  *      *       0.0.0.0/0            0.0.0.0/0
   84  4444 PR-QBS-SERVICES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 MY-SLIM    tcp  --  eth0   *       0.0.0.0/0            10.137.0.6           tcp dpt:9000

[snip, for brevity]
```

Here are the `/rw/config/qubes-firewall-user-script` files that I'm using on both 
VMs (note: I originally had this code in `rc.local` on sys-net, as per the 
documentation, but I find the `nft add ...` call doesn't "stick" unless I move 
it to `qubes-firewall-user-script`.  Also, you'll note I have commented-out lines 
that forward port 3483; my goal is to uncomment those lines after I have port 
9000 working.)

First on `sys-net`:

```
#!/bin/sh

# This script is called in AppVMs after every firewall update (configuration
# change, starting some VM etc). This is a good place to write your own custom
# firewall rules, in addition to the autogenerated ones. Remember that in most
# cases you'll need to insert the rules at the beginning (iptables -I) for them
# to be effective.

# debug
touch /rw/config/QUBES-FIREWALL-USER-SCRIPT


# Slim server
# https://www.qubes-os.org/doc/firewall/#port-forwarding-to-a-qube-from-the-outside-world
# 10.137.0.6 is sys-firewall

# nat chain: rewrite the destination to sys-firewall (created only once)
if iptables -t nat -N MY-SLIM; then
        iptables -t nat -A MY-SLIM -j DNAT --to-destination 10.137.0.6
fi

if ! iptables -t nat -n -L PREROUTING | grep --quiet MY-SLIM; then
        iptables -t nat -A PREROUTING -i ens5 -p tcp --dport 9000 -d 192.168.1.101 -j MY-SLIM
#       iptables -t nat -A PREROUTING -i ens5 -p tcp --dport 3483 -d 192.168.1.101 -j MY-SLIM
#       iptables -t nat -A PREROUTING -i ens5 -p udp --dport 3483 -d 192.168.1.101 -j MY-SLIM
fi

# filter chain: accept the forwarded connections coming from the LAN
if iptables -N MY-SLIM; then
        iptables -A MY-SLIM -s 192.168.1.0/24 -j ACCEPT
fi

if ! iptables -n -L FORWARD | grep --quiet MY-SLIM; then
        iptables -I FORWARD 2 -i ens5 -d 10.137.0.6 -p tcp --dport 9000 -m conntrack --ctstate NEW -j MY-SLIM
#       iptables -I FORWARD 2 -i ens5 -d 10.137.0.6 -p tcp --dport 3483 -m conntrack --ctstate NEW -j MY-SLIM
#       iptables -I FORWARD 2 -i ens5 -d 10.137.0.6 -p udp --dport 3483 -m conntrack --ctstate NEW -j MY-SLIM
fi

# the nftables qubes-firewall table also has to accept the forwarded traffic
if ! nft -nn list table ip qubes-firewall | grep --quiet "tcp dport 9000 ct state new"; then
        touch /rw/config/QUBES-FIREWALL-USER-SCRIPT-NFT
        nft add rule ip qubes-firewall forward meta iifname ens5 ip daddr 10.137.0.6 tcp dport 9000 ct state new counter accept
#       nft add rule ip qubes-firewall forward meta iifname ens5 ip daddr 10.137.0.6 tcp dport 3483 ct state new counter accept
#       nft add rule ip qubes-firewall forward meta iifname ens5 ip daddr 10.137.0.6 udp dport 3483 ct state new counter accept
fi
```


And here's `sys-firewall`:

```
#!/bin/sh

# This script is called in AppVMs after every firewall update (configuration
# change, starting some VM etc). This is a good place to write your own custom
# firewall rules, in addition to the autogenerated ones. Remember that in most
# cases you'll need to insert the rules at the beginning (iptables -I) for them
# to be effective.

# debug
touch /rw/config/QUBES-FIREWALL-USER-SCRIPT

# https://www.qubes-os.org/doc/firewall/#port-forwarding-to-a-qube-from-the-outside-world
# 10.137.0.16 is the destination qube

# nat chain: rewrite the destination to the target qube (created only once;
# the script already runs as root, so no sudo is needed here)
if iptables -t nat -N MY-SLIM; then
        iptables -t nat -A MY-SLIM -j DNAT --to-destination 10.137.0.16
fi

if ! iptables -t nat -n -L PREROUTING | grep --quiet MY-SLIM; then
        iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9000 -d 10.137.0.6 -j MY-SLIM
#       iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3483 -d 10.137.0.6 -j MY-SLIM
#       iptables -t nat -A PREROUTING -i eth0 -p udp --dport 3483 -d 10.137.0.6 -j MY-SLIM
fi

# filter chain: accept the forwarded connections
if iptables -N MY-SLIM; then
        iptables -A MY-SLIM -j ACCEPT
fi

if ! iptables -n -L FORWARD | grep --quiet MY-SLIM; then
        # FORWARD 4, or FORWARD 2 ???
        iptables -I FORWARD 4 -d 10.137.0.16 -p tcp --dport 9000 -m conntrack --ctstate NEW -j MY-SLIM
#       iptables -I FORWARD 4 -d 10.137.0.16 -p tcp --dport 3483 -m conntrack --ctstate NEW -j MY-SLIM
#       iptables -I FORWARD 4 -d 10.137.0.16 -p udp --dport 3483 -m conntrack --ctstate NEW -j MY-SLIM
fi

# the nftables qubes-firewall table also has to accept the forwarded traffic
if ! nft -nn list table ip qubes-firewall | grep --quiet "tcp dport 9000 ct state new"; then
        nft add rule ip qubes-firewall forward meta iifname eth0 ip daddr 10.137.0.16 tcp dport 9000 ct state new counter accept
#       nft add rule ip qubes-firewall forward meta iifname eth0 ip daddr 10.137.0.16 tcp dport 3483 ct state new counter accept
#       nft add rule ip qubes-firewall forward meta iifname eth0 ip daddr 10.137.0.16 udp dport 3483 ct state new counter accept
fi
```

I've triple checked my ip addresses, and everything else I can think of!

```
[user@sys-net ~]$ ifconfig | grep -i cast
ens5: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.101  netmask 255.255.255.0  broadcast 192.168.1.255
vif21.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.137.0.5  netmask 255.255.255.255  broadcast 0.0.0.0

```

```
[user@sys-firewall ~]$ ifconfig | grep -i cast
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.137.0.6  netmask 255.255.255.255  broadcast 10.255.255.255
vif22.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.137.0.6  netmask 255.255.255.255  broadcast 0.0.0.0
vif23.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.137.0.6  netmask 255.255.255.255  broadcast 0.0.0.0
vif4.0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 10.137.0.6  netmask 255.255.255.255  broadcast 0.0.0.0

```

If I've left out important details, let me know and I'll provide them.  I'd 
really appreciate any help!
-Dave
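As an added diagnostic example (not from the original post and not part of Qubes OS): a small Python parser for `iptables -L -v -n` output that compares, for every user-defined chain, the packets that jumped into it with the packets its own rules counted. A packet that matches no rule in a user chain returns to the calling chain, so the difference is the traffic that fell through to the later rules and the policy. The embedded sample is the sys-net FORWARD listing quoted above, re-joined one rule per line as iptables prints it; the chain and rule names come from the post, everything else is this example's own code. On that input it reports that MY-SLIM received 26 packets and matched none (its only rule requires a source in 192.168.1.0/24), and that the final DROP in FORWARD counted exactly those 26.

```python
"""Parse `iptables -L -v -n` output and show where forwarded packets went.

Added example for the thread above; not the poster's code and not Qubes code.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the sys-net FORWARD listing quoted in the post, with each
# rule re-joined onto a single line (the mail client had wrapped them).
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
60282   56M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   26  1344 MY-SLIM    tcp  --  ens5   *       0.0.0.0/0            10.137.0.6           tcp dpt:9000 ctstate NEW
  837 46024 QBS-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  vif+   vif+    0.0.0.0/0            0.0.0.0/0
  811 44680 ACCEPT     all  --  vif+   *       0.0.0.0/0            0.0.0.0/0
   26  1344 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MY-SLIM (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0

Chain QBS-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""

_CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) |(\d+) references)")
_SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_count(token: str) -> int:
    """iptables -v abbreviates large counters as e.g. '56M' (decimal multiples)."""
    if token[-1] in _SUFFIX:
        return int(token[:-1]) * _SUFFIX[token[-1]]
    return int(token)


@dataclass
class Rule:
    pkts: int
    target: str
    proto: str
    in_if: str
    out_if: str
    source: str
    dest: str
    extra: str          # everything after the destination column (matches)


@dataclass
class Chain:
    name: str
    policy: Optional[str]        # None for user-defined chains
    rules: List[Rule] = field(default_factory=list)


def parse_listing(text: str) -> Dict[str, Chain]:
    """Return {chain name: Chain} from `iptables -L -v -n` output."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for line in text.splitlines():
        m = _CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        f = line.split()
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue                     # blank line or the column header
        current.rules.append(Rule(parse_count(f[0]), f[2], f[3], f[5], f[6],
                                  f[7], f[8], " ".join(f[9:])))
    return chains


def chain_fallthrough(chains: Dict[str, Chain]) -> Dict[str, Tuple[int, int]]:
    """For each user-defined chain: (packets that jumped in, packets its rules matched).

    The difference is traffic that matched nothing in the chain and returned
    to the caller, where the remaining rules and the policy decide its fate.
    """
    result = {}
    for name, chain in chains.items():
        if chain.policy is not None:     # built-in chain, nothing jumps into it
            continue
        entered = sum(r.pkts for c in chains.values() for r in c.rules
                      if r.target == name)
        matched = sum(r.pkts for r in chain.rules)
        result[name] = (entered, matched)
    return result


def active_drops(chains: Dict[str, Chain], chain_name: str) -> List[Tuple[int, str, str, str]]:
    """DROP/REJECT rules in a chain whose counters are non-zero."""
    return [(r.pkts, r.target, r.source, r.dest)
            for r in chains[chain_name].rules
            if r.target in ("DROP", "REJECT") and r.pkts > 0]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for name, (entered, matched) in chain_fallthrough(parsed).items():
        print(f"{name}: {entered} packets entered, {matched} matched a rule, "
              f"{entered - matched} returned unmatched")
    for pkts, target, src, dst in active_drops(parsed, "FORWARD"):
        print(f"FORWARD {target} counted {pkts} packets ({src} -> {dst})")
```

To use it on a live system, pipe `sudo iptables -L -v -n` into `parse_listing` instead of `SAMPLE`; running it twice around a test connection and diffing the counters shows which rule a new flow actually hit.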

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2caa2b1e-158e-412b-b5e2-dfce9b126ae4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
