I'm struggling to follow the instructions on https://www.qubes-os.org/doc/firewall/#port-forwarding-to-a-qube-from-the-outside-world
Whatever my mistake is, I hope it's easy for someone to spot. I can't seem to spot it myself, despite a lot of trying. The good news is that `iptables` shows forwarding through sys-net. The trouble is that sys-firewall shows no signs of receiving that traffic. In the output that follows, `MY-SLIM` is the label I'm working on, port 9000.

Here's evidence on `sys-net` that packets are forwarded:

```
[user@sys-net ~]$ sudo iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8082
    0     0 DROP       udp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
   28 18042 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  vif+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  vif+   *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
  768 32256 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
60282   56M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   26  1344 MY-SLIM    tcp  --  ens5   *       0.0.0.0/0            10.137.0.6           tcp dpt:9000 ctstate NEW
  837 46024 QBS-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  vif+   vif+    0.0.0.0/0            0.0.0.0/0
  811 44680 ACCEPT     all  --  vif+   *       0.0.0.0/0            0.0.0.0/0
   26  1344 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 26 packets, 1929 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain MY-SLIM (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0

Chain QBS-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
```

(I'm looking at the MY-SLIM row under "Chain FORWARD" above. Should I be concerned that the counts are 0 under "Chain MY-SLIM"?)

Meanwhile on `sys-firewall`, I get no count for MY-SLIM:

```
[user@sys-firewall ~]$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 84 packets, 4444 bytes)
 pkts bytes target     prot opt in     out     source               destination
  152  8823 PR-QBS     all  --  *      *       0.0.0.0/0            0.0.0.0/0
   84  4444 PR-QBS-SERVICES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 MY-SLIM    tcp  --  eth0   *       0.0.0.0/0            10.137.0.6           tcp dpt:9000
[snip, for brevity]
```

Here are the `/rw/config/qubes-firewall-user-script` files that I'm using on both VMs (note: I originally had this code in `rc.local` on sys-net, as per the documentation, but I find the `nft add ...` call doesn't "stick" unless I move it to `qubes-firewall-user-script`. Also, you'll note I have commented-out lines that forward port 3483; my goal is to uncomment those lines after I have port 9000 working.)

First on `sys-net`:

```
#!/bin/sh

# This script is called in AppVMs after every firewall update (configuration
# change, starting some VM etc). This is good place to write own custom
# firewall rules, in addition to autogenerated ones. Remember that in most cases
# you'll need to insert the rules at the beginning (iptables -I) for it to be
# effective.

# debug
touch /rw/config/QUBES-FIREWALL-USER-SCRIPT

# Slim server
# https://www.qubes-os.org/doc/firewall/#port-forwarding-to-a-qube-from-the-outside-world
# 10.137.0.6 is sys-firewall

# nat table: DNAT inbound 9000 on the external address to sys-firewall
if iptables -t nat -N MY-SLIM; then
  iptables -t nat -A MY-SLIM -j DNAT --to-destination 10.137.0.6
fi
if ! iptables -t nat -n -L PREROUTING | grep --quiet MY-SLIM; then
  iptables -t nat -A PREROUTING -i ens5 -p tcp --dport 9000 -d 192.168.1.101 -j MY-SLIM
  # iptables -t nat -A PREROUTING -i ens5 -p tcp --dport 3483 -d 192.168.1.101 -j MY-SLIM
  # iptables -t nat -A PREROUTING -i ens5 -p udp --dport 3483 -d 192.168.1.101 -j MY-SLIM
fi

# filter table: let the DNATed connections through FORWARD
if iptables -N MY-SLIM; then
  iptables -A MY-SLIM -s 192.168.1.0/24 -j ACCEPT
fi
if ! iptables -n -L FORWARD | grep --quiet MY-SLIM; then
  iptables -I FORWARD 2 -i ens5 -d 10.137.0.6 -p tcp --dport 9000 -m conntrack --ctstate NEW -j MY-SLIM
  # iptables -I FORWARD 2 -i ens5 -d 10.137.0.6 -p tcp --dport 3483 -m conntrack --ctstate NEW -j MY-SLIM
  # iptables -I FORWARD 2 -i ens5 -d 10.137.0.6 -p udp --dport 3483 -m conntrack --ctstate NEW -j MY-SLIM
fi

# nftables: the qubes-firewall forward chain also has to accept the new connections
if ! nft -nn list table ip qubes-firewall | grep --quiet "tcp dport 9000 ct state new"; then
  touch /rw/config/QUBES-FIREWALL-USER-SCRIPT-NFT
  nft add rule ip qubes-firewall forward meta iifname ens5 ip daddr 10.137.0.6 tcp dport 9000 ct state new counter accept
  # nft add rule ip qubes-firewall forward meta iifname ens5 ip daddr 10.137.0.6 tcp dport 3483 ct state new counter accept
  # nft add rule ip qubes-firewall forward meta iifname ens5 ip daddr 10.137.0.6 udp dport 3483 ct state new counter accept
fi
```

And here's `sys-firewall`:

```
#!/bin/sh

# This script is called in AppVMs after every firewall update (configuration
# change, starting some VM etc). This is good place to write own custom
# firewall rules, in addition to autogenerated ones. Remember that in most cases
# you'll need to insert the rules at the beginning (iptables -I) for it to be
# effective.

# debug
touch /rw/config/QUBES-FIREWALL-USER-SCRIPT

# https://www.qubes-os.org/doc/firewall/#port-forwarding-to-a-qube-from-the-outside-world
# 10.137.0.16 is the AppVM running the Slim server

# nat table: DNAT what arrives from sys-net on to the AppVM
# (the script already runs as root, so no sudo is needed here)
if iptables -t nat -N MY-SLIM; then
  iptables -t nat -A MY-SLIM -j DNAT --to-destination 10.137.0.16
fi
if ! iptables -t nat -n -L PREROUTING | grep --quiet MY-SLIM; then
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9000 -d 10.137.0.6 -j MY-SLIM
  # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3483 -d 10.137.0.6 -j MY-SLIM
  # iptables -t nat -A PREROUTING -i eth0 -p udp --dport 3483 -d 10.137.0.6 -j MY-SLIM
fi

# filter table
if iptables -N MY-SLIM; then
  iptables -A MY-SLIM -j ACCEPT
fi
if ! iptables -n -L FORWARD | grep --quiet MY-SLIM; then
  # FORWARD 4, or FORWARD 2 ???
  iptables -I FORWARD 4 -d 10.137.0.16 -p tcp --dport 9000 -m conntrack --ctstate NEW -j MY-SLIM
  # iptables -I FORWARD 4 -d 10.137.0.16 -p tcp --dport 3483 -m conntrack --ctstate NEW -j MY-SLIM
  # iptables -I FORWARD 4 -d 10.137.0.16 -p udp --dport 3483 -m conntrack --ctstate NEW -j MY-SLIM
fi

# nftables
if ! nft -nn list table ip qubes-firewall | grep --quiet "tcp dport 9000 ct state new"; then
  nft add rule ip qubes-firewall forward meta iifname eth0 ip daddr 10.137.0.16 tcp dport 9000 ct state new counter accept
  # nft add rule ip qubes-firewall forward meta iifname eth0 ip daddr 10.137.0.16 tcp dport 3483 ct state new counter accept
  # nft add rule ip qubes-firewall forward meta iifname eth0 ip daddr 10.137.0.16 udp dport 3483 ct state new counter accept
fi
```

I've triple-checked my IP addresses, and everything else I can think of!

```
[user@sys-net ~]$ ifconfig | grep -i cast
ens5: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.101  netmask 255.255.255.0  broadcast 192.168.1.255
vif21.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.137.0.5  netmask 255.255.255.255  broadcast 0.0.0.0
```

```
[user@sys-firewall ~]$ ifconfig | grep -i cast
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.137.0.6  netmask 255.255.255.255  broadcast 10.255.255.255
vif22.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.137.0.6  netmask 255.255.255.255  broadcast 0.0.0.0
vif23.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.137.0.6  netmask 255.255.255.255  broadcast 0.0.0.0
vif4.0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 10.137.0.6  netmask 255.255.255.255  broadcast 0.0.0.0
```

If I've left out important details, let me know and I'll provide them. I'd really appreciate any help!

-Dave

--
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2caa2b1e-158e-412b-b5e2-dfce9b126ae4%40googlegroups.com.
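Added example, not part of the original post: the counters quoted above can be correlated hop by hop rather than read by eye. In the sys-net output, 26 packets (1344 bytes) entered MY-SLIM from FORWARD, the chain's only rule (`-s 192.168.1.0/24`) matched 0 of them, and the final catch-all `DROP` in FORWARD shows exactly 26 packets / 1344 bytes; on sys-firewall the nat PREROUTING jump to MY-SLIM counted 0, so nothing reached that hop. The Python script below parses `iptables -L -v -n` output and performs that check: for a jump into a user chain it reports how many packets entered, how many matched inside, and which later terminal rule (or the chain policy) swallowed the fall-through. The sample inputs are constructed from the output in the post; the sys-firewall MY-SLIM chain, which the post snipped, is reconstructed from the script's DNAT rule and is an assumption.

```python
"""Correlate `iptables -L -v -n` counters to see where forwarded packets die."""
import re

# Constructed sample: sys-net filter table from the post (FORWARD, MY-SLIM, QBS-FORWARD).
SYS_NET_FILTER = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
60282   56M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   26  1344 MY-SLIM    tcp  --  ens5   *       0.0.0.0/0            10.137.0.6           tcp dpt:9000 ctstate NEW
  837 46024 QBS-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  vif+   vif+    0.0.0.0/0            0.0.0.0/0
  811 44680 ACCEPT     all  --  vif+   *       0.0.0.0/0            0.0.0.0/0
   26  1344 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MY-SLIM (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0

Chain QBS-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""

# Constructed sample: sys-firewall nat PREROUTING from the post; its MY-SLIM chain was
# snipped there and is reconstructed here from the script's DNAT rule (assumption).
SYS_FIREWALL_NAT = """\
Chain PREROUTING (policy ACCEPT 84 packets, 4444 bytes)
 pkts bytes target     prot opt in     out     source               destination
  152  8823 PR-QBS     all  --  *      *       0.0.0.0/0            0.0.0.0/0
   84  4444 PR-QBS-SERVICES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 MY-SLIM    tcp  --  eth0   *       0.0.0.0/0            10.137.0.6           tcp dpt:9000

Chain MY-SLIM (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:10.137.0.16
"""

_CHAIN_RE = re.compile(r"^Chain (?P<name>\S+) \((?:policy (?P<policy>\S+) (?P<ppkts>\S+) packets|\d+ references)")
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}   # `-v` abbreviates counters; `-x` prints exact values
TERMINAL = ("ACCEPT", "DROP", "REJECT")


def _num(tok):
    return int(float(tok[:-1]) * _SUFFIX[tok[-1]]) if tok[-1] in _SUFFIX else int(tok)


def parse_iptables(text):
    """Return {chain: {"policy", "policy_pkts", "rules": [...]}} from -L -v -n output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = _CHAIN_RE.match(line)
        if m:
            current = {"policy": m.group("policy"),
                       "policy_pkts": _num(m.group("ppkts") or "0"), "rules": []}
            chains[m.group("name")] = current
            continue
        cols = line.split(None, 9)      # pkts bytes target prot opt in out src dst [match text]
        if current is None or len(cols) < 9 or cols[0] == "pkts":
            continue
        # Assumes every rule has a target (-j); a rule without one shifts the columns.
        current["rules"].append({"pkts": _num(cols[0]), "target": cols[2], "in": cols[5],
                                 "source": cols[7], "destination": cols[8],
                                 "extra": cols[9] if len(cols) > 9 else ""})
    return chains


def diagnose_jump(chains, parent, child):
    """Follow the counter on the rule in `parent` that jumps to user chain `child`.

    Packets that match no rule in `child` return to `parent` and continue after
    the jump; the "likely sink" is the first later terminal rule (or the policy)
    whose counter equals that fall-through count.  Counter equality is a
    heuristic: run `iptables -Z`, send one test connection, then read again.
    A RETURN rule inside `child` would also count as "matched".
    """
    rules = chains[parent]["rules"]
    jump = next(i for i, r in enumerate(rules) if r["target"] == child)
    entered = rules[jump]["pkts"]
    matched = sum(r["pkts"] for r in chains[child]["rules"])
    fell_through = entered - matched
    sink = None
    if fell_through > 0:
        sink = next((r for r in rules[jump + 1:]
                     if r["target"] in TERMINAL and r["pkts"] == fell_through), None)
        if sink is None and chains[parent]["policy_pkts"] == fell_through:
            sink = {"target": chains[parent]["policy"], "pkts": fell_through, "extra": "chain policy"}
    return {"entered": entered, "matched_in_child": matched,
            "fell_through": fell_through, "likely_sink": sink}


if __name__ == "__main__":
    for hop, text, parent in (("sys-net filter", SYS_NET_FILTER, "FORWARD"),
                              ("sys-firewall nat", SYS_FIREWALL_NAT, "PREROUTING")):
        d = diagnose_jump(parse_iptables(text), parent, "MY-SLIM")
        print(f"[{hop}] {parent} -> MY-SLIM: entered={d['entered']} matched={d['matched_in_child']} "
              f"fell_through={d['fell_through']} sink={d['likely_sink'] and d['likely_sink']['target']}")
```

Run it on saved output from each NetVM (`sudo iptables -Z; sudo iptables -t <table> -L -v -n -x > dump.txt` after a single test connection) and feed the dumps to `parse_iptables`; a hop that reports `entered=0` has not seen the packets at all, while a non-zero fall-through with a named sink points at the rule whose match criteria (here, the `-s 192.168.1.0/24` source filter inside MY-SLIM) the real traffic does not satisfy.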