I’d like to make 2 qubes/domains to communicate each other with iptables.
I used this link but still not working: Firewall | Qubes OS
Now, I don’t use sys-firewall for them, I’m using sysfirewall-vpn-tor.
I added that iptables rules in all of them:
and allowing INPUT for source in qube 2, but still I can’t ping it from qube 1.
Is it there something else that I need to do?
I want to point to that I can’t ping anything actually … .e.g google.com
But I’m having internet [can surf via Browser]
Qube 1: Kali [from a debian template]
Qube 2: Lab
if I’m using sys-firewall I’ll be able to do so … but not if I’m using multiple hops - sys-firewal → vpn → tor
deleted
What netvm are these two Qubes attached to? Is it the same? It has to be the same, otherwise it won’t work.
Yes same.;
Are on a custom netvm that will go as described above:
I know if 'll switch to only net-firewall it will work but I want to make this working with this config.
Is it there a way?
Yes same.;
Are on a custom netvm that will go as described above:
- tor [sys-whonix] → vpn → net-firewall
I know if 'll switch to only net-firewall it will work but I want to make this working with this config.
Is it there a way?
I have no idea what you are trying to do.
Before you said:
sys-firewal → vpn → tor
And now you say:
tor [sys-whonix] → vpn → net-firewall
You were asked which netvm the qubes were attached to, and you didnt
answer that question. Answer that question.
I dont recommend changing firewall rules at random, as you seem to have
done. Revert the changes that you have made.
Identify the qube that both qubes are using as their netvm. That is
where you will need to make changes. No where else.
You mean:
qube a → sys-whonix → sys-vpn → sys-firewall → sys-net
qube b ----^
Right? In which case I thing sys-whonix might be blocking your attempts. An easy way to check is to clone sys-firewall into sys-tor-firewall and set it’s netvm to sys-whonix and connect your qubes a & b to sys-tor-firewall.
That should work then, but you loose the stream isolation of whonix/tor because both qube’s traffic will go through sys-tor-firewall which is the only qube whonix will see.
If you do want stream isolation and the connection between the qubes is a specific port only you could try and use the qubes.ConnectTCP method:
@Sven yes you’re right.
So what I did is:
sys-vpnie-tor qube based on whonix-gw-15 template with NetVM sys-vpn-ie
sys-vpn-ie is a vpn qube - based on fedora template with NetVM based on sys-firewall
Qube A and B are based [both] on sys-vpnie-tor
Now, using that connection that you said is not so helpfull because:
Is it there a better way with that setup?
Yes
Depending on your use case also:
If you don’t mind me asking: since this is “just” a lab, why do you bother to connect them to the internet at all? You can set the new proxy qubes netvm to ‘’ and your lab will still work. It’ll effectively be an internal network without connection to the Internet. What do you hope to achieve by connecting it to TOR?
Whohoo. That worked.
Because there are lots of things that I don’t understand so I’m using Kali to search on the internet.
Thank you