Connecting a Qube to the LAN

User Support
1

I’m trying to set up a media server Qube and am trying to figure out how to expose it to my network. I’m looking at the documentation (Firewall | Qubes OS), which gives an example where

“we can take the use case of a web server listening on port 443 that we want to expose on our physical interface eth0, but only to our local network 192.168.x.0/24.”

This sounds like exactly what I’m looking for. When I get to this command,

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 192.168.x.y -j DNAT --to-destination 10.137.1.z

“dport” is not recognized. I assume this means destination port, and I scoured the man page for iptables and see no reference to setting the destination port. Is this method perhaps out of date?

Or perhaps a better question to ask would be, is this the proper way to go about exposing a media server from one Qube to my LAN?

2

You can use Qrexec for this.

In dom0, create a new policy /etc/qubes/policy.d/50-user-networking.policy including:

# Replace "1111" with the media server port
qubes.ConnectTCP +1111 sys-net @default allow target=mediaserverqube

In sys-net, execute the following commands:

# Replace "1111" with the media server port
# Qubes 4.2
sudo nft add rule ip qubes input tcp dport 1111 accept
qvm-connect-tcp 1111:@default:1111

# Qubes 4.1
sudo iptables -I INPUT -p tcp --dport 1111 -j ACCEPT
qvm-connect-tcp 1111:@default:1111

From an external device on the same network, access the media server with sys-net local IP and the media server port that was open.

3

Thank you for the reply, I will try to implement this.

Do you know if this method still allows for UPnP? Assuming the server has it implemented, etc.

4

This implementation only works one way (external → sys-net → qube) and for 1 port at a time.
If you create a new policy rule in the same file and do the same thing for the required UPnP port, it may work but not sure.

Edit: Forgot UPnP was UDP. You can’t use this since it’s only working with TCP.

5

Yeah…, can relate. It is in man iptables-extensions

1 Like