I couldn’t find a qvm-forward-iptables script for R4.2 anywhere so I tried to do it the manual way as explained here:
(see the Port forwarding to a qube from the outside world section)
I followed the guide step by step twice but it doesn’t work. Testing with telnet, I went from an instant “connection refused” (the expected behavior of a closed port) to an indefinite timeout (meaning at least the sys-net part worked).
The part where things start to go wrong for me is where it says to check the counters with nft list table ip qubes-firewall. I do not see the entry for custom-dnat-qubeDEST that the guide expects.
Can somebody give me a hand? Back in R4.0 I had a script for this that I got off GitHub, but I can’t find an updated version for R4.2.
edit: I am testing from 192.168.x.y/24 (192.168.1.0/24) as the guide expects
edit 2: thanks to whoever pushed the nftables update, by the way; now every time I work with my network I have to think about overpriced monkey jpegs
Your script halfway did the trick! The service qube is now receiving connections; however, it is not able to talk back to the client. I believe this is a problem on the service qube’s end, but I’m not sure. I had this problem as well in R4.0 and had a command to fix it, but it was an iptables command and iptables is gone.
This is not related to nftables, but if your VPN provides a kill switch you will have to add rules too.
I made a script to generate the routes + rules:
#!/bin/sh
# variables
## list of networks (CIDR) to route through the upstream gateway
## (the /24 is assumed from the thread; the original line had no prefix length)
ROUTES="192.168.1.0/24"
## destinations allowed through the custom-forward chain; the original post left
## IPS_TO_ALLOW undefined, so it is assumed here to be the same networks as ROUTES
IPS_TO_ALLOW="$ROUTES"
# code
## gateway of the default route on eth0
GW=$(ip r | grep ^default | grep "dev eth0" | cut -d ' ' -f 3)
for i in $ROUTES
do
ip route add "$i" via "$GW" metric 5
done
## unquoted on purpose so a space-separated list yields one address per iteration
for i in $IPS_TO_ALLOW
do
nft insert rule qubes custom-forward ip daddr "$i" counter accept
done
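To make the counter check from the first post mechanical, here is an added example that is not from anyone in this thread nor from Qubes itself: a POSIX sh function that parses the output of nft list table ip qubes-firewall and reports whether the custom-dnat-qubeDEST chain exists and whether its counter has moved, which tells you at which hop the forward fails. The nft output below is constructed, and the port 443 and the 10.137.0.10 DNAT target are placeholders.

```shell
# Constructed sample of `nft list table ip qubes-firewall` output (not taken from a
# real system); chain name as in the guide, port and DNAT target are placeholders.
SAMPLE_NFT='table ip qubes-firewall {
    chain custom-dnat-qubeDEST {
        type nat hook prerouting priority filter + 1; policy accept;
        iif "eth0" tcp dport 443 counter packets 0 bytes 0 dnat to 10.137.0.10
    }
}'

# check_dnat_chain CHAIN NFT_OUTPUT
# Return codes: 0 = chain present and its counter has matched packets,
#               1 = chain missing (the DNAT rules were never installed here),
#               2 = chain present but counter still 0 (traffic never reaches this hook).
check_dnat_chain() {
    chain="$1"
    nft_out="$2"
    if ! printf '%s\n' "$nft_out" | grep -q "chain $chain {"; then
        echo "$chain: chain not found, DNAT rules are not installed in this qube"
        return 1
    fi
    # Sum the "counter packets N" values of every rule inside the chain body.
    packets=$(printf '%s\n' "$nft_out" | awk -v c="$chain" '
        index($0, "chain " c " {") > 0 { hit = 1; next }
        hit && /^[ \t]*}/              { hit = 0 }
        hit && /counter packets/       { for (i = 1; i <= NF; i++) if ($i == "packets") s += $(i + 1) }
        END                            { print s + 0 }')
    if [ "$packets" -gt 0 ]; then
        echo "$chain: $packets packet(s) matched, DNAT works; check the forward chain and the return route next"
        return 0
    fi
    echo "$chain: present but counter is 0, traffic is not reaching this hook; check the upstream qube first"
    return 2
}

# Example run against the constructed sample: prints the diagnosis and exit status 2.
check_dnat_chain custom-dnat-qubeDEST "$SAMPLE_NFT" || echo "exit status: $?"
```

Run it in each qube along the path (sys-net, then sys-firewall, then the service qube) with the chain name that qube should carry; the first qube where the counter stays at 0 is where the packets stop.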