How do people port forward on the latest Qubes? The official firewall guide doesn't work

I couldn’t find a qvm-forward-iptables script for R4.2 anywhere so I tried to do it the manual way as explained here:

(see the Port forwarding to a qube from the outside world section)

I followed the guide step by step twice but it doesn’t work. Testing with telnet, I went from instant “connection refused” (expected behavior of a closed port) to an indefinite timeout (meaning at least the sys-net part worked.)

The part things start to go wrong for me is where it says to check the counters with nft list table ip qubes-firewall. I do not see the entry for custom-dnat-qubeDEST as the guide expects.

Can somebody give me a hand? Back in R4.0 I had a script for this I got off github but I can’t find an updated version for R4.2.

edit: I am testing from 192.168.x.y/24 ( as the guide expects

edit 2: thanks whoever pushed the nftables update by the way; now every time i work with my network I have to think about overpriced monkey jpegs

I wrote a script that does the job for you

I’d be glad to help you otherwise, I wrote the firewall documentation update for nftables.

1 Like

Your script halfway did the trick! The service qube is now receiving connections, however it is not able to talk back to the client. I believe this is a problem on the service qube end, but I’m not sure. I had this problem as well in R4.0 and had a command to fix it, but it was an iptables command and iptables is gone

does that qube have a VPN? If so, you need to define a route for your local network through its netvm gateway with a low metric.

Otherwise, I need some more information about the setup to help you.

If you need to figure it alone, tcpdump and wireshark are your friends :+1:

Ineed the qube does have a VPN connection enabled. How would I define that route in nftables?

this is not related to nftables, but if your VPN is providing a kill switch you will have to add rules too.

I made a script to generate the routes + rules


# variables

## list routes to go through the gateway

# code
GW=$(ip r | grep ^default | grep "dev eth0" | cut -d ' ' -f 3)

for i in $ROUTES
    ip route add "$i"  via "$GW" metric 5

for i in "$IPS_TO_ALLOW"
  nft insert rule qubes custom-forward ip daddr $i counter accept
1 Like

Hey that solved it!! Thanks so much! (Script was just missing the /24 in $ROUTES)

I did my killswitch the qubes way btw :wink: firewall in qube settings

1 Like