I am trying to set up a qube for housing differential backups (taken with restic). To do so I need to run an sftp server in this backup qube.
None of the qubes I wish to back up from are usually connected to the internet so I have cloned sys-firewall as internal-firewall and set its netvm to none. The qubes to be backed up and the backup qube itself have this internal-firewall as their netvm.
In /rw/config/qubes-firewall-user-script I have:
iptables -I FORWARD 2 -s 10.137.0.0/24 -d 10.137.0.bb -j ACCEPT
allowing all local machines which are assigned it as its netvm to access the backup qube (
And in the backup qube's /etc/config/rc.local I have:
iptables -I INPUT -s 10.137.0.xx -j ACCEPT
10.137.0.xx is the machine to be backed up that I am currently testing from.
The backup qube's /etc/ssh/sshd_config looks reasonable. Though I don’t think these last two points are essential information right now since I think whatever wall I’m hitting, I’m hitting it in the internal-firewall VM.
I can ping without issue from bb and can see the activity with iptables -t filter -vnL, with packets arriving on both machines, on the FORWARD chain of internal-firewall and the INPUT chain of the backup qube at the rules shown above, as well as packets on the OUTPUT chain of the backup qube, and the FORWARD chain of the internal-firewall at the rule which accepts packets with ctstate RELATED,ESTABLISHED.
But when I try ssh 10.137.0.bb from xx I receive no route to host and only see one packet on the OUTPUT chain of internal-firewall, nothing more.
(There are no other modifications to the firewall rules on either machine but for these here.)
I expect (and am hoping) that this is a simple failing with my understanding of how iptables rules are stated, as I have had only limited experience with it until now, but hopefully somebody here has better knowledge and some insight into this and can point me in the right direction.
Thanks for the time taken to read this and for any help you can give. T.