Networking Two Qubes: Web Server (web-serv) and Client Browser (client-brows)

I’ve seen variations on a theme for this, but I can’t seem to get it to work…

Goal: I am developing a Wordpress site and trying to configure Qubes-OS to use two qubes:

  • web-serv - this is a debian-12-xfce standalone qube running Local and MySQL (and is working as expected via localhost in the qube’s browser)
  • client-brows - a debian-12-xfce appvm with various browsers to test the site

I need to configure Qubes’ system network/firewall so I can expose the web server qube via port 10004, and connect to it using my client qube via the browser at http://10.137.0.33:10004

I’m stuck on the networking part.

I followed the Firewall docs and was unsuccessful.

So… I walked through the Firewall docs and set up two new qubes, per the section Enabling networking between two qubes

Even with this simple exercise, I couldn’t get qube-a (10.137.0.33) to ping qube-b (10.137.0.34).

I used these directions:

In order to allow networking between qubes A and B follow these steps:

  • Make sure both A and B are connected to the same firewall vm (by default all VMs use the same firewall VM).
  • Note the Qubes IP addresses assigned to both qubes. This can be done using the qvm-ls -n command, or via the Qubes Manager preferences pane for each qube.
  • Start both qubes, and also open a terminal in the firewall VM
  • In the firewall VM’s terminal enter the following iptables rule:
sudo iptables -I FORWARD 2 -s <IP address of A> -d <IP address of B> -j ACCEPT
  • In qube B’s terminal enter the following iptables rule:
sudo iptables -I INPUT -s <IP address of A> -j ACCEPT

I’m assuming that once I figure out how to make the Firewall example work, I will be able to do the same with my specific use-case.

Please help!

  • rdt

System Specs:
Both qubes use sys-firewall (which I edited per the Firewall docs)
Both qubes-settings-firewall have no restrictions
QubesOS version: R4.2.0-rc4
BIOS: N75 Ver. 01.33
Kernel: 6.1.57-1

The Enabling networking between two qubes guide is outdated for Qubes OS 4.2 because the firewall has switched to nftables instead of iptables:

Known issues

  • DomU firewalls have completely switched to nftables. Users should add their custom rules to the custom-input and custom-forward chains. (#5031, #6062)

You can follow this guide to open a single TCP port to another qube using the Qubes RPC service instead of enabling networking between two qubes:

1 Like

That did the trick! Thank you!

Specifically:

For allowing qube-a to connect/network to qube-b

sys-firewall (terminal)

sudo nft add rule ip qubes custom-forward ip saddr <IP address of A> ip daddr <IP address of B> ct state new,established,related counter accept

qube-b (terminal)

sudo nft add rule qubes custom-input ip saddr <IP address of A> ct state new,established,related counter accept

Now my qube-a can ping qube-b successfully.

AND, more importantly, I can troubleshoot my client → server setup!

2 Likes
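
An added example, not part of any post in this thread: the two rules above accept all traffic from A to B, while the original goal only needs one TCP port. This sketch validates its inputs and prints the same two rules narrowed to that port for review before running them. The function names and the client address 10.137.0.34 are assumptions; 10.137.0.33 and port 10004 come from the first post.

```shell
#!/bin/sh
# Added example: print port-scoped nft rules for the Qubes 4.2
# custom-forward / custom-input chains. Nothing is executed here.

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;   # reject anything but digits and dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                               # split on dots (input is digits/dots only)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Succeed only for a TCP port in 1-65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Usage: port_rules <client-ip> <server-ip> <tcp-port>
# Line 1 is for the firewall VM, line 2 for the server qube.
port_rules() {
    valid_ipv4 "$1" && valid_ipv4 "$2" && valid_port "$3" || {
        echo "usage: port_rules <client-ip> <server-ip> <tcp-port>" >&2
        return 1
    }
    # Firewall VM: forward only client -> server traffic to the one port.
    echo "nft add rule ip qubes custom-forward ip saddr $1 ip daddr $2 tcp dport $3 ct state new,established,related counter accept"
    # Server qube: accept only that client on that port.
    echo "nft add rule ip qubes custom-input ip saddr $1 tcp dport $3 ct state new,established,related counter accept"
}

# Constructed sample: 10.137.0.34 is an assumed client address.
port_rules 10.137.0.34 10.137.0.33 10004
```

Rules added this way last only until the qube restarts; the Qubes firewall documentation describes making them persistent through /rw/config/qubes-firewall-user-script in the firewall VM and /rw/config/rc.local in the receiving qube.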

@revdavethompson Thanks for sharing what worked for you in detail! Those are the little things that the next person in your situation will appreciate.

I marked @apparatus’s post as the solution, so future folks (and our future selves!) can see that the topic includes a solution, and get a highlight of that solution in the first post.

If you want to do that in the future, it’s something that you can do yourself by using the little “checkbox” icon at the bottom of the post that you want to mark as the solution. Welcome to the forum! 🙂

1 Like

The solution didn’t work for me. I created a new firewall VM (tmp-fw), and two new A and B VMs (tmp-a and tmp-b) using debian-12-xfce template with Kicksecure for the 3 of them.

Despite the nft commands, I cannot ping tmp-b from tmp-a.

Actually I cannot even ping tmp-fw from tmp-a or tmp-b.

EDIT: it works after I enabled ICMP packages in the Kicksecure template.