NetworkManager and shared networking

I have a device connected over ethernet where I want that device to be able to share my machine’s wifi connection and to be able to access it from AppVMs. I’ve got the external device connected and assigned a DHCP lease reservation with a predictable IP. However, I can’t seem to access it from any domain except sys-net. If I attempt to ping it from sys-firewall or from any AppVM, I get responses back from sys-net, but the packets aren’t getting forwarded. The only modification I’ve made to my iptables is to add a rule to INPUT in sys-net to accept connections over ethernet so that dnsmasq-dhcpd works. Adding a LOG to FORWARD shows that no packets are going out on ensX, nor are there any packets with the predictable IP as their destination.

What modifications do I need to make to forward packets on ensX to/from vifX? I’m guessing that there’s some kernel switch I need to throw that I don’t know about, because the iptables rules seem pretty normal and reasonable. This seems like an obvious problem, but nothing I’ve been able to find by searching, nor any existing questions, seems to concern itself specifically with managing shared networking under NetworkManager under Qubes.

Do you have your Ethernet and Wireless controllers attached to sys-net?
Maybe you’ve assigned the IP address for your ensX interface and the device connected to it to be in the same subnet as your wireless interface subnet?

Hmm… I don’t think that’s the issue. The ethernet connection is assigned an IP in 10.42/16 while the wifi is in 192.168/16.

Do you have both of your Ethernet and Wireless controllers attached to sys-net?
Maybe you have some blocking firewall rules in the qube connected to sys-net (sys-firewall?)?

Yeah, that was my thought as well, but I haven’t made any changes to the iptables rules in sys-firewall. Here are the rules:

[user@sys-firewall ~]$ sudo iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 DROP       17   --  vif+   *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    X     X ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     1    --  vif+   *       0.0.0.0/0            0.0.0.0/0           
    X     X ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     0    --  vif+   *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    X     X DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    X     X ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    X     X QBS-FORWARD  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       0    --  vif+   vif+    0.0.0.0/0            0.0.0.0/0           
    X     X ACCEPT     0    --  vif+   *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT X packets, X bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain QBS-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
[user@sys-firewall ~]$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT X packets, X bytes)
 pkts bytes target     prot opt in     out     source               destination         
    X     X PR-QBS     0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    X     X PR-QBS-SERVICES  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT X packets, X bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    X     X ACCEPT     0    --  *      vif+    0.0.0.0/0            0.0.0.0/0           
    X     X ACCEPT     0    --  *      lo      0.0.0.0/0            0.0.0.0/0           
    X     X MASQUERADE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain PR-QBS (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    X     X DNAT       17   --  *      *       0.0.0.0/0            10.139.1.1           udp dpt:53 to:10.139.1.1
    0     0 DNAT       6    --  *      *       0.0.0.0/0            10.139.1.1           tcp dpt:53 to:10.139.1.1
    X     X DNAT       17   --  *      *       0.0.0.0/0            10.139.1.2           udp dpt:53 to:10.139.1.2
    0     0 DNAT       6    --  *      *       0.0.0.0/0            10.139.1.2           tcp dpt:53 to:10.139.1.2

Chain PR-QBS-SERVICES (1 references)
 pkts bytes target     prot opt in     out     source               destination         

What do you have in sys-net firewall?

sys-net firewall; INPUT rule 6 is the only modification I’ve made:

[user@sys-net ~]$ sudo iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 DROP       17   --  vif+   *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    X     X ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     1    --  vif+   *       0.0.0.0/0            0.0.0.0/0           
    X     X ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           
    X     X ACCEPT     0    --  ensX   *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     0    --  vif+   *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    X     X DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    X     X DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    X     X ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    X     X QBS-FORWARD  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       0    --  vif+   vif+    0.0.0.0/0            0.0.0.0/0           
    X     X ACCEPT     0    --  vif+   *       0.0.0.0/0            0.0.0.0/0           
    X     X DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT X packets, X bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain QBS-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
[user@sys-net ~]$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT X packets, X bytes)
 pkts bytes target     prot opt in     out     source               destination         
    X     X PR-QBS     0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    X     X PR-QBS-SERVICES  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT X packets, X bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    X     X ACCEPT     0    --  *      vif+    0.0.0.0/0            0.0.0.0/0           
    X     X ACCEPT     0    --  *      lo      0.0.0.0/0            0.0.0.0/0           
    X     X MASQUERADE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain PR-QBS (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    X     X DNAT       17   --  *      *       0.0.0.0/0            10.139.1.1           udp dpt:53 to:192.168.X.1
    0     0 DNAT       6    --  *      *       0.0.0.0/0            10.139.1.1           tcp dpt:53 to:192.168.X.1
    0     0 DNAT       17   --  *      *       0.0.0.0/0            10.139.1.2           udp dpt:53 to:192.168.X.1
    0     0 DNAT       6    --  *      *       0.0.0.0/0            10.139.1.2           tcp dpt:53 to:192.168.X.1

Chain PR-QBS-SERVICES (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Maybe you have Qubes Firewall configured?
What’s the output of this command in sys-net?
sudo nft list table qubes-firewall

I have no idea how to use nftables, but here’s the output of the command you posted:

[user@sys-net ~]$ sudo nft list table qubes-firewall
table ip qubes-firewall {
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
		iifname != "vif*" accept
		ip saddr 10.138.35.38 jump qbs-10-138-35-38
	}

	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
		iifname != "vif*" ip saddr 10.138.35.38 drop
	}

	chain postrouting {
		type filter hook postrouting priority raw; policy accept;
		oifname != "vif*" ip daddr 10.138.35.38 drop
	}

	chain qbs-10-138-35-38 {
		accept
		reject with icmp admin-prohibited
	}
}

Firewall rules look ok.
I can only suggest checking the packets with tcpdump in sys-net to see what’s coming from sys-firewall when you try to ping your device connected over ethernet from sys-firewall.

Thanks, I’ll try that. In the meantime, hopefully somebody else has insights into what may be the cause of this? This is a pretty new Qubes install, so it’s not like I’ve gone wild with customizing things (yet).