Open input ports to access an appvm from outside

datalove · August 11, 2021, 6:18pm

Hello,
I would like to use warpinator

No problem for the installation, but impossible to communicate with my local network

I followed this guide

But I get confused and do not understand the different ip I have to enter. (10.137.1.x then 10.137.0.x and again 10.137.2.y etc… ) So it does not work!

Is there someone who is familiar with the network to explain to me which ip I have to enter?

My config :
sys-net-wlan : vif : 10.137.0.27
wls6 : 192.168.1.5

sys-fw-wlan-in : vif : 10.137.0.30
eth0 : 10.137.0.30

AppVm Warpinator : 10.137.0.18

Local Network : 192.168.1.0/24

warpinator open port 42000 tcp and udp and 42001 tcp

Merci beaucoup :

Translated with www.DeepL.com/Translator (free version)

datalove · August 17, 2021, 12:41pm

My “iptables”. Currently:
For sys-net-wlan :

$ ifconfig | grep -i cast
vif16.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.137.0.27  netmask 255.255.255.255  broadcast 0.0.0.0
vif18.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.137.0.27  netmask 255.255.255.255  broadcast 0.0.0.0
vif22.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.137.0.27  netmask 255.255.255.255  broadcast 0.0.0.0
vif24.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.137.0.27  netmask 255.255.255.255  broadcast 0.0.0.0
wls6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.5  netmask 255.255.255.0  broadcast 192.168.1.255

[user@sys-net-wlan-in ~]$ sudo iptables -t nat -L PREROUTING -n --line-number
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    PR-QBS     all  --  0.0.0.0/0            0.0.0.0/0           
2    PR-QBS-SERVICES  all  --  0.0.0.0/0            0.0.0.0/0           
3    WARPINATOR  tcp  --  0.0.0.0/0            192.168.1.5          tcp dpt:42000
4    WARPINATOR  tcp  --  0.0.0.0/0            192.168.1.5          tcp dpt:42001

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             state INVALID
WARPINATOR  tcp  --  anywhere             10.137.0.30          tcp dpt:42001 ctstate NEW
WARPINATOR  tcp  --  anywhere             10.137.0.30          tcp dpt:42000 ctstate NEW
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
QBS-FORWARD  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere

For sys-fw-wlan-in :

$ sudo iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
QBS-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0           
WARPINATOR  tcp  --  0.0.0.0/0            10.137.0.18          tcp dpt:42001 ctstate NEW
WARPINATOR  tcp  --  0.0.0.0/0            10.137.0.18          tcp dpt:42000 ctstate NEW
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain QBS-FORWARD (1 references)
target     prot opt source               destination         

Chain WARPINATOR (2 references)
target     prot opt source               destination         
ACCEPT     all  --  192.168.1.0/24       0.0.0.0/0       
    
[user@sys-fw-wlan-in ~]$ sudo iptables -t nat -L PREROUTING -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
PR-QBS     all  --  0.0.0.0/0            0.0.0.0/0           
PR-QBS-SERVICES  all  --  0.0.0.0/0            0.0.0.0/0           
WARPINATOR  tcp  --  0.0.0.0/0            10.137.0.30          tcp dpt:42000
WARPINATOR  tcp  --  0.0.0.0/0            10.137.0.30          tcp dpt:42001

$ sudo nft list table ip qubes-firewall
table ip qubes-firewall {
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
		iifname != "vif*" accept
		ip saddr 10.137.0.18 jump qbs-10-137-0-18
	}

	chain qbs-10-137-0-18 {
		ip daddr 192.168.1.0/24 accept
		ip daddr 192.168.1.20 tcp dport 42001 accept
        ip daddr 192.168.1.20 tcp dport 42000 accept
		ip daddr 192.168.1.20 udp dport 42000 accept
		ip daddr 192.168.100.0/24 accept
		ip daddr 192.168.220.0/24 accept
		ip daddr { 10.139.1.1-10.139.1.2 } tcp dport 53 accept
		ip daddr { 10.139.1.1-10.139.1.2 } udp dport 53 accept
		ip protocol icmp accept
		reject with icmp type admin-prohibited
		reject with icmp type admin-prohibited
	}
}