Port forwarding between sys-vpn and app-vm

I’m reading Firewall | Qubes OS page and I have some troubles with it.

I’d like to be able to connect from the network on sys-vpn’s tun0 interface to the services listening on app vm eth0 interface (multiple ports). How can I do that?

Below is simple diagram how it looks like:

sys-net <-> sys-firewall <-> sys-vpn (eth0, tun0) <-> app vm (eth0)

sys-vpn eth0:
sys-vpn tun0:

app vm eth0:
- ports: 3333, 4444, 5555

You need to open the ports on app, to allow inbound traffic.
How you do this will depend on what temlate you are using (and therefore
whether iptables or nft are relevant.)

thanks for the hint and sorry for not giving enough details - App VM is Parrot OS, sys-vpn is Debian 11 minimal.

Allowing inbound traffic on App VM will be enough or should I also make some NAT rules (like on firewall page) to route packets between tun0 → eth0 on sys-vpn → eth0 on App VM?