Port forwarding between sys-vpn and app-vm

I’m reading the Firewall | Qubes OS page and I’m having some trouble with it.

I’d like to be able to connect from the network on sys-vpn’s tun0 interface to the services listening on the app VM’s eth0 interface (multiple ports). How can I do that?

Below is a simple diagram of how it looks:

sys-net <-> sys-firewall <-> sys-vpn (eth0, tun0) <-> app vm (eth0)

sys-vpn eth0:
sys-vpn tun0:

app vm eth0:
- ports: 3333, 4444, 5555

You need to open the ports on app, to allow inbound traffic.
How you do this will depend on what template you are using (and therefore
whether iptables or nft are relevant.)

Thanks for the hint, and sorry for not giving enough details - App VM is Parrot OS, sys-vpn is Debian 11 minimal.

Will allowing inbound traffic on the App VM be enough, or should I also make some NAT rules (like on the firewall page) to route packets between tun0 → eth0 on sys-vpn → eth0 on App VM?

Were you ever able to solve this issue? I’m having the exact same problem with my chain of VMs when I’m trying to set up a netcat reverse shell using the Kali template. I’m setting up the exploit to connect back to my TryHackMe VPN VM. I then would like to forward that traffic to my Kali VM sitting behind the VPN VM, so the 2nd part of the TCP 3-way handshake can be established and a SYN,ACK TCP packet can be sent back to the target machine. I seem to be having trouble after this.