Problems with port forwarding: no audio for ip telephony

After finding that IP telephony with Linphone only works in sys-net, but not in the AppVM, I set up port forwarding for ports 5061 and 7080 (UDP protocol) according to the instructions on Qubes-OS.org for Qubes 4.1. Calls could be made and received with Linphone in the AppVM, but nobody heard any sound. This is still the case after setting up port forwarding.

7080 is the port used by Linphone for audio transmission. I tried the following commands one after the other without success. Does anyone know what the problem is?

192.168.54.20/24 is the IP I got for ens6 by running “ip -4 -br a | grep UP” in sys-net. (By running “ip route” I get 192.168.54.1.)
10.138.11.288 is the IP of sys-firewall.
10.137.0.99 is the IP of the AppVM.

#In sys-net
sudo iptables -t nat -A PREROUTING -i ens6 -p udp --dport 5061 -d 192.168.54.20/24 -j DNAT --to-destination 10.138.11.288
sudo iptables -I FORWARD 2 -i ens6 -d 10.138.11.288 -p udp --dport 5061 -m conntrack --ctstate NEW -j ACCEPT

sudo iptables -t nat -A PREROUTING -i ens6 -p udp --dport 7080 -d 192.168.54.20/24 -j DNAT --to-destination 10.138.11.288
sudo iptables -I FORWARD 2 -i ens6 -d 10.138.11.288 -p udp --dport 7080 -m conntrack --ctstate NEW -j ACCEPT


#In sys-firewall

sudo iptables -t nat -A PREROUTING -i eth0 -p udp --dport 5061 -d 10.138.11.288 -j DNAT --to-destination 10.137.0.99
sudo iptables -I FORWARD 2 -i eth0 -s 192.168.54.20/24 -d 10.137.0.99 -p udp --dport 5061 -m conntrack --ctstate NEW -j ACCEPT

sudo iptables -t nat -A PREROUTING -i eth0 -p udp --dport 7080 -d 10.138.11.288 -j DNAT --to-destination 10.137.0.99
sudo iptables -I FORWARD 2 -i eth0 -s 192.168.54.20/24 -d 10.137.0.99 -p udp --dport 7080 -m conntrack --ctstate NEW -j ACCEPT

#In AppVM:


if sudo iptables -w -N MY-5061; then
  sudo iptables -w -A MY-5061 -j ACCEPT
fi

if ! sudo iptables -w -n -L INPUT | grep --quiet MY-5061; then
  sudo iptables -w -I INPUT 5 -d 10.137.0.99 -p udp --dport 5061 -m conntrack --ctstate NEW -j MY-5061
fi


if sudo iptables -w -N MY-7080; then
  sudo iptables -w -A MY-7080 -j ACCEPT
fi

if ! sudo iptables -w -n -L INPUT | grep --quiet MY-7080; then
  sudo iptables -w -I INPUT 5 -d 10.137.0.99 -p udp --dport 7080 -m conntrack --ctstate NEW -j MY-7080
fi

Change 192.168.54.20/24 to 192.168.54.20.
You need to add the rules to the qubes-firewall forward chain using nftables as well, e.g.:

nft add rule ip qubes-firewall forward meta iifname eth0 ip daddr 10.137.1.z tcp dport 443 ct state new counter accept

Thank you for your support. Do I have to run the nft command only in sys-net? I would run it in sys-net with ens6 like this:

nft add rule ip qubes-firewall forward meta iifname ens6 ip daddr 10.138.11.288 udp dport 7080 ct state new counter accept

You need to add the qubes-firewall rule in sys-firewall as well:

nft add rule ip qubes-firewall forward meta iifname eth0 ip saddr 192.168.x.0/24 ip daddr 10.137.0.xx tcp dport 443 ct state new counter accept

Okay, I restarted sys-net, sys-firewall and the AppVM, tried everything again, but with 192.168.54.20 instead of 192.168.54.20/24, and ran …

… in sys-net (with ens6):

sudo nft add rule ip qubes-firewall forward meta iifname ens6 ip daddr 10.138.11.288 udp dport 5061 ct state new counter accept
sudo nft add rule ip qubes-firewall forward meta iifname ens6 ip daddr 10.138.11.288 udp dport 7080 ct state new counter accept

in sys-firewall (with eth0):

sudo nft add rule ip qubes-firewall forward meta iifname eth0 ip saddr 192.168.10.20/24 ip daddr 10.137.0.99 udp dport 5061 ct state new counter accept
sudo nft add rule ip qubes-firewall forward meta iifname eth0 ip saddr 192.168.10.20/24 ip daddr 10.137.0.99 udp dport 7080 ct state new counter accept

But no success. Maybe I have to use the IP of the sys-net VM instead of 192.168.10.20/24 in the sys-firewall VM?

It should be 192.168.10.0/24, but 192.168.10.20/24 is effectively the same.

Also do you have 192.168.54.0/24 subnet or 192.168.10.0/24?

You can forward all tcp/udp ports from sys-net to your Linphone qube for a test to make sure that you didn’t miss the ports that are used by Linphone.
You can configure the range as:
iptables:

--dports 1:65535

nftables:

dport 1-65535

I wrote 192.168.10.20/24 here, but that was just a typo. 192.168.54.20/24 is correct.

I restarted the VMs and tried to forward the whole range of ports like this but no change:

#In sys-net
# DNAT everything arriving on the uplink for sys-net's own address (a single host, not the /24) to sys-firewall
sudo iptables -t nat -A PREROUTING -i ens6 -p udp --dport 1:65535 -d 192.168.54.20 -j DNAT --to-destination 10.138.11.288
sudo iptables -I FORWARD 2 -i ens6 -d 10.138.11.288 -p udp --dport 1:65535 -m conntrack --ctstate NEW -j ACCEPT

sudo nft add rule ip qubes-firewall forward meta iifname ens6 ip daddr 10.138.11.288 udp dport 1-65535 ct state new counter accept

#In sys-firewall

sudo iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1:65535 -d 10.138.11.288 -j DNAT --to-destination 10.137.0.99
# the source match needs the mask; a bare 192.168.54.0 only matches that single host
sudo iptables -I FORWARD 2 -i eth0 -s 192.168.54.0/24 -d 10.137.0.99 -p udp --dport 1:65535 -m conntrack --ctstate NEW -j ACCEPT

sudo nft add rule ip qubes-firewall forward meta iifname eth0 ip saddr 192.168.54.0/24 ip daddr 10.137.0.99 udp dport 1-65535 ct state new counter accept

#In AppVM:

# My service filtering
# Create a new firewall filtering chain for my service
if sudo iptables -w -N MY-5060; then
  # Add a filtering rule if it did not exist (to avoid clutter if script executed multiple times)
  sudo iptables -w -A MY-5060 -j ACCEPT
fi

# If no input rule exists for my service
if ! sudo iptables -w -n -L INPUT | grep --quiet MY-5060; then
  # add a forward rule for the traffic (same reason)
  sudo iptables -w -I INPUT 5 -d 10.137.0.99 -p udp --dport 1:65535 -m conntrack --ctstate NEW -j MY-5060
fi

# then start Linphone
linphone

Try to test the port forwarding with netcat or telnet from the external device in the same LAN as was suggested in the guide.

Telnet says the connection to port 5061 works, but the connection to audio port 7080 is refused. But if I use Linphone in sys-net, audio works although the connection to the audio port is denied.

Then port forwarding seems to work.
The problem may be in some Linphone configuration.
Maybe Linphone is using internal qube IP address 10.137.0.x when it should use your LAN IP 192.168.54.20 instead.
Or something similar.
This is already not a Qubes OS issue and it’d be easier to find a solution to this issue by broadening your search queries to something like:
How to use Linphone behind NAT with port forwarding

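For the whole chain discussed in this thread, here is an added example (not code from the posts above or from the Qubes OS project): a POSIX shell function that prints the Qubes 4.1 iptables rules for each hop, given the addresses and the UDP ports as arguments. It bakes in the two corrections made above: the sys-net DNAT keys on sys-net's own LAN address as a single host, and the sys-firewall source match uses the LAN subnet with its mask. The argument names and the sample values in the comments are this example's own assumptions; 10.138.11.28 in the usage line is a placeholder for your sys-firewall address. Rules added this way are not persistent; in Qubes they are normally placed in the qube's /rw/config/rc.local.

```shell
#!/bin/sh
# Added example for this thread, not code from the Qubes OS project or from the
# posts above: print the Qubes 4.1 iptables rules that forward UDP ports from the
# sys-net uplink to an AppVM, one hop at a time.  All values are passed in;
# the argument names below are this script's own.  Run the printed commands
# inside the matching qube (or put them in that qube's /rw/config/rc.local).
#
# usage: fw_rules ROLE LAN_IF LAN_IP LAN_NET FW_IP APP_IP PORT [PORT...]
#   ROLE     sys-net | sys-firewall | appvm
#   LAN_IF   uplink interface in sys-net (e.g. ens6); the other qubes use eth0
#   LAN_IP   sys-net's LAN address as a single host (192.168.54.20, NOT /24:
#            -d with a /24 matches the whole subnet, and DNAT should key on
#            the address the LAN actually sends to)
#   LAN_NET  the LAN subnet for the -s match in sys-firewall (192.168.54.0/24)
#   FW_IP    sys-firewall's address as seen from sys-net
#   APP_IP   the AppVM's address as seen from sys-firewall
#   PORT     a UDP port (5061) or an iptables port range (7078:7079)
fw_rules() {
    role=$1 lan_if=$2 lan_ip=$3 lan_net=$4 fw_ip=$5 app_ip=$6
    shift 6
    for port in "$@"; do
        case $role in
        sys-net)
            # Rewrite the destination to sys-firewall, then accept the new
            # connection in FORWARD (position 2, after Qubes' own conntrack
            # rule, as the 4.1 guide does).
            printf 'iptables -t nat -A PREROUTING -i %s -p udp --dport %s -d %s -j DNAT --to-destination %s\n' \
                "$lan_if" "$port" "$lan_ip" "$fw_ip"
            printf 'iptables -I FORWARD 2 -i %s -d %s -p udp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
                "$lan_if" "$fw_ip" "$port"
            ;;
        sys-firewall)
            # Second DNAT hop: sys-firewall address -> AppVM, accepting only
            # traffic that originated on the LAN subnet.
            printf 'iptables -t nat -A PREROUTING -i eth0 -p udp --dport %s -d %s -j DNAT --to-destination %s\n' \
                "$port" "$fw_ip" "$app_ip"
            printf 'iptables -I FORWARD 2 -i eth0 -s %s -d %s -p udp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
                "$lan_net" "$app_ip" "$port"
            ;;
        appvm)
            # One chain per port keeps the script idempotent: -N fails if the
            # chain already exists, and the INPUT jump is only added once.
            chain="MY-$(printf '%s' "$port" | tr ':' '-')"
            printf 'iptables -w -N %s 2>/dev/null && iptables -w -A %s -j ACCEPT\n' "$chain" "$chain"
            printf 'iptables -w -n -L INPUT | grep -q %s || iptables -w -I INPUT 5 -d %s -p udp --dport %s -m conntrack --ctstate NEW -j %s\n' \
                "$chain" "$app_ip" "$port" "$chain"
            ;;
        *)
            printf 'unknown role: %s\n' "$role" >&2
            return 1
            ;;
        esac
    done
}

# When run as a script, e.g. (assumed addresses, 10.138.11.28 is a placeholder):
#   sh fw_rules.sh sys-net ens6 192.168.54.20 192.168.54.0/24 10.138.11.28 10.137.0.99 5061 7078:7079
if [ "$#" -ge 7 ]; then
    fw_rules "$@"
fi
```

To check the UDP path end to end rather than only the SIP port, send a datagram from another host on the LAN (`printf probe | nc -u -w1 192.168.54.20 7080`) while running `sudo tcpdump -ni eth0 udp port 7080` inside the AppVM; telnet opens a TCP connection, so it does not exercise UDP rules at all. Forward whichever audio RTP port Linphone is configured to use in its network settings, not only the SIP port, and keep in mind that DNAT does not change the address Linphone advertises in its SDP; as the reply above suggests, that is a Linphone NAT setting, not a firewall rule.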

A little note:
The qubes-firewall table is managed by the qubes-firewall service and should not be used for custom rules. You must use the qubes table and the custom-forward chain instead.

That’s for Qubes OS 4.2.
OP has Qubes OS 4.1.

I thought it was about 4.2 since some nftables rules were posted. Since he is using 4.1, there’s no need to use any nftables rules since everything is using iptables. That’s why I was confused.

It seems that the Qubes OS 4.1 firewall guide is very outdated, and nft rules are no longer needed there as well:

In Qubes R4, at the moment (QubesOS/qubes-issues#3644), nftables is also used which imply that additional rules need to be set in a qubes-firewall nft table with a forward chain.

nft add rule ip qubes-firewall forward meta iifname eth0 ip daddr 10.137.1.z tcp dport 443 ct state new counter accept

But this was fixed long ago and no longer needed for Qubes OS 4.1 as well: