[Qubes OS 4.2] Easily NAT qubes port to external network


I made a script to ease the work of doing a NAT to expose a qube port to the physical network interface. I wrote a blog post about it. I often need to do that when developing.

Source code available on sourcehut: ~solene/qubes-os-nat - sourcehut git

It takes 2 mandatory parameters and 1 optional parameter:

  1. qube name
  2. port number
  3. protocol, either tcp or udp, tcp by default

The script will crawl the qube netVm up to the last netvm holding the physical interface, even if it’s not named sys-net, and establish the port redirection on all netvm in the path.

The script does not alter qvm-firewall rules, so if you blocked all ports, the redirection will not bypass the firewall. This is on purpose.

The redirection is temporary, if you reboot a qube in the network path or the qube itself, the redirection will stop working. If you want a permanent redirection, you should script your qubes to do so.


A simple method to copy the script to dom0 is to run this command on dom0:

qvm-run --pass-io sys-firewall "curl https://git.sr.ht/~solene/qubes-os-nat/blob/master/nat.sh" > nat.sh
chmod +x nat.sh

You can put the script wherever you prefer.


If you want to expose port TCP 8080 of a qube named Server type:

./nat.sh Server 8080 tcp

It also works for UDP, replace tcp with udp in the command line.


Currently, there is no way to undo added rules, this is not a huge issue as rebooting remove the rules, but it’s not nice. The rules are added at the top of the related chains, so if you run the script to forward the same port you used before to another qube, it will have a higer priority over the older rules. :+1:


[irrelevant comment retracted]

1 Like


I have a follow-up question.

How do I only allow TCP while denying all access to UDP and SSH? I know this can be done on the LAN in routers’ policies, but I also believe in layering security so I would like the redundancy across all entry points on the network such as the entire OS of Qubes and/or individual VMs to have that restriction in the sys-firewall policy as well.

Is there a guide for that too already, and if so where?

Your question seems to be unrelated to this topic.
Read this:


Okay thanks


TLDR; Qubes OS blocks all incoming ports by default, on every qubes.

1 Like