Hello,
I made a script to ease the work of doing a NAT to expose a qube port to the physical network interface. I wrote a blog post about it. I often need to do that when developing.
Source code available on sourcehut: https://git.sr.ht/~solene/qubes-os-nat
It takes 2 mandatory parameters and 1 optional parameter:
- qube name
- port number
- protocol, either `tcp` or `udp`, tcp by default
The script will crawl the qube's netvm chain up to the last netvm, the one holding the physical interface, even if it's not named `sys-net`, and establish the port redirection on every netvm in the path.
The script does not alter `qvm-firewall` rules, so if you blocked all ports, the redirection will not bypass the firewall. This is on purpose.
The redirection is temporary: if you reboot a qube in the network path, or the qube itself, the redirection will stop working. If you want a permanent redirection, you should script your qubes to do so.
Installation
A simple method to copy the script to dom0 is to run this command on dom0:
qvm-run --pass-io sys-firewall "curl https://git.sr.ht/~solene/qubes-os-nat/blob/master/nat.sh" > nat.sh
chmod +x nat.sh
You can put the script wherever you prefer.
Usage
If you want to expose port TCP 8080 of a qube named Server type:
./nat.sh Server 8080 tcp
It also works for UDP: replace `tcp` with `udp` in the command line.
Limitations
Currently, there is no way to undo added rules. This is not a huge issue as rebooting removes the rules, but it's not nice. The rules are inserted at the top of the related chains, so if you run the script to forward a port you already forwarded to another qube, the new rule will have a higher priority than the older ones.
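To make the two points above concrete (walking the netvm chain outward from the qube, and the "newest rule wins" ordering), here is an added example that is not nat.sh itself and not part of the post. It only prints the plan of rules each hop would run; nothing is executed. Because `qvm-prefs` exists only on dom0, a constructed topology and IP table stand in for it so the logic runs offline; the exact iptables rules and the uplink interface name `eth0` are assumptions, not a description of what nat.sh does.

```shell
#!/bin/sh
# Added example (not solene's nat.sh): compute the netvm path of a qube and
# print the port-redirection rules each hop in the path would need.
# Assumption: on a real dom0, netvm_of/ip_of would call
#   qvm-prefs "$qube" netvm   and   qvm-prefs "$qube" ip
# Here constructed tables replace them so the script runs offline.

# Constructed topology: "qube netvm" pairs; netvm "none" ends the chain
# (that qube is the one holding the physical interface).
TOPOLOGY='Server sys-firewall
sys-firewall sys-net
sys-net none'

# Constructed IP table: "qube ip" pairs (sys-net has no upstream qube IP).
IPS='Server 10.137.0.20
sys-firewall 10.137.0.6
sys-net none'

# Interface on which the redirected traffic arrives at each hop (assumed).
UPLINK_IF=${UPLINK_IF:-eth0}

# netvm_of QUBE: print the netvm of QUBE from the constructed table.
netvm_of() {
    printf '%s\n' "$TOPOLOGY" | awk -v q="$1" '$1 == q { print $2; exit }'
}

# ip_of QUBE: print the IP of QUBE from the constructed table.
ip_of() {
    printf '%s\n' "$IPS" | awk -v q="$1" '$1 == q { print $2; exit }'
}

# netvm_path QUBE: print the netvms from QUBE outward, one per line, stopping
# at the qube whose netvm is "none", whatever that qube is called.
netvm_path() {
    cur=$(netvm_of "$1")
    while [ -n "$cur" ] && [ "$cur" != "none" ]; do
        printf '%s\n' "$cur"
        cur=$(netvm_of "$cur")
    done
}

# plan_rules QUBE PORT [PROTO]: for each hop, from the qube outward, print the
# hop name and the rules it would run as root. Each hop forwards to the
# previous element of the path (the first hop forwards straight to the qube).
# Rules are inserted (-I) at the top of the chain, which is why a later
# redirect of the same port takes priority over an earlier one.
plan_rules() {
    qube=$1; port=$2; proto=${3:-tcp}
    case $proto in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp, got: $proto" >&2; return 1 ;;
    esac
    target=$qube
    for hop in $(netvm_path "$qube"); do
        tip=$(ip_of "$target")
        printf '%s: iptables -t nat -I PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$hop" "$UPLINK_IF" "$proto" "$port" "$tip" "$port"
        printf '%s: iptables -I FORWARD -i %s -p %s -d %s --dport %s -j ACCEPT\n' \
            "$hop" "$UPLINK_IF" "$proto" "$tip" "$port"
        target=$hop
    done
}

# Usage: sh plan-nat.sh Server 8080 tcp   (prints the plan, executes nothing)
if [ $# -ge 2 ]; then
    plan_rules "$@"
fi
```

With the constructed tables, `plan_rules Server 8080 tcp` prints two rules for `sys-firewall` pointing at Server's IP, then two rules for `sys-net` pointing at sys-firewall's IP: the redirection has to exist on every netvm in the path, each one handing the traffic one hop inward.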