I started fiddling with NFT on Qubes OS 4.2 and the official documentation is quite bad in this area. Let’s gather material here so we could enhance the documentation once we have enough content.
Port forwarding from outside to a qube
I got port forwarding to work, that wasn’t easy as the default ruleset didn’t have a chain for the nat rules. I made a simple script where you just have to fill the port and the destination.
Typically, you would do:
run the snippet Forwarding in sys-net using sys-firewall IP as a destination
run the snippet Forwarding in sys-firewall using the qube IP as a destination
run the snippet Accept only in the destination qube
This is an example for a TCP redirection, for UDP you would have to replace tcp by udp.
I didn’t try yet, but from the current documentation, that the same steps except:
you would need to forward only for a source address (otherwise all the other qubes would be allowed to reach that qube) AND only forward for internal qubes interfaces, so the rule would be a bit different, maybe something like this
#!/bin/sh
# allows qube $SOURCE to reach $DESTINATION on port $PORT
PORT=8000
DESTINATION=10.137.0.16
SOURCE=10.137.0.15
if ! nft -nn list table ip qubes | grep "chain nat {" ; then
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
fi
nft add rule qubes custom-input ip saddr "${SOURCE}" tcp dport "${PORT}" accept
nft add rule qubes custom-forward ip saddr "${SOURCE}" tcp dport "${PORT}" accept
nft add rule qubes nat iifname "vif*" tcp dport "${PORT}" dnat "${DESTINATION}"