Hello, I’m desperately trying to configure nftables and I would really appreciate your help.
I’m trying to set up a VNC connection via LAN with another physical Debian device.
It was pretty simple with iptables:
VNC server on physical device → AppVM with VNC client → netVM which sets LAN connection → sys-firewall
- connect both devices with LAN cable
- connect ethernet controller to netVM
- enable options “provide network” & “network-manager”
- create ethernet connection in network-manager, IPv4 Settings - Share to other computers
- check whether it works on the physical device with the command “ip a” and try to use the browser → if everything is OK, you now have an internal IP address and the internet works in the browser
The first problem appeared at this stage. It worked flawlessly with iptables (you can see I don’t even interact with it here), but it simply doesn’t work with nftables.
However, I was able to solve it by doing this:
    nft flush ruleset    # removes every table in the ruleset, including ones other software created

    # loaded afterwards with: nft -f <this file>
    table ip filter {
        chain output {
            type filter hook output priority 100; policy accept;
        }
        chain input {
            type filter hook input priority 100; policy accept;
        }
        chain forward {
            type filter hook forward priority 100; policy accept;
        }
    }
That is absolutely not an elegant solution, but it works. I would like to hear what the right approach for it is.
Next problem:
Now in the netVM I would use a single iptables rule:
iptables -I FORWARD -i vif+ -o *ethernet controller name* -j ACCEPT
Then I would simply go to the AppVM and ssh to the physical device with the command:
ssh *internal ip of physical device* -L 9901:localhost:5901
And that’s it. Then I could use the VNC client and finish my setup.
So now I’ve tried to use iptables-translate and got this:
insert rule ip filter FORWARD iifname "vif*" oifname "ethernet controller name" counter accept
Unfortunately, it doesn’t work and ssh simply gives up on the connection with “connection timed out”.
I’m stuck at this stage because nftables is too hard for me (I was barely able to use iptables), I have zero idea how the Qubes firewall works now, and honestly I’m very disappointed with this decision.
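Added example, not from the original post and not Qubes' own tooling: a small POSIX sh script for the netVM that (a) lists every base chain registered on the forward hook, in evaluation order, from `nft list ruleset` output, and (b) renders the rules the post needs as an nft script for `nft -f -`, aimed at the firewall's own custom chains instead of `nft flush ruleset`. Two nftables facts drive its design. First, table and chain names are case-sensitive, so the iptables-translate line above only loads if a chain literally named `FORWARD` exists in table `filter`; the ruleset in the post creates `forward`. Second, `accept` in a base chain only ends that chain; the nft man page states that the packet can still be dropped by another base chain on the same hook that is evaluated later, while `drop` and `reject` are final, so an accept rule only helps if it sits in (or is jumped to from) the chain that would otherwise drop the packet. Assumptions, all labelled in the code: the LAN NIC is `eth0` (override with `LAN_IF`), downstream interfaces are `vif*`, the netVM firewall keeps a table `ip qubes` whose base chains jump to hook-less `custom-forward` and `custom-input` chains (verify with `nft list table ip qubes` before using `apply`), and the sample ruleset behind the `demo` subcommand is constructed for illustration, not copied from any system.

```shell
#!/bin/sh
# Added example for the netVM (sys-net); not code from the original post or from Qubes OS.
# Assumptions (labelled): downstream AppVM interfaces are "vif*"; the LAN NIC is $LAN_IF;
# the firewall owns "table ip qubes" with hook-less chains custom-forward / custom-input
# that its base chains jump to (verify: nft list table ip qubes). Root is needed for
# the audit and apply subcommands; demo and render run offline.
set -eu

LAN_IF="${LAN_IF:-eth0}"   # assumed NIC name; override: LAN_IF=enp5s0 ./lanshare.sh apply

# Read "nft list ruleset" text on stdin and print every base chain on the forward hook as
# "<numeric priority> <table> <chain> <policy>", lowest priority (evaluated first) on top.
# A packet crosses ALL of them in that order: "accept" only ends the current chain,
# "drop"/"reject" is final. Named priorities are converted with nft's standard values.
list_forward_hooks() {
    awk '
    BEGIN { named["raw"] = -300; named["mangle"] = -150; named["dstnat"] = -100
            named["filter"] = 0;  named["security"] = 50; named["srcnat"] = 100 }
    /^table / { tbl = $3 }                      # "table ip qubes {"
    /^[ \t]*chain / { chn = $2 }                # "chain forward {"
    /^[ \t]*type [a-z]+ hook forward / {        # only base chains carry a type line
        p = $0; sub(/.*priority /, "", p); split(p, seg, ";"); n = split(seg[1], tok, " ")
        prio = (tok[1] in named) ? named[tok[1]] : tok[1] + 0         # "filter" or "100"
        if (n == 3) prio += ((tok[2] == "-") ? -tok[3] : tok[3])     # "filter - 10"
        pol = "accept"
        if (match($0, /policy [a-z]+/)) pol = substr($0, RSTART + 7, RLENGTH - 7)
        printf "%d %s %s %s\n", prio, tbl, chn, pol
    }' | sort -n
}

# Render the rules as an nft script (fed to "nft -f -", so the "vif*" quoting survives).
# Line 1 is what the post's "iptables -I FORWARD -i vif+ -o <nic> -j ACCEPT" did. The input
# rules let the LAN device reach the dnsmasq that NetworkManager's "Shared to other
# computers" mode runs in this VM (DHCP 67/udp, DNS 53); they assume the netVM's input
# chain drops unsolicited traffic arriving on the NIC, which is an assumption, not a
# fact established by the post.
render_rules() {
    lan="$1"
    cat <<EOF
insert rule ip qubes custom-forward iifname "vif*" oifname "$lan" counter accept
insert rule ip qubes custom-input iifname "$lan" udp dport { 67, 53 } accept
insert rule ip qubes custom-input iifname "$lan" tcp dport 53 accept
EOF
}

apply_rules() {
    render_rules "$1" | nft -f -
    nft list chain ip qubes custom-forward      # confirm the rule landed where expected
}

# Constructed sample of "nft list ruleset" output (illustration only, not copied from any
# system): the post's own table at priority 100, a qubes-style forward chain that drops,
# and a hypothetical "lanshare" table whose early accept does NOT save the packet.
sample_ruleset() {
    cat <<'EOF'
table ip filter {
    chain forward {
        type filter hook forward priority 100; policy accept;
    }
}
table ip qubes {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        jump custom-forward
    }
    chain custom-forward {
    }
}
table ip lanshare {
    chain forward {
        type filter hook forward priority filter - 10; policy accept;
        iifname "vif*" oifname "eth0" accept
    }
}
EOF
}

main() {
    case "${1:-}" in
        audit)  nft list ruleset | list_forward_hooks ;;
        demo)   sample_ruleset | list_forward_hooks ;;
        render) render_rules "$LAN_IF" ;;
        apply)  apply_rules "$LAN_IF" ;;
        *) echo "usage: $0 audit|demo|render|apply" >&2; return 2 ;;
    esac
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

`./lanshare.sh demo` prints `-10 lanshare forward accept`, `0 qubes forward drop`, `100 filter forward accept`: the packet is accepted by `lanshare`, then dropped by `qubes`, and never reaches the post's `filter` table, which is why adding a private table, or a chain at priority 100, cannot fix a drop that happens earlier. `audit` does the same against the live ruleset, `render` prints the rules so they can be compared with the iptables-translate output, and `apply` loads them. Rerunning `apply` inserts duplicates, so check `nft list chain ip qubes custom-forward` first.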