Hi!
I started fiddling with NFT on Qubes OS 4.2 and the official documentation is quite bad in this area. Let's gather material here so we could enhance the documentation once we have enough content.
I got port forwarding to work, that wasn't easy as the default ruleset didn't have a chain for the nat rules. I made a simple script where you just have to fill the port and the destination.
Typically, you would do:

- sys-net: using the sys-firewall IP as a destination
- sys-firewall: using the qube IP as a destination

This is an example for a TCP redirection; for UDP you would have to replace tcp by udp.
```sh
#!/bin/sh
# Forward TCP port PORT arriving from upstream to DESTINATION.
PORT=8000
DESTINATION=10.138.0.52

# The default 4.2 ruleset has no nat chain in the qubes table, so create one
# on the prerouting hook if it is missing.
if ! nft -nn list table ip qubes | grep -q "chain nat {" ; then
    nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
fi

# Let the port through the local input and forward paths ...
nft add rule qubes custom-input tcp dport "${PORT}" accept
nft add rule qubes custom-forward tcp dport "${PORT}" accept
# ... and rewrite the destination for packets that did not come from a qube (vif*).
# nft's dnat syntax needs the "to" keyword before the address.
nft add rule qubes nat iifname != "vif*" tcp dport "${PORT}" dnat to "${DESTINATION}"
```
```sh
#!/bin/sh
# Only accept the port on the local input path (no forwarding, no DNAT).
PORT=8000
nft add rule qubes custom-input tcp dport "${PORT}" accept
```
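As an added example (not part of the post above, and not Qubes' own tooling), here is the same port forward as a reusable helper that takes the protocol, port and destination as arguments, creates the nat chain only when it is missing, and does not add a rule twice when re-run. It assumes the Qubes OS 4.2 `qubes` table with its `custom-input` and `custom-forward` chains as used above, and it checks for existing chains and rules with `nft list chain`. The function names (`forward_port`, `qubes_ensure_nat_chain`, `qubes_rule_present`) are my own.

```shell
#!/bin/sh
# Added example, not from the original post: reusable port forward for the
# Qubes OS 4.2 "qubes" nft table. Assumes the 4.2 chains custom-input and
# custom-forward exist; creates the prerouting nat chain itself if needed.
set -eu

# Return 0 if the named chain exists in the ip qubes table.
qubes_chain_exists() {
    nft list chain ip qubes "$1" >/dev/null 2>&1
}

# 4.2's default ruleset ships no nat chain in the qubes table; add one
# on the prerouting hook (dstnat priority) if it is not there yet.
qubes_ensure_nat_chain() {
    if ! qubes_chain_exists nat; then
        nft add chain ip qubes nat '{ type nat hook prerouting priority dstnat; }'
    fi
}

# Return 0 if chain $1 already holds a rule containing the text fragment $2.
# Used to keep the script idempotent instead of appending duplicates.
qubes_rule_present() {
    nft list chain ip qubes "$1" 2>/dev/null | grep -qF -- "$2"
}

# forward_port PROTO PORT DESTINATION
#   Accepts PROTO/PORT on the local input and forward paths and DNATs traffic
#   that did not arrive from a qube interface (vif*) to DESTINATION.
forward_port() {
    proto=$1; port=$2; dest=$3
    case "$proto" in
        tcp|udp) ;;
        *) echo "proto must be tcp or udp" >&2; return 2 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 2 ;;
    esac

    qubes_ensure_nat_chain
    qubes_rule_present custom-input "$proto dport $port accept" \
        || nft add rule ip qubes custom-input "$proto" dport "$port" accept
    qubes_rule_present custom-forward "$proto dport $port accept" \
        || nft add rule ip qubes custom-forward "$proto" dport "$port" accept
    # nft wants "dnat to <addr>"; "vif*" is an nft interface wildcard, the
    # shell quotes only stop the shell from globbing it.
    qubes_rule_present nat "$proto dport $port dnat to $dest" \
        || nft add rule ip qubes nat iifname != "vif*" "$proto" dport "$port" dnat to "$dest"
}

# Usage: ./forward.sh tcp 8000 10.138.0.52
# Run in sys-net with sys-firewall's IP, then in sys-firewall with the target
# qube's IP; the target qube only needs the custom-input accept (second snippet above).
if [ "$#" -eq 3 ]; then
    forward_port "$@"
fi
```

Because `qubes_rule_present` greps the chain listing for the rule text, the script can be re-run after changing the port or destination without piling up stale rules; the old ones still have to be deleted by hand (`nft -a list chain ip qubes nat` shows the handles).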