Hello,
I made a script to ease the work of doing a NAT to expose a qube port to the physical network interface. I wrote a blog post about it. I often need to do that when developing.
https://dataswamp.org/~solene/2024-03-06-qubes-os-nat.html
Source code available on sourcehut: https://git.sr.ht/~solene/qubes-os-nat
It takes 2 mandatory parameters and 1 optional parameter: tcp or udp, tcp by default.

The script will crawl the qube netvm up to the last netvm holding the physical interface, even if it's not named sys-net, and establish the port redirection on all netvms in the path.
The script does not alter qvm-firewall rules, so if you blocked all ports, the redirection will not bypass the firewall. This is on purpose.
The redirection is temporary: if you reboot a qube in the network path, or the qube itself, the redirection will stop working. If you want a permanent redirection, you should script your qubes to do so.
A simple method to copy the script to dom0 is to run this command on dom0:
qvm-run --pass-io sys-firewall "curl https://git.sr.ht/~solene/qubes-os-nat/blob/master/nat.sh" > nat.sh
chmod +x nat.sh
You can put the script wherever you prefer.
If you want to expose port TCP 8080 of a qube named Server type:
./nat.sh Server 8080 tcp
It also works for UDP: replace tcp with udp in the command line.
Currently, there is no way to undo added rules. This is not a huge issue, as rebooting removes the rules, but it's not nice. The rules are added at the top of the related chains, so if you run the script to forward the same port you used before to another qube, it will have a higher priority over the older rules. 👍
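The mechanism the post describes, as an added illustration rather than solene's nat.sh: a dom0 shell script that walks the netvm chain with `qvm-prefs`, then uses `qvm-run -u root --pass-io` to insert nftables rules in every netvm on the path and an input rule in the target qube. It assumes Qubes OS 4.2, where each qube has an `ip qubes` nftables table with `custom-input` and `custom-forward` chains, and it creates its own `custom-dnat-<qube>` prerouting chain; the upstream interface in each netvm is taken from the default route rather than hard-coded as eth0 or sys-net's NIC name. Rules are inserted at the top of their chains, so a later run for the same port wins, and nothing touches qvm-firewall. The function names, the `NAT_DRY_RUN` variable and the chain naming are this example's own choices. `NAT_DRY_RUN=1` prints the commands instead of running them, which is how the logic can be checked outside dom0.

```shell
#!/bin/sh
# Example dom0 script (not solene's nat.sh): expose PORT of QUBE on the
# physical network by DNAT-ing through every netvm between it and the
# outside. Assumes Qubes OS 4.2 nftables layout (table "ip qubes" with
# custom-input / custom-forward chains). Run as: ./nat-example.sh QUBE PORT [tcp|udp]
set -eu

# Qubes Admin API lookups; overridable for dry runs outside dom0.
netvm_of() { qvm-prefs "$1" netvm; }   # empty output = no upstream netvm
ip_of()    { qvm-prefs "$1" ip; }

# Run a shell snippet as root inside a qube, or just print it when NAT_DRY_RUN is set.
run_in() {
    if [ -n "${NAT_DRY_RUN:-}" ]; then
        printf '[%s] %s\n' "$1" "$2"
    else
        printf '%s\n' "$2" | qvm-run -u root --pass-io "$1" sh
    fi
}

# Print the qube followed by each netvm up to the one with no netvm
# (the one holding the physical interface, whatever it is called).
netvm_path() {
    cur=$1; list=$cur; hops=0
    while :; do
        next=$(netvm_of "$cur")
        [ -n "$next" ] || break
        list="$list $next"; cur=$next
        hops=$((hops + 1))
        [ "$hops" -le 16 ] || { echo "netvm chain too long (loop?)" >&2; return 1; }
    done
    echo "$list"
}

nat_forward() {
    [ $# -ge 2 ] || { echo "usage: nat_forward QUBE PORT [tcp|udp]" >&2; return 1; }
    qube=$1; port=$2; proto=${3:-tcp}
    case "$proto" in tcp|udp) ;; *) echo "protocol must be tcp or udp" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac

    path=$(netvm_path "$qube")
    # The target qube must accept the traffic itself (qvm-firewall rules are untouched).
    run_in "$qube" "nft insert rule ip qubes custom-input $proto dport $port accept"

    set -- $path; shift          # drop the qube itself; remaining are netvms, nearest first
    prev=$qube
    for vm in "$@"; do
        target=$(ip_of "$prev")  # next hop towards the qube, as seen from this netvm
        snippet=$(cat <<EOF
IF=\$(ip -4 route show default | awk '{ for (i = 1; i <= NF; i++) if (\$i == "dev") { print \$(i+1); exit } }')
nft add chain ip qubes custom-dnat-$qube '{ type nat hook prerouting priority dstnat ; policy accept ; }'
nft insert rule ip qubes custom-dnat-$qube iifname "\$IF" $proto dport $port dnat to $target
nft insert rule ip qubes custom-forward iifname "\$IF" ip daddr $target $proto dport $port accept
EOF
)
        run_in "$vm" "$snippet"
        prev=$vm
    done
}

# Only act when called with arguments, so the file can also be sourced for its functions.
[ $# -eq 0 ] || nat_forward "$@"
```

Like the script in the post, the rules live only in the running qubes' nftables and vanish on reboot; `nft add chain` is idempotent, so repeated runs simply stack newer rules on top of older ones.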