If you have another qube you need to control (like a Windows HVM) - on sys-firewall:
`sudo nft add rule ip qubes custom-forward ip saddr <IP of sys-synergy> ip daddr <IP of Windows HVM> ct state new,established,related counter accept`
I haven't looked at the rules created directly, and it does have a --persistent flag that can be used to save them.
If passed the `persistent` flag, it creates rules in `/rw/config/network-hooks.d/90-port-forward-<name>`.
I ran the script with that flag, and here are the files it created:
sys-net:
```
user@sys-net:/rw/config/network-hooks.d$ cat 90-port-forward-<sys-firewall IP>-tcp-24800.sh
#!/bin/sh
# Print the handle of every rule in chain ${1} whose text is exactly ${2},
# so an earlier copy can be deleted before the rule is added again.
get_handle(){
    chain=${1}
    rule=${2}
    # Double quotes: ${rule} has to expand inside the grep pattern.
    nft --handle --stateless list chain ip qubes ${chain} | tr -d '"' | grep "^\s\+${rule} \# handle " | awk '{print $NF}' | tr "\n" " "
}
# Remove any existing copy of the forward rule
forward_handle=$(get_handle custom-forward "iifname ens6 ip saddr <Allowed Source Network> ip daddr <sys-firewall IP> tcp dport 24800 ct state established,related,new counter accept")
if test -n "${forward_handle:-}"; then
    for h in ${forward_handle}; do
        nft delete rule ip qubes custom-forward handle ${h}
    done
fi
# Remove any existing copy of the DNAT rule
dnat_handle=$(get_handle custom-pf-10-138-31-131 "iifname ens6 ip saddr <Allowed Source Network> tcp dport 24800 ct state established,related,new counter dnat to <sys-firewall IP>")
if test -n "${dnat_handle:-}"; then
    for h in ${dnat_handle}; do
        nft delete rule ip qubes custom-pf-10-138-31-131 handle ${h}
    done
fi
# (Re)create the prerouting DNAT chain, then add the DNAT and forward rules
nft 'add chain ip qubes custom-pf-10-138-31-131 { type nat hook prerouting priority filter +1; policy accept; }
add rule ip qubes custom-pf-10-138-31-131 iifname ens6 ip saddr <Allowed Source Network> tcp dport 24800 ct state established,related,new counter dnat to <sys-firewall IP>
add rule ip qubes custom-forward iifname ens6 ip saddr <Allowed Source Network> ip daddr <sys-firewall IP> tcp dport 24800 ct state established,related,new counter accept'
```
sys-firewall:
--- Changes are made on the DispVM template itself, as sys-firewall is disposable...
```
user@default-dvm:/rw/config/network-hooks.d$ cat 90-port-forward-<sys-synergy IP>-tcp-24800.sh
#!/bin/sh
# Print the handle of every rule in chain ${1} whose text is exactly ${2},
# so an earlier copy can be deleted before the rule is added again.
get_handle(){
    chain=${1}
    rule=${2}
    # Double quotes: ${rule} has to expand inside the grep pattern.
    nft --handle --stateless list chain ip qubes ${chain} | tr -d '"' | grep "^\s\+${rule} \# handle " | awk '{print $NF}' | tr "\n" " "
}
# Remove any existing copy of the forward rule
forward_handle=$(get_handle custom-forward "iifname eth0 ip saddr <Allowed Source Network> ip daddr <sys-synergy IP> tcp dport 24800 ct state established,related,new counter accept")
if test -n "${forward_handle:-}"; then
    for h in ${forward_handle}; do
        nft delete rule ip qubes custom-forward handle ${h}
    done
fi
# Remove any existing copy of the DNAT rule
dnat_handle=$(get_handle custom-pf-10-137-0-16 "iifname eth0 ip saddr <Allowed Source Network> tcp dport 24800 ct state established,related,new counter dnat to <sys-synergy IP>")
if test -n "${dnat_handle:-}"; then
    for h in ${dnat_handle}; do
        nft delete rule ip qubes custom-pf-10-137-0-16 handle ${h}
    done
fi
# (Re)create the prerouting DNAT chain, then add the DNAT and forward rules
nft 'add chain ip qubes custom-pf-10-137-0-16 { type nat hook prerouting priority filter +1; policy accept; }
add rule ip qubes custom-pf-10-137-0-16 iifname eth0 ip saddr <Allowed Source Network> tcp dport 24800 ct state established,related,new counter dnat to <sys-synergy IP>
add rule ip qubes custom-forward iifname eth0 ip saddr <Allowed Source Network> ip daddr <sys-synergy IP> tcp dport 24800 ct state established,related,new counter accept'
```
sys-synergy:
```
user@sys-synergy:/rw/config/network-hooks.d$ cat 90-port-forward-<sys-synergy IP>-tcp-24800.sh
#!/bin/sh
# Print the handle of every rule in chain ${1} whose text is exactly ${2},
# so an earlier copy can be deleted before the rule is added again.
get_handle(){
    chain=${1}
    rule=${2}
    # Double quotes: ${rule} has to expand inside the grep pattern.
    nft --handle --stateless list chain ip qubes ${chain} | tr -d '"' | grep "^\s\+${rule} \# handle " | awk '{print $NF}' | tr "\n" " "
}
# Remove any existing copy of the input rule, then accept new connections to the Synergy port
input_handle=$(get_handle custom-input "tcp dport 24800 ip daddr <sys-synergy IP> ct state new counter accept")
if test -n "${input_handle:-}"; then
    for h in ${input_handle}; do
        nft delete rule ip qubes custom-input handle ${h}
    done
fi
nft add rule ip qubes custom-input tcp dport 24800 ip daddr <sys-synergy IP> ct state new counter accept
```
I got this all working yesterday, and wanted to get this out there for those it may help. This was a blocker for me even thinking about using Qubes on a daily basis, as I share my keyboard / mouse between my personal desktop and my work laptop. But I do like the idea of being able to compartmentalize things, so I looked to find a reasonable solution, and I think this works reasonably well. But I also acknowledge that this is still unacceptable for some.
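The delete-then-add step that each generated hook above performs, written as a reusable POSIX sh helper (added here as an example; it is not from the post or from the Qubes port-forward script). It runs offline against a constructed nft listing; the function names, the sample IPs and the duplicated Windows-HVM forward rule are assumptions.

```shell
#!/bin/sh
# Added example, not the post's or the Qubes script's own code: the
# "delete existing copies, then add once" step the generated
# 90-port-forward-* hooks perform, as a helper that works on any
# custom-* chain. Function names, chain and IPs are assumptions.

# Print the handle of every rule in the listing (stdin) whose text is exactly $1.
# nft prints interface names quoted ("eth0"), so quotes are stripped first, and
# the pattern is anchored on the whole line so a rule that is merely a prefix
# of a longer rule does not match it.
handles_for_rule() {
    rule=$1
    tr -d '"' | grep "^[[:space:]]*${rule} # handle [0-9][0-9]*$" | awk '{print $NF}'
}

# Emit an nft script (for `nft -f -`) that removes every existing copy of
# rule $2 from chain $1 of table ip qubes and then adds exactly one copy.
refresh_rule() {
    chain=$1
    rule=$2
    for h in $(handles_for_rule "$rule"); do
        printf 'delete rule ip qubes %s handle %s\n' "$chain" "$h"
    done
    printf 'add rule ip qubes %s %s\n' "$chain" "$rule"
}

# Constructed listing, shaped like `nft --handle --stateless list chain ip qubes custom-forward`
# output: the Windows-HVM forward rule is present twice (handles 7 and 9), which is
# what repeated hook runs leave behind when the handle lookup never matches.
SAMPLE_LISTING='table ip qubes {
    chain custom-forward {
        iifname "eth0" ip saddr 10.137.0.20 ip daddr 10.137.0.30 ct state established,related,new counter accept # handle 7
        iifname "eth0" ip saddr 10.137.0.20 ip daddr 10.137.0.30 ct state established,related,new counter accept # handle 9
        iifname "eth0" ip saddr 10.137.0.20 ip daddr 10.137.0.16 tcp dport 24800 ct state established,related,new counter accept # handle 11
    }
}'
WIN_RULE='iifname eth0 ip saddr 10.137.0.20 ip daddr 10.137.0.30 ct state established,related,new counter accept'

# Plan against the sample. On a real sys-firewall the listing would come from nft itself:
#   nft --handle --stateless list chain ip qubes custom-forward | refresh_rule custom-forward "$WIN_RULE" | sudo nft -f -
plan_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | refresh_rule custom-forward "$WIN_RULE"
}
plan_sample
```

Running the plan yields two `delete rule ... handle` lines followed by a single `add rule`, so the chain ends up with one copy of the rule no matter how many times the hook ran before.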