These are the settings I've used:
sys-net:
route traffic from outside to sys-firewall
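# sys-net: DNAT inbound TCP/51413 that arrives on the wireless uplink (wls7)
# for this qube's LAN address to sys-firewall (10.137.0.6). `-w` waits for the
# xtables lock instead of failing if another iptables process holds it.
# `-A` appends a fresh copy every time it is run; check with
# `iptables -t nat -L PREROUTING -n` before re-running to avoid duplicates.
sudo iptables -w -t nat -A PREROUTING -i wls7 -p tcp --dport 51413 -d 192.168.1.25 -j DNAT --to-destination 10.137.0.6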
open firewall for traffic from sys-net
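# sys-net: accept the NEW connection towards sys-firewall in FORWARD. The
# iptables rule and the rule in the qubes-firewall nft table are kept in step
# with each other, as every rule pair on this page is. The iptables rule is
# inserted at position 2, ahead of the rules already in the chain. Neither rule
# restricts the source address, so any host that can reach wls7 matches; the
# sys-firewall rule further down does restrict it to 192.168.1.0/24.
sudo iptables -w -I FORWARD 2 -i wls7 -d 10.137.0.6 -p tcp --dport 51413 -m conntrack --ctstate NEW -j ACCEPT
sudo nft add rule ip qubes-firewall forward meta iifname wls7 ip daddr 10.137.0.6 tcp dport 51413 ct state new counter accept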
sys-firewall:
route traffic from sys-net to sys-firewall
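# sys-firewall: second DNAT hop. Traffic that sys-net already redirected to
# this qube (10.137.0.6) is forwarded on to transmission-vm (10.137.0.19).
# `-w` waits for the xtables lock rather than failing on contention; `-A`
# appends a duplicate each time it is re-run, so check the chain first.
sudo iptables -w -t nat -A PREROUTING -i eth0 -p tcp --dport 51413 -d 10.137.0.6 -j DNAT --to-destination 10.137.0.19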
open the firewall for this traffic
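# sys-firewall: accept the NEW connection towards transmission-vm in FORWARD,
# in both iptables and the qubes-firewall nft table. The nft command is a
# single line (it was wrapped by the mail client). The source prefix is
# written in canonical network form: `192.168.1.25/24` has host bits set,
# which nft at best silently masks. Only clients inside 192.168.1.0/24 (the
# LAN) match the nft rule; a connection the router forwards from outside the
# LAN has a different source address and is not accepted by it. The iptables
# rule has no such source filter, so the two are not equivalent.
sudo iptables -w -I FORWARD 2 -i eth0 -d 10.137.0.19 -p tcp --dport 51413 -m conntrack --ctstate NEW -j ACCEPT
sudo nft add rule ip qubes-firewall forward meta iifname eth0 ip saddr 192.168.1.0/24 ip daddr 10.137.0.19 tcp dport 51413 ct state new counter accept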
transmission-vm:
/rw/config/rc.local
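######################
# My service filtering (transmission, TCP+UDP 51413)
# Create the filtering chain for the service. `-N` fails when the chain
# already exists, so the ACCEPT rule is added only on first creation and
# re-running this script does not pile up duplicates.
if iptables -w -N MY-HTTPS; then
  iptables -w -A MY-HTTPS -j ACCEPT
fi

# Insert the INPUT jump for one protocol ($1 = udp|tcp), but only if that
# exact rule is not already present. `-C` tests for the precise rule, which
# is stricter than grepping the chain listing for the chain name; its
# "no such rule" diagnostic on stderr is expected, hence the redirect.
# The destination is this qube's own address: the sys-firewall DNAT sends the
# traffic to 10.137.0.19, so a rule matching sys-firewall's 10.137.0.6 here
# would never see a packet.
add_input_rule() {
  if ! iptables -w -C INPUT -d 10.137.0.19 -p "$1" --dport 51413 -m conntrack --ctstate NEW -j MY-HTTPS 2>/dev/null; then
    iptables -w -I INPUT 5 -d 10.137.0.19 -p "$1" --dport 51413 -m conntrack --ctstate NEW -j MY-HTTPS
  fi
}
# udp first, then tcp, so tcp ends up at position 5 and udp at 6 as before.
add_input_rule udp
add_input_rule tcp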