Networking between Linux and Windows VMs


Micah Lee

Sep 4, 2016, 1:50:24 PM
to qubes-users
I've installed Windows 10 in an HVM (called dev-win10), and I'd like to
be able to connect to its RDP service from a Linux VM (called dev).

The documentation [1] says both VMs need the same netvm, and in that
netvm I need to enable an iptables rule to let dev communicate with
dev-win10:

iptables -I FORWARD 2 -s $DEV -d $DEV_WIN10 -j ACCEPT

Then in the VM that will be hosting the service, dev-win10 in this case, I
need to allow incoming connections from the source IP:

iptables -I INPUT -s $DEV -j ACCEPT

This seems to work fine if the VM hosting the service is Linux. Since
it's Windows I obviously just need to allow access using the Windows
Firewall instead of with iptables.

It sure seems like I'm allowing all inbound connections to the Remote
Desktop service in the Windows Firewall [2], however when I try
connecting to it from dev it times out.

I've also tried running a simple http server using python3:

python3 -m http.server

And I allowed python.exe through the Windows firewall, but I can't
connect to that service either. When I try the same experiment in a
Linux VM, I can connect to it fine from dev.

Any idea what I'm missing?

[1] https://www.qubes-os.org/doc/qubes-firewall/#tocAnchor-1-1-4
[2] https://i.imgur.com/PyrKLAm.png

Connor Page

Sep 5, 2016, 5:44:05 PM
to qubes-users
they should be connected to the same firewallvm, not netvm. iptables in netvms are set up differently.

Micah Lee

Sep 5, 2016, 6:04:27 PM
to qubes...@googlegroups.com
On 09/05/2016 02:44 PM, Connor Page wrote:
> they should be connected to the same firewallvm, not netvm. iptables in netvms are set up differently.

They are connected to the same firewallvm. And I've successfully gotten
networking working between two Linux VMs using this firewallvm. It's
just not working with one of the VMs being a Windows HVM.

Daniel Wilcox

Sep 5, 2016, 6:23:42 PM
to Micah Lee, qubes-users
Hi Micah, you're taking the opposite of the usual strategy I do on my extra firewall vms -- by adding a rule rather than removing one. Could you try on the appropriate firewall vm:

iptables -D FORWARD 3  # where rule 3 should be the rule to drop all packets between the vif interfaces

This should be equivalent to what you're doing but might be worth a check.  Also I'm sure you've noticed whenever the firewall vm has a change to its rules, it'll reload and we have to re-execute this (anyone have ideas for that btw?).

Two other things I just want to check you've remembered to do:

- specifically *allow* forwarding to the vm ip block for each of the vms that need to communicate -- aka add 10.137.5.0/24 or whatever to the firewall rules of each vm

- configure the host OS's input chain to allow connections in on the given port from any, or at least related and the other vm ip -- this one I have forgotten before on HVMs and been very confused lol... a whole OS...wat

Hope that gives you some ideas.  I take it you are also doing something like 'tcpdump -i vifX.0 icmp' to catch any icmp reject messages, if not that's a good idea too -- though mostly to see the reject messages from misconfigured forwarding.

Cheers,

=D

anyone know how to do 'nc -l 9000' on windoze?  that's always a handy test



3n7r...@gmail.com

Sep 5, 2016, 10:22:12 PM
to qubes-users, mi...@micahflee.com
On Monday, September 5, 2016 at 10:23:42 PM UTC, Daniel Wilcox wrote:
> Hi Micah, you're taking the opposite of the usual strategy I do on my extra firewall vms -- by adding a rule rather than removing one. Could you try on the appropriate firewall vm:
>
> iptables -D FORWARD 3  # where rule 3 should be the rule to drop all packets between the vif interfaces
>

Before opening up your firewallVM, please narrow down the issue to either the firewallVM or dev_win10 by completely disabling Windows Firewall. It's questionable whether you're gaining any protection from Windows Firewall anyway (wrt Qubes philosophy).

Go to Control Panel > Windows Firewall > Turn Windows Firewall on or off:

First, confirm that `Block all incoming connections` is unchecked! As a paranoid user, you might have set this and then forgotten.

Then, `Turn off Windows Firewall` for *both* profiles. No reboot. Initiate RDP session from dev.


> This should be equivalent to what you're doing but might be worth a check.  Also I'm sure you've noticed whenever the firewall vm has a change to its rules, it'll reload and we have to re-execute this (anyone have ideas for that btw?).

https://www.qubes-os.org/doc/qubes-firewall/#tocAnchor-1-1-4
(see "qubes-firewall-user-script")
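
Added example (not part of any post in this thread, and not Qubes project code): one way to make the FORWARD rule from the first message survive firewall reloads, written to be installed as the firewallvm's qubes-firewall-user-script. It keeps the thread's insert position 2 but narrows the rule to RDP's TCP port 3389 and skips the insert when the rule already exists; the IP addresses, `is_ipv4`, `allow_forward` and the `IPT` override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Re-applies the dev -> dev-win10 rule
# each time the firewallvm reloads its rules.
DEV=10.137.5.10        # constructed placeholder: IP of dev (RDP client)
DEV_WIN10=10.137.5.11  # constructed placeholder: IP of dev-win10 (RDP server)
IPT=${IPT:-iptables}   # overridable so the logic can be exercised without root

# Accept only a single dotted-quad host address: no CIDR ranges, no hostnames.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Insert "src -> dst, TCP dport" at FORWARD position 2 unless already present.
# Returns 0 when the rule is in place afterwards, 2 on invalid input.
allow_forward() {
    src=$1 dst=$2 port=$3
    is_ipv4 "$src" && is_ipv4 "$dst" || return 2
    case $port in ''|*[!0-9]*) return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 2
    set -- FORWARD -s "$src" -d "$dst" -p tcp --dport "$port" -j ACCEPT
    # -C exits 0 when an identical rule exists, so reloads never stack copies.
    $IPT -C "$@" 2>/dev/null && return 0
    chain=$1; shift
    $IPT -I "$chain" 2 "$@"
}

# Apply only when this file is installed under the hook's name.
case ${0##*/} in
    qubes-firewall-user-script) allow_forward "$DEV" "$DEV_WIN10" 3389 ;;
esac
```

The Windows side still needs its own inbound allowance for the same source address and port; this script only covers forwarding in the firewallvm.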