[user@sys-net ~]$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 192.168.0.157 -j DNAT --to-destination 10.137.0.6
[user@sys-net ~]$ sudo iptables -I FORWARD 2 -i eth0 -d 10.137.1.6 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
[user@sys-net ~]$ sudo nft add rule ip qubes-firewall forward meta iifname eth0 ip daddr 10.137.0.6 tcp dport 443 ct state new counter accept
[user@sys-net ~]$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 3 packets, 156 bytes)
pkts bytes target prot opt in out source destination
15233 807K PR-QBS all -- * * 0.0.0.0/0 0.0.0.0/0
15220 806K PR-QBS-SERVICES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 192.168.0.157 tcp dpt:443 to:10.137.0.6
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1546 packets, 104K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * vif+ 0.0.0.0/0 0.0.0.0/0
3 156 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
30894 2067K MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PR-QBS (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.1 udp dpt:53 to:10.139.1.1
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.1 tcp dpt:53 to:10.139.1.1
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.2 udp dpt:53 to:10.139.1.2
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.2 tcp dpt:53 to:10.139.1.2
Chain PR-QBS-SERVICES (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- vif+ * 0.0.0.0/0 10.137.255.254 tcp dpt:8082
[user@sys-net ~]$ sudo iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- vif+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8082
0 0 DROP udp -- vif+ * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
44760 4252K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- vif+ * 0.0.0.0/0 0.0.0.0/0
3 156 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- vif+ * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
62 2480 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
660K 438M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.137.1.6 tcp dpt:443 ctstate NEW
163 8531 QBS-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- vif+ vif+ 0.0.0.0/0 0.0.0.0/0
163 8531 ACCEPT all -- vif+ * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 3220 packets, 216K bytes)
pkts bytes target prot opt in out source destination
Chain QBS-FORWARD (1 references)
pkts bytes target prot opt in out source destination
[user@sys-net ~]$ nft list table ip qubes-firewall
internal:0:0-0: Error: Could not receive tables from kernel: Operation not permitted
[user@sys-net ~]$ sudo nft list table ip qubes-firewall
table ip qubes-firewall {
chain forward {
type filter hook forward priority 0; policy drop;
ct state established,related accept
ip saddr 10.137.0.6 jump qbs-10-137-0-6
iifname "eth0" ip daddr 10.137.0.6 tcp dport https ct state new counter packets 0 bytes 0 accept
}
chain qbs-10-137-0-6 {
accept
drop
}
}
[user@sys-net ~]$ telnet 192.168.0.157 443
bash: telnet: command not found...
Install package 'telnet' to provide command 'telnet'? [N/y] n
Then I did the same following the sys-firewall instructions:
[user@sys-firewall ~]$ ifconfig | grep -i cast
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.137.0.6 netmask 255.255.255.255 broadcast 10.255.255.255
vif4.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.137.0.6 netmask 255.255.255.255 broadcast 0.0.0.0
vif5.0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 10.137.0.6 netmask 255.255.255.255 broadcast 0.0.0.0
vif6.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.137.0.6 netmask 255.255.255.255 broadcast 0.0.0.0
[user@sys-firewall ~]$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 10.137.0.6 -j DNAT --to-destination 10.137.0.23
[user@sys-firewall ~]$ sudo iptables -I FORWARD 2 -i eth0 -s 192.168.0.1/24 -d 10.137.0.23 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
[user@sys-firewall ~]$ sudo nft add rule ip qubes-firewall forward meta iifname eth0 ip saddr 192.168.0.1/24 ip daddr 10.137.0.23 tcp dport 443 ct state new counter accept
[user@sys-firewall ~]$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 1 packets, 52 bytes)
pkts bytes target prot opt in out source destination
2363 133K PR-QBS all -- * * 0.0.0.0/0 0.0.0.0/0
2354 132K PR-QBS-SERVICES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 10.137.0.6 tcp dpt:443 to:10.137.0.23
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * vif+ 0.0.0.0/0 0.0.0.0/0
3 156 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
2262 117K MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PR-QBS (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.1 udp dpt:53 to:10.139.1.1
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.1 tcp dpt:53 to:10.139.1.1
9 625 DNAT udp -- * * 0.0.0.0/0 10.139.1.2 udp dpt:53 to:10.139.1.2
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.2 tcp dpt:53 to:10.139.1.2
Chain PR-QBS-SERVICES (1 references)
pkts bytes target prot opt in out source destination
Then I wanted to forward ports 80 and 8080 as well, and did it on sys-net, but now the packets are not passed on to sys-firewall. I'm stuck on this issue:
[user@sys-net ~]$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -d 192.168.0.157 -j DNAT --to-destination 10.137.0.6
[user@sys-net ~]$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 192.168.0.157 -j DNAT --to-destination 10.137.0.6
Bad argument `192.168.0.157'
Try `iptables -h' or 'iptables --help' for more information.
[user@sys-net ~]$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -d 192.168.0.157 -j DNAT --to-destination 10.137.0.6
[user@sys-net ~]$ sudo iptables -I FORWARD 2 -i eth0 -d 10.137.1.6 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
[user@sys-net ~]$ sudo iptables -I FORWARD 2 -i eth0 -d 10.137.1.6 -p tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
[user@sys-net ~]$ sudo nft add rule ip qubes-firewall forward meta iifname eth0 ip daddr 10.137.0.6 tcp dport 80 ct state new counter accept
[user@sys-net ~]$ sudo nft add rule ip qubes-firewall forward meta iifname eth0 ip daddr 10.137.0.6 tcp dport 8080 ct state new counter accept
[user@sys-net ~]$ iptables -t nat -L -v -n
iptables v1.6.1: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
[user@sys-net ~]$ sudo iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- vif+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8082
0 0 DROP udp -- vif+ * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
46258 4394K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- vif+ * 0.0.0.0/0 0.0.0.0/0
3 156 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- vif+ * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
62 2480 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
708K 456M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.137.1.6 tcp dpt:8080 ctstate NEW
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.137.1.6 tcp dpt:80 ctstate NEW
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.137.1.6 tcp dpt:443 ctstate NEW
164 8583 QBS-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- vif+ vif+ 0.0.0.0/0 0.0.0.0/0
164 8583 ACCEPT all -- vif+ * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 36 packets, 2412 bytes)
pkts bytes target prot opt in out source destination
Chain QBS-FORWARD (1 references)
pkts bytes target prot opt in out source destination
[user@sys-net ~]$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
15234 807K PR-QBS all -- * * 0.0.0.0/0 0.0.0.0/0
15221 806K PR-QBS-SERVICES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 192.168.0.157 tcp dpt:443 to:10.137.0.6
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 192.168.0.157 tcp dpt:80 to:10.137.0.6
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 192.168.0.157 tcp dpt:8080 to:10.137.0.6
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 52 packets, 3484 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * vif+ 0.0.0.0/0 0.0.0.0/0
3 156 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
32684 2187K MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PR-QBS (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.1 udp dpt:53 to:10.139.1.1
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.1 tcp dpt:53 to:10.139.1.1
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.2 udp dpt:53 to:10.139.1.2
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.2 tcp dpt:53 to:10.139.1.2
Chain PR-QBS-SERVICES (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- vif+ * 0.0.0.0/0 10.137.255.254 tcp dpt:8082
Even if it starts to work, do I need to do the same for sys-whonix and the VPN VM?
(I use a VPN set up with https://github.com/tasket/Qubes-vpn-support)
Please put me on the right track. Thanks!
P.S.: Sorry for my bad English :(
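Each hop shown above (sys-net, then sys-firewall) needs three rules: a DNAT in the nat PREROUTING chain, an accept for the NEW connection in the iptables FORWARD chain, and the same accept in the nft qubes-firewall table, and the DNAT target and the FORWARD destination must name the same address or the connection is dropped by the FORWARD policy while the DNAT counter stays at 0. The script below is an added example, not code from the original post or from the Qubes project. It builds all three rules for a hop from a single next-hop variable, so the two addresses cannot drift apart, and it checks a pasted `iptables -L -v -n` listing for DNAT targets that no FORWARD accept covers. The interface name, the addresses and the 192.168.0.0/24 prefix are assumptions taken from the listings above for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates the DNAT and
# FORWARD rules for one Qubes port-forwarding hop from one NEXT_HOP value and
# checks an existing rule listing for DNAT targets no FORWARD ACCEPT covers.
# Interface names and addresses below are assumptions for illustration.

# Rule that rewrites the destination in the nat table.
dnat_rule() {   # in_if ext_addr port next_hop
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -d %s -j DNAT --to-destination %s\n' \
        "$1" "$3" "$2" "$4"
}

# Filter rule accepting the NEW connection, inserted at position 2, i.e. right
# after the RELATED,ESTABLISHED accept that Qubes puts first in FORWARD.
# Optional 4th argument restricts the source network.
forward_rule_iptables() {   # in_if port next_hop [src_net]
    if [ -n "$4" ]; then
        printf 'iptables -I FORWARD 2 -i %s -s %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$1" "$4" "$3" "$2"
    else
        printf 'iptables -I FORWARD 2 -i %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$1" "$3" "$2"
    fi
}

# Same accept in the nftables table that Qubes 4.0 keeps alongside iptables.
forward_rule_nft() {   # in_if port next_hop [src_net]
    if [ -n "$4" ]; then
        printf 'nft add rule ip qubes-firewall forward meta iifname %s ip saddr %s ip daddr %s tcp dport %s ct state new counter accept\n' \
            "$1" "$4" "$3" "$2"
    else
        printf 'nft add rule ip qubes-firewall forward meta iifname %s ip daddr %s tcp dport %s ct state new counter accept\n' \
            "$1" "$3" "$2"
    fi
}

# All rules for one hop and any number of ports. The 3rd argument feeds both
# the DNAT target and the FORWARD destination. Pass "" as src_net for "any".
hop_rules() {   # in_if ext_addr next_hop src_net port...
    in_if=$1; ext_addr=$2; next_hop=$3; src_net=$4; shift 4
    for port in "$@"; do
        dnat_rule "$in_if" "$ext_addr" "$port" "$next_hop"
        forward_rule_iptables "$in_if" "$port" "$next_hop" "$src_net"
        forward_rule_nft "$in_if" "$port" "$next_hop" "$src_net"
    done
}

# Read `iptables -t nat -L -v -n` output (file 1) and `iptables -L -v -n`
# output (file 2); print every DNAT "ADDR:PORT" target that has no FORWARD
# ACCEPT rule with exactly that destination and port. No output = consistent.
missing_forward_accepts() {   # nat_listing filter_listing
    awk '
        FNR == NR {
            if ($3 == "DNAT" && $4 == "tcp") {
                port = $11; sub(/^dpt:/, "", port)
                to = $12;   sub(/^to:/, "", to)
                want[to ":" port] = 1
            }
            next
        }
        /^Chain / { in_fwd = ($2 == "FORWARD"); next }
        in_fwd && $3 == "ACCEPT" && $4 == "tcp" {
            port = $11; sub(/^dpt:/, "", port)
            have[$9 ":" port] = 1
        }
        END { for (k in want) if (!(k in have)) print k }
    ' "$1" "$2" | sort
}

# Demo on constructed listings shaped like those in the post: the DNAT for 443
# points at 10.137.0.6 while the FORWARD accept names 10.137.1.6.
tmp=$(mktemp -d)
cat > "$tmp/nat" <<'EOF'
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 DNAT tcp -- eth0 * 0.0.0.0/0 192.168.0.157 tcp dpt:443 to:10.137.0.6
    0     0 DNAT tcp -- eth0 * 0.0.0.0/0 192.168.0.157 tcp dpt:80 to:10.137.0.6
EOF
cat > "$tmp/filter" <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 660K  438M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.137.1.6 tcp dpt:443 ctstate NEW
    0     0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.137.0.6 tcp dpt:80 ctstate NEW
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
EOF
echo "# DNAT targets without a matching FORWARD accept:"
missing_forward_accepts "$tmp/nat" "$tmp/filter"   # prints 10.137.0.6:443
echo "# rules for the sys-net hop (assumed addresses):"
hop_rules eth0 192.168.0.157 10.137.0.6 "" 443 80
echo "# rules for the sys-firewall hop (assumed addresses):"
hop_rules eth0 10.137.0.6 10.137.0.23 192.168.0.0/24 443 80
rm -rf "$tmp"
```

The functions only print commands; review the output and then pipe it into `sh` as root inside the VM in question. Rules added by hand do not survive a VM restart, so once they work they belong in `/rw/config/rc.local` on sys-net and `/rw/config/qubes-firewall-user-script` on sys-firewall, the files Qubes runs for user firewall rules. Any further VM in the chain (a VPN VM, sys-whonix) is one more hop with the same three rules and its own next-hop address.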