Qube R4: Portforwarding (for torrent)


anarcomnor

Oct 24, 2019, 11:49:47 AM
to qubes...@googlegroups.com
Hello dear qubers!

I've been following this guide on how to open a port to the outside world with the intention of allowing Transmission to connect, but I'm struggling. Transmission does not find any peers and testing the port says it's closed. I've been following the guide very carefully and done the commands with both tcp and udp protocols. The port has been opened in the router.

One thing I've been somewhat confused about is which interface I should use when entering the commands. The examples always use eth0, but in my case the physical NIC is called wls7 (even though it actually sometimes changes to wls6, which doesn't make it easier, but let's just say it's wls7).

As far as I understand, wls7 is only used when applying rules in sys-net since it is the only VM that can actually connect to it, so I'm hoping that's correct.

I've tried switching things around, hoping to more or less stumble on a configuration that works, but nothing seems to. Now I'm somewhat worried that there are rules in place that might be conflicting and that this might actually be the cause of my issue now.

The way it's set up is I have a qube called Transmission connecting to sys-firewall which again connects to sys-net.

Can anyone help me out here?

anarcomnor

Oct 24, 2019, 12:00:57 PM
to qubes...@googlegroups.com
These are settings I've used:
sys-net:

route traffic from outside to sys-firewall

sudo iptables -t nat -A PREROUTING -i wls7 -p tcp --dport 51413 -d 192.168.1.25 -j DNAT --to-destination 10.137.0.6

open firewall for traffic from sys-net

sudo iptables -I FORWARD 2 -i wls7 -d 10.137.0.6 -p tcp --dport 51413 -m conntrack --ctstate NEW -j ACCEPT
sudo nft add rule ip qubes-firewall forward meta iifname wls7 ip daddr 10.137.0.6 tcp dport 51413 ct state new counter accept

sys-firewall:

route traffic from sys-net to sys-firewall

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 51413 -d 10.137.0.6 -j DNAT --to-destination 10.137.0.19

open traffic in firewall

sudo iptables -I FORWARD 2 -i eth0 -d 10.137.0.19 -p tcp --dport 51413 -m conntrack --ctstate NEW -j ACCEPT
sudo nft add rule ip qubes-firewall forward meta iifname eth0 ip saddr 192.168.1.25/24 ip daddr 10.137.0.19 tcp dport 51413 ct state new counter accept

transmission-vm:

/rw/config/rc.local

######################
# My service filtering

# Create a new firewall filtering chain for my service
if iptables -w -N MY-HTTPS; then
  # Add a filtering rule if it did not exist (to avoid clutter if script executed multiple times)
  iptables -w -A MY-HTTPS -j ACCEPT
fi

# If no input rule exists for my service
if ! iptables -w -n -L INPUT | grep --quiet MY-HTTPS; then
  # add a forward rule for the traffic (same reason)
  iptables -w -I INPUT 5 -d 10.137.0.6 -p udp --dport 51413 -m conntrack --ctstate NEW -j MY-HTTPS
  iptables -w -I INPUT 5 -d 10.137.0.6 -p tcp --dport 51413 -m conntrack --ctstate NEW -j MY-HTTPS
fi
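
A consistency check for the forwarding path listed in the message above, added here as an example and not part of the thread or of the Qubes documentation: it follows the packet's destination address through each DNAT and reports any rule whose -d can no longer match it. The rule strings are the iptables lines as posted (sudo and the nft lines left out); the names RULES, HOPS, parse and check_path are made up for this example, and 10.137.0.19 is assumed to be the Transmission qube's address because that is where the sys-firewall DNAT points.

```python
import shlex

# Constructed input: the iptables lines as listed in the post above, keyed by qube.
RULES = {
    "sys-net": [
        "iptables -t nat -A PREROUTING -i wls7 -p tcp --dport 51413 -d 192.168.1.25 -j DNAT --to-destination 10.137.0.6",
        "iptables -I FORWARD 2 -i wls7 -d 10.137.0.6 -p tcp --dport 51413 -m conntrack --ctstate NEW -j ACCEPT",
    ],
    "sys-firewall": [
        "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 51413 -d 10.137.0.6 -j DNAT --to-destination 10.137.0.19",
        "iptables -I FORWARD 2 -i eth0 -d 10.137.0.19 -p tcp --dport 51413 -m conntrack --ctstate NEW -j ACCEPT",
    ],
    "transmission-vm": [
        "iptables -w -I INPUT 5 -d 10.137.0.6 -p udp --dport 51413 -m conntrack --ctstate NEW -j MY-HTTPS",
        "iptables -w -I INPUT 5 -d 10.137.0.6 -p tcp --dport 51413 -m conntrack --ctstate NEW -j MY-HTTPS",
    ],
}
HOPS = ["sys-net", "sys-firewall", "transmission-vm"]  # outermost qube first

def parse(rule):
    """Extract the fields the check needs from one iptables command line."""
    tok = shlex.split(rule)
    opt = lambda flag: tok[tok.index(flag) + 1] if flag in tok else None
    return {"chain": opt("-A") or opt("-I"), "proto": opt("-p"), "dst": opt("-d"),
            "dport": opt("--dport"), "target": opt("-j"), "to": opt("--to-destination")}

def check_path(rules, hops, proto, port):
    """Track the destination address after each DNAT; list rules that cannot match it."""
    problems, dst = [], None
    for hop in hops:
        mine = [r for r in map(parse, rules[hop])
                if r["proto"] == proto and r["dport"] == str(port)]
        if hop == hops[-1]:  # final qube: INPUT must match the rewritten address
            if not any(r["chain"] == "INPUT" and r["dst"] == dst for r in mine):
                problems.append(f"{hop}: no {proto} INPUT rule with -d {dst}")
            break
        dnat = next((r for r in mine if r["target"] == "DNAT"), None)
        if dnat is None:
            problems.append(f"{hop}: no {proto} DNAT rule for port {port}")
            break
        if dst is not None and dnat["dst"] != dst:
            problems.append(f"{hop}: DNAT matches -d {dnat['dst']}, packet has {dst}")
        dst = dnat["to"]
        if not any(r["chain"] == "FORWARD" and r["dst"] == dst for r in mine):
            problems.append(f"{hop}: no {proto} FORWARD accept for -d {dst}")
    return problems

if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        print(proto, check_path(RULES, HOPS, proto, 51413) or "consistent")
```

On the lines as posted, the tcp check flags the INPUT rules in the last qube: they match -d 10.137.0.6, while the sys-firewall DNAT has already rewritten the destination to 10.137.0.19. The udp check stops at sys-net only because the post lists the tcp form of the DNAT and FORWARD commands.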




lik...@gmx.de

Oct 24, 2019, 4:07:27 PM
to qubes...@googlegroups.com
On 2019-10-24 16:49, 'anarcomnor' via qubes-users wrote:
> Hello dear qubers!
>
> I've been following this <https://qubes-os.org/doc/firewall> guide on how to open a port to the outside world with the intention of allowing Transmission to connect, but I'm struggling. Transmission does not find any peers and testing the port says it's closed. I've been following the guide very carefully and done the commands with both tcp and udp protocols. The port has been opened in the router.
I found this script very useful:
https://gist.github.com/Joeviocoe/6c4dc0c283f6d6c5b1a3f5af8793292b

anarcomnor

Oct 25, 2019, 10:29:32 AM
to lik...@gmx.de, qubes...@googlegroups.com
Thanks. I'm trying to use it, but I get permission denied for some reason when trying to copy it to dom0 even though I use the appropriate qvm-run --pass-io command... sudo doesn't help.


anarcomnor

Oct 25, 2019, 10:59:25 AM
to lik...@gmx.de, qubes...@googlegroups.com
I eventually managed to copy the script over to dom0 and run it, but it still doesn't work. The tracker gives the error message "Connection failed" or that "the requested download is not authorized" which doesn't make any sense. All I'm trying to do is download an iso from their official page on their own tracker.

Maybe this means I hadn't done it wrong myself after all and that there may be some other problem - or - it could be that all my previous attempts have caused an issue.

I would greatly appreciate any help on this!



