qubes-firewall-user-script seems not to work


evo

Mar 9, 2017, 1:49:43 PM
to qubes-users
Hey!

I've written some rules to /rw/config/qubes-firewall-user-script and
made it executable with "sudo chmod +x /rw/config/qubes-firewall-user-script", but I still
have the problem with some connections that I posted about there.

I did it in the VM I use in that case.

Here is one of the rules:
iptables -I FORWARD -s (the IP of the VM I use) -d (the IP of the
website with x.0.0.0/8) -p tcp --dport 443 -j ACCEPT

Any ideas?

Chris Laprise

Mar 9, 2017, 3:07:49 PM
to evo, qubes-users
Does the rule show up when you 'iptables -L'? If so, that would indicate
the script is working. Also, you can add a line like 'touch
/rw/config/TEST' to see if the script is working.



--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett

evo

Mar 9, 2017, 3:17:13 PM
to Chris Laprise, qubes-users
I've tested it on the Firewall-VM and I can see just the first rule I
wrote; the others are not there.

Chris Laprise

Mar 9, 2017, 3:36:13 PM
to evo, qubes-users
Seems to be a problem with iptables syntax. You can try running the
script manually to see if any errors are printed.

evo

Mar 9, 2017, 3:46:41 PM
to Chris Laprise, qubes-users
With "sudo sh qubes-firewall-user-script" nothing comes out, so it seems to
have no problems.

Strange: the lines were just copied from the first line, but only the
first line is activated.

Chris Laprise

Mar 9, 2017, 4:07:39 PM
to evo, qubes-users
Adding '-vv' to the commands will make them verbose.

evo

Mar 9, 2017, 4:12:03 PM
to Chris Laprise, qubes-users
With -vv it shows me the whole script in the terminal, without problems.

Hmm... wait... do I need "iptables -I" just one time at the beginning?
I think this is the mistake. I have it before every line.

Unman

Mar 9, 2017, 5:45:14 PM
to evo, Chris Laprise, qubes-users
Each line is evaluated separately, so you need the full command on each
line.

There's nothing wrong with the line you quoted.
Post another line - one that you think isn't implemented, or better
still the whole of the file.

unman

evo

Mar 9, 2017, 5:48:29 PM
to Unman, Chris Laprise, qubes-users
I looked at this rule and the thing was, it was also listed in the
standard firewall settings in the GUI. So no rule works in the script.

Unman

Mar 9, 2017, 5:58:42 PM
to evo, Chris Laprise, qubes-users
So post the lines that aren't working.

evo

Mar 9, 2017, 6:11:24 PM
to Unman, Chris Laprise, qubes-users
iptables -I FORWARD -s 10.137.x.x -d x.0.0.0/8 -p tcp --dport 443 -j ACCEPT

iptables -I FORWARD -s 10.137.x.x -d x.0.0.0/8 -p tcp --dport 80 -j ACCEPT

And so on.

The source IP is always the same, because it comes from the same VM; the
dest. IP in the above case is the same too, because it should allow
443 and 80 on the same website.

Can this be a problem, the same dest. IPs and different ports in two
entries? Must I write it in one entry with two ports? If yes, then how?

Unman

Mar 9, 2017, 6:36:55 PM
to evo, Chris Laprise, qubes-users
Those are fine, and both work exactly as expected in
qubes-firewall-user-script.

What template are you using?

Just to be absolutely sure, you are using these in
qubes-firewall-user-script on the firewall, and you are triggering the
change by connecting a qube to the firewall? Yes?

What happens if you simply run the script?
/rw/config/qubes-firewall-user-script

On combining, you can use multiport, like this:
iptables -I FORWARD -m multiport -p tcp --dports 80,443 -j ACCEPT
You can use up to 15 ports, and include ranges, like 20:25 - that covers
6 ports but only counts as 2 toward the limit.



evo

Mar 9, 2017, 7:01:30 PM
to Unman, Chris Laprise, qubes-users
Debian 8 is the template.

Oh... I think I understand the problem :D
I used the script on the App-VM and not on the FW-VM.

So the problem is clear now. Sometimes these are just simple things.

Multiport is a good option.
Thanks and good night!
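As an added example (not code from the thread or from the Qubes project), here is a dry-run-capable /rw/config/qubes-firewall-user-script that folds evo's two FORWARD rules into the single multiport rule Unman suggested, refuses lists that exceed the 15-port multiport limit (a range counts as two), drops the `touch /rw/config/TEST` marker Chris proposed so you can see the script ran, and prints the rules instead of loading them when not run as root with iptables available. The addresses 10.137.2.5 and 203.0.113.0/24 are constructed sample values; the `qubesdb-read /qubes-vm-type` check is an assumption about Qubes 3.x, where a firewall qube reports itself as ProxyVM, and exists only to catch the mistake the thread ended on (running the script in the AppVM rather than the firewall qube).

```shell
#!/bin/sh
# Added example for the thread above, not the project's own script.
# Install on the FIREWALL qube as /rw/config/qubes-firewall-user-script
# (chmod +x). Set IPTABLES=echo to print rules instead of loading them.
IPTABLES="${IPTABLES:-iptables}"

# Cost of a --dports list toward the multiport limit of 15:
# a single port costs 1, a range a:b costs 2.
multiport_cost() {
    _list=$1; _cost=0
    _oldifs=$IFS; IFS=,
    for _p in $_list; do
        case $_p in
            *:*) _cost=$((_cost + 2)) ;;
            *)   _cost=$((_cost + 1)) ;;
        esac
    done
    IFS=$_oldifs
    echo "$_cost"
}

# allow_tcp SRC DST PORTS: one FORWARD rule for SRC -> DST on the TCP PORTS list.
# Returns 1 without emitting anything if PORTS would be rejected by multiport.
allow_tcp() {
    _src=$1; _dst=$2; _ports=$3
    if [ "$(multiport_cost "$_ports")" -gt 15 ]; then
        echo "allow_tcp: '$_ports' exceeds the 15-port multiport limit" >&2
        return 1
    fi
    "$IPTABLES" -I FORWARD -s "$_src" -d "$_dst" -p tcp \
        -m multiport --dports "$_ports" -j ACCEPT
}

# Assumption (Qubes 3.x): qubesdb reports a firewall qube as ProxyVM.
# Rules loaded in an AppVM's own copy of this script never see the
# forwarded traffic, which is what went wrong in the thread.
warn_if_not_firewall() {
    command -v qubesdb-read >/dev/null 2>&1 || return 0
    _type=$(qubesdb-read /qubes-vm-type 2>/dev/null)
    case $_type in
        ProxyVM|NetVM) ;;
        *) echo "warning: this qube is '$_type', not a firewall/proxy qube" >&2 ;;
    esac
}

apply_rules() {
    warn_if_not_firewall
    # Marker file: `ls /rw/config/TEST` afterwards proves the script ran.
    [ -d /rw/config ] && touch /rw/config/TEST
    # Constructed sample: 10.137.2.5 is the downstream AppVM,
    # 203.0.113.0/24 (RFC 5737 documentation range) the destination.
    allow_tcp 10.137.2.5 203.0.113.0/24 80,443
    allow_tcp 10.137.2.5 203.0.113.0/24 20:25,993
}

# When Qubes runs this as root on the firewall qube the rules are loaded;
# anywhere else they are printed, which is also how to check the script by
# hand: sh /rw/config/qubes-firewall-user-script
if [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
    IPTABLES=echo
fi
apply_rules
```

After a qube is connected to the firewall, `sudo iptables -L FORWARD -n` on the firewall qube should show the two multiport ACCEPT lines near the top of the chain (they are inserted with -I), and /rw/config/TEST should exist.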