Hi Unman and Daniel,
Thank you for your detailed and quick responses. I have attempted to follow the instructions but have not had much luck yet. Some responses first:
> 4) The firewall and routing rules can be displayed using standard Linux
> commands: iptables and ip route. (I'm not sure exactly what you are
> looking for with this question.) Any changes that you make to a qube
> will be reset on reboot UNLESS you explicitly make changes in /rw/config
> using rc.local and the qubes-firewall script, or use some other
> mechanism.
Thanks - I have now rebooted so at least previous changes I have made will not affect the new commands I input.
> 3) qubes are connected through a netvm - the default firewall rules
> there prohibit traffic between qubes connected downstream: in the
> FORWARD chain is -
> DROP all vif+ vif+
Great, makes sense.
> The rules you have entered to allow forwarding are for traffic to port
> 443. You don't seem to have either ping (icmp) or telnet (tcp port 23)
> enabled.
I have now held off adding these. Ultimately, I don't need to connect externally, so I probably jumped ahead here and added extra complexity.
> 1. You haven't allowed return traffic from the Debian qube.
> Put in an ACCEPT FORWARD rule as you have with source and destination
> reversed.
I have now added this step after a reboot but no luck.
Below is a copy of the iptables lists with the before and after results:
BEFORE - FIREWALL
[user@sys-firewall ~]$ sudo iptables -L -vx
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- vif+ any anywhere anywhere udp dpt:bootpc
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- vif0.0 any anywhere anywhere
0 0 DROP all -- vif+ vif+ anywhere anywhere
0 0 ACCEPT udp -- any any 10.137.2.19 gateway udp dpt:domain
0 0 ACCEPT udp -- any any 10.137.2.19 10.137.1.254 udp dpt:domain
0 0 ACCEPT tcp -- any any 10.137.2.19 gateway tcp dpt:domain
0 0 ACCEPT tcp -- any any 10.137.2.19 10.137.1.254 tcp dpt:domain
0 0 ACCEPT icmp -- any any 10.137.2.19 anywhere
0 0 DROP tcp -- any any 10.137.2.19 10.137.255.254 tcp dpt:us-cli
0 0 ACCEPT all -- any any 10.137.2.19 anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
AFTER - FIREWALL
[user@sys-firewall ~]$ sudo iptables -L -vx
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- vif+ any anywhere anywhere udp dpt:bootpc
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
116 9277 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- any any 10.137.2.19 10.137.2.18
0 0 ACCEPT all -- vif0.0 any anywhere anywhere
0 0 DROP all -- vif+ vif+ anywhere anywhere
0 0 ACCEPT udp -- any any 10.137.2.19 gateway udp dpt:domain
0 0 ACCEPT udp -- any any 10.137.2.19 10.137.1.254 udp dpt:domain
0 0 ACCEPT tcp -- any any 10.137.2.19 gateway tcp dpt:domain
0 0 ACCEPT tcp -- any any 10.137.2.19 10.137.1.254 tcp dpt:domain
0 0 ACCEPT icmp -- any any 10.137.2.19 anywhere
0 0 DROP tcp -- any any 10.137.2.19 10.137.255.254 tcp dpt:us-cli
0 0 ACCEPT all -- any any 10.137.2.19 anywhere
8 536 ACCEPT udp -- any any 10.137.2.18 gateway udp dpt:domain
0 0 ACCEPT udp -- any any 10.137.2.18 10.137.1.254 udp dpt:domain
0 0 ACCEPT tcp -- any any 10.137.2.18 gateway tcp dpt:domain
0 0 ACCEPT tcp -- any any 10.137.2.18 10.137.1.254 tcp dpt:domain
0 0 ACCEPT icmp -- any any 10.137.2.18 anywhere
0 0 DROP tcp -- any any 10.137.2.18 10.137.255.254 tcp dpt:us-cli
16 1216 ACCEPT all -- any any 10.137.2.18 anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
BEFORE - DEBIAN 8 AppVM
user@work-apps:~$ sudo iptables -L -vx
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- vif+ any anywhere anywhere udp dpt:bootpc
49 3688 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- vif+ any anywhere anywhere
1 52 ACCEPT all -- lo any anywhere anywhere
0 0 REJECT all -- vif+ any anywhere anywhere reject-with icmp-host-prohibited
16 2678 DROP all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DROP all -- vif+ vif+ anywhere anywhere
0 0 ACCEPT all -- vif+ any anywhere anywhere
0 0 DROP all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 71 packets, 6762 bytes)
pkts bytes target prot opt in out source destination
AFTER - DEBIAN 8 AppVM
user@work-apps:~$ sudo iptables -L -vx
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any 10.137.2.19 anywhere
0 0 DROP udp -- vif+ any anywhere anywhere udp dpt:bootpc
165 567437 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- vif+ any anywhere anywhere
1 52 ACCEPT all -- lo any anywhere anywhere
0 0 REJECT all -- vif+ any anywhere anywhere reject-with icmp-host-prohibited
21 3043 DROP all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- any any 10.137.2.18 10.137.2.19
0 0 DROP all -- vif+ vif+ anywhere anywhere
0 0 ACCEPT all -- vif+ any anywhere anywhere
0 0 DROP all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
I have only started the relevant VMs to keep it as simple as possible and I have also provided the Kernel IP routing tables in case the virtual interface assignment is related to these rules:
[user@sys-firewall ~]$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.137.1.1 0.0.0.0 UG 0 0 0 eth0
10.137.1.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
10.137.2.18 0.0.0.0 255.255.255.255 UH 32744 0 0 vif8.0
10.137.2.19 0.0.0.0 255.255.255.255 UH 32746 0 0 vif6.0
I used the above vif numbers for the instructions from Daniel, which I followed in a previous attempt to fix my inter-VM networking (sysctl -w net/ipv4/conf/vifX.0/proxy_arp=1 <= where vifX.0 are the interfaces to the VMs you want to network), and succeeded in identifying a broadcast MAC, but this didn't allow successful pinging from Windows 7 to the Debian 8 VM by itself. Was there a further step I was missing?
I have read up on iptables configuration to see if I can understand this further, but I can't see what I am doing incorrectly. My firewall rules seem quite encompassing, i.e. input rule 2 allows any protocol and states it will accept data from the IP address of my Windows VM and send this on to the Debian AppVM. I presume that the order of rules should influence the routing, and that this would not be based on which packets match more criteria in the table?
Thanks again and apologies if I am requiring baby steps here.
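On the rule-order question raised in the message above: iptables walks a chain top-down and the first rule whose conditions all fit delivers the verdict; a later rule is never preferred for being more specific. The following example is added here and is not code from the thread: it parses the sys-firewall FORWARD chain as pasted above (the `iptables -L -vx` format) and walks a packet through it first-match style. The packet itself is an assumption (a new ICMP echo from 10.137.2.19 on vif6.0 to 10.137.2.18 on vif8.0, interfaces taken from the `route -n` output).

```python
import re

# Constructed sample: the sys-firewall FORWARD chain from the "AFTER" listing
# in the message above, trimmed to the rules that matter for the question.
CHAIN = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
116 9277 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- any any 10.137.2.19 10.137.2.18
0 0 ACCEPT all -- vif0.0 any anywhere anywhere
0 0 DROP all -- vif+ vif+ anywhere anywhere
0 0 ACCEPT all -- any any 10.137.2.19 anywhere
"""

def parse_chain(text):
    """Parse one chain of `iptables -L -vx` output into (policy, rule list)."""
    lines = text.strip().splitlines()
    policy = re.match(r"Chain \S+ \(policy (\w+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:                      # skip chain header and column header
        f = line.split()
        rules.append(dict(target=f[2], proto=f[3], in_if=f[5], out_if=f[6],
                          src=f[7], dst=f[8], extra=" ".join(f[9:])))
    return policy, rules

def iface_match(pattern, iface):
    """'any' matches all, 'vif+' is a prefix wildcard, otherwise exact match."""
    if pattern == "any":
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface

def verdict(policy, rules, pkt):
    """Walk the chain top-down; the first rule whose conditions all fit decides.
    Returns (target, 1-based rule index) or (chain policy, None) if nothing matched."""
    for i, r in enumerate(rules, 1):
        if "ctstate" in r["extra"] and not pkt.get("established", False):
            continue                            # new connection: conntrack rule does not apply
        if r["proto"] not in ("all", pkt["proto"]):
            continue
        if (iface_match(r["in_if"], pkt["in_if"]) and iface_match(r["out_if"], pkt["out_if"])
                and r["src"] in ("anywhere", pkt["src"]) and r["dst"] in ("anywhere", pkt["dst"])):
            return r["target"], i
    return policy, None

# Assumed packet: a new ICMP echo from the Windows qube (10.137.2.19 on vif6.0)
# towards the Debian qube (10.137.2.18 on vif8.0), interfaces as in `route -n` above.
PING = dict(proto="icmp", in_if="vif6.0", out_if="vif8.0", src="10.137.2.19", dst="10.137.2.18")

if __name__ == "__main__":
    policy, rules = parse_chain(CHAIN)
    print(verdict(policy, rules, PING))                   # inserted rule 2 accepts it
    print(verdict(policy, rules[:1] + rules[2:], PING))   # without it, 'DROP vif+ vif+' wins
    print(verdict(policy, rules, dict(PING, src="10.137.2.18", dst="10.137.2.19",
                                      in_if="vif8.0", out_if="vif6.0")))  # reverse direction: DROP
```

Note that the inserted ACCEPT rule's counters in the listing above read 0 packets, which suggests the Windows traffic is not arriving at sys-firewall's FORWARD chain at all rather than being stopped by rule order there.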