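#!/bin/sh
# qvm-portfwd: expose a port of a Qubes VM through every NetVM/ProxyVM in its
# chain. The two helpers below query dom0 (qvm-ls / qvm-prefs); the iptables
# work itself is executed as root inside the VMs through qvm-run.

# Qubes 4.0 form, kept for reference (4.1 renamed the column selector):
#ip() { qvm-ls --raw-data ip -- "$1"; }

# Print the IP address of VM $1 (Qubes 4.1 qvm-ls syntax).
# qvm-ls prints the placeholder "None" for a VM without an address; that is
# normalised to an empty string here so callers can rely on -z/-n tests and
# never splice the literal word "None" into an iptables rule.
# Returns non-zero (printing nothing) when qvm-ls fails, e.g. unknown VM.
# NOTE: this shadows the ip(8) command name within this script; ip(8) is not
# otherwise used here.
ip() {
  local addr
  addr=$(qvm-ls --raw-data --fields ip -- "$1") || return 1
  [ "X$addr" = XNone ] && addr=
  printf '%s\n' "$addr"
}

# Print the NetVM of VM $1. The chain walk below treats empty output as
# "no NetVM", which is what qvm-prefs -g is expected to produce in that case.
netvm() { qvm-prefs -g -- "$1" netvm; }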
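# Install the DNAT + FORWARD rules that pass traffic arriving on the outward
# interface of $1 (a NetVM/ProxyVM) to VM $2 on port $3, protocol $4.
# $3 may be anything iptables accepts for --dport (e.g. "22" or "1714:1764").
# Runs iptables as root inside $1 via qvm-run and prints a summary on stderr.
# Returns 1 without touching the VM when the external interface or the target
# IP cannot be determined: with either value empty the following option would
# be swallowed as its argument and a malformed or mis-targeted rule installed.
forward() {
  local from_domain to_domain port type from_ip to_ip iface dst_match
  from_domain=$1
  to_domain=$2
  port=$3
  type=$4
  from_ip=$(ip "$from_domain")
  to_ip=$(ip "$to_domain")
  # Outward interface: first non-vif, non-lo interface that has an address
  # line ("broadcast" on ifconfig's inet line). Works for wired and wireless
  # uplinks alike, which a hard-coded "eth0"/"enp0s0" would not.
  iface=$(qvm-run -p -u root "$from_domain" \
    "ifconfig | grep cast -B 1 --no-group-separator | grep -vE '^(vif|lo)' | grep -oE '^[^: ]+' | head -1")
  # qvm-ls reports "None" for a VM without an IP; treat it as unset rather
  # than passing the literal string to iptables.
  [ X"$from_ip" = XNone ] && from_ip=
  [ X"$to_ip" = XNone ] && to_ip=
  if [ -z "$iface" ]; then
    echo "$from_domain: could not determine the external interface, not forwarding" >&2
    return 1
  fi
  if [ -z "$to_ip" ]; then
    echo "$from_domain: $to_domain has no IP address, not forwarding" >&2
    return 1
  fi
  echo "$from_domain: forwarding on $iface port $port to $to_domain ($from_ip -> $to_ip)" >&2
  # Only constrain the destination when the NetVM itself has an address.
  dst_match=${from_ip:+-d $from_ip}
  qvm-run -p -u root "$from_domain" \
    "iptables -t nat -A PREROUTING -i $iface -p $type --dport $port $dst_match -j DNAT --to-destination $to_ip"
  # Position 2 in FORWARD is inherited from the original script; it assumes
  # the chain layout Qubes installs in NetVMs (the rule must land before the
  # default drop). NOTE(review): confirm the position on your release.
  qvm-run -p -u root "$from_domain" \
    "iptables -I FORWARD 2 -i $iface -d $to_ip -p $type --dport $port -m conntrack --ctstate NEW -j ACCEPT"
}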
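# Accept new inbound connections to port $2, protocol $3, in VM $1 itself
# (the final hop of the chain). Runs iptables as root in $1 via qvm-run.
# Returns 1 without running anything if the port or protocol is empty: an
# empty protocol would make "-p" swallow "--dport" and iptables reject the
# rule inside the VM, with the error only visible in qvm-run's output.
input() {
  local domain port type
  domain=$1
  port=$2
  type=$3
  if [ -z "$port" ] || [ -z "$type" ]; then
    echo "$domain: port and protocol are required" >&2
    return 1
  fi
  echo "$domain: allowing input to port $port" >&2
  # Position 5 in INPUT is inherited from the original script and assumes the
  # chain layout Qubes installs in VMs. NOTE(review): confirm the rule lands
  # before the default drop on your release.
  qvm-run -p -u root "$domain" \
    "iptables -I INPUT 5 -p $type --dport $port -m conntrack --ctstate NEW -j ACCEPT"
}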
# Walk outward from VM $1 through its NetVM chain and install forwarding
# rules for port $2 / protocol $3 in each NetVM, innermost first: every hop
# forwards to the VM directly inside it. Stops at the first VM without a
# NetVM (netvm prints nothing).
recurse_netvms() {
  local inner outer port type
  inner=$1
  port=$2
  type=$3
  outer=$(netvm "$inner")
  while [ -n "$outer" ]; do
    forward "$outer" "$inner" "$port" "$type"
    inner=$outer
    outer=$(netvm "$inner")
  done
}
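# Print the synopsis on stderr and exit 1. The script accepts an optional
# third argument (the protocol), which the previous message did not mention;
# the port may be a single number or an iptables "low:high" range.
usage() {
  echo "Usage: ${0##*/} <vm> <port> [proto]" >&2
  exit 1
}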
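# --- argument handling -------------------------------------------------------
# <vm> <port> [proto]; proto defaults to tcp. The previous version assigned
# type=$type in the empty case, which left it empty so that "-p" swallowed
# "--dport" in every iptables invocation inside the VMs.
[ $# -eq 2 ] || [ $# -eq 3 ] || usage
vm=$1
port=$2
type=${3:-tcp}
# Both values are spliced into a root shell command line inside each VM, so
# admit only what iptables needs: a port number or a "low:high" range, and a
# plain protocol name. Spaces, quotes or extra options are refused.
case $port in
  ''|*[!0-9:]*|:*|*:|*:*:*) usage ;;
esac
case $type in
  ''|*[!a-z0-9]*) usage ;;
esac
input "$vm" "$port" "$type"
recurse_netvms "$vm" "$port" "$type"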
Created an updated version of Joeviocoe's qvm-portfwd for Qubes 4.0 (tested on RC4).
qvm-portfwd <vm> <port> <proto> | <vm> clear all
Example: qvm-portfwd webserv 8888 tcp
On the command line, specify the VM, port and protocol, or just `<vm> clear all` to undo the previous configuration.
Script will recursively configure iptables/nft for all proxyVMs in use.
Now tags its rules with iptables comments so previous entries can be found and removed (no duplicates).
Works with Fedora 25/26, which uses nft rules alongside iptables.
Works with Debian 8/9 too
Now, I also created a script:
https://github.com/niccokunzmann/qvm-expose-port
When reading the documentation I could not find an official command for this.
I was wondering if we can join forces to create an official qubes command QubesOS/qubes-issues#4028.
What do you think?
It's a good idea to get it integrated into Qubes, but @niccokunzmann's script doesn't work in Qubes 4, so maybe Joeviocoe's should be used instead?
https://gist.github.com/Joeviocoe/90ec9fd9a0769b4671a8ae9c87584187 - this one works for TCP.
https://gist.github.com/fepitre/941d7161ae1150d90e15f778027e3248 - this works with R4.1
Thank you so much, I was not aware of `qvm-ls --raw-data` or `qvm-prefs`.
I've made some small updates and invoke it like:
qvm-port-forward.sh personal 1714:1764
qvm-port-forward.sh personal 1714:1764 udp
for KDE Connect.
Updated the interface grep to key on the "broadcast" line of ifconfig's output, since I'm on Wi-Fi most of the time rather than on a fixed enp0s0 interface.