Title: Script NAT on Qubes OS
Author: Solène
Date: 06 March 2024
Tags: qubesos unix network
Description: In this article, I'm sharing a script I wrote to easily expose a given network port of a qube to the local network

# Introduction

As a daily Qubes OS user, I often feel the need to expose a port of a given qube to my local network. However, the process is quite painful because it requires writing the NAT rules on each layer (usually net-vm => sys-firewall => qube), which is a lot of wasted time.

I wrote a simple script, to be run from dom0, that does the whole job: it opens the ports on the qube and, for each NetVM in the chain, opens and redirects the ports.

Qubes OS Nat git repository
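The chain walk described above, as an added sketch that is not Solène's nat.sh: it resolves the NetVM chain of a qube with `qvm-prefs`, then emits one accept rule on the qube and, on every NetVM, a forward rule plus a DNAT towards the hop one step closer to the qube. The nftables chain names (`custom-input`, `custom-forward` in the `ip qubes` table, and a `custom-dnat-<qube>` chain it creates itself) are assumed from the Qubes 4.2 layout; adjust them to your release, and set `DRY_RUN=1` to only print what would run.

```shell
#!/bin/sh
# Hypothetical sketch of the dom0 chain walk, not the article's script.
# Usage: ./nat-sketch.sh <qube> <port> <tcp|udp>   (run from dom0)
set -eu

# NetVM of a qube; prints nothing at the edge (the outermost NetVM).
lookup_netvm() { qvm-prefs "$1" netvm 2>/dev/null || true; }
# IP a qube has on its NetVM's side, the DNAT target one hop upstream.
lookup_ip()    { qvm-prefs "$1" ip; }

# Chain from the qube outward, e.g. "myqube sys-firewall sys-net".
netvm_chain() {
    vm=$1; chain=""
    while [ -n "$vm" ]; do
        chain="$chain${chain:+ }$vm"
        vm=$(lookup_netvm "$vm")
    done
    echo "$chain"
}

# Emit "<vm>|<command>" lines: open the port on the qube itself, then on
# each NetVM forward and DNAT it to the previous (inner) hop's IP.
plan() {
    qube=$1 port=$2 proto=$3
    prev=""
    for vm in $(netvm_chain "$qube"); do
        if [ -z "$prev" ]; then
            echo "$vm|nft add rule ip qubes custom-input $proto dport $port accept"
        else
            ip=$(lookup_ip "$prev")
            echo "$vm|nft add rule ip qubes custom-forward ip daddr $ip $proto dport $port accept"
            echo "$vm|nft add chain ip qubes custom-dnat-$qube '{ type nat; hook prerouting; priority -100; policy accept; }'"
            echo "$vm|nft add rule ip qubes custom-dnat-$qube $proto dport $port dnat to $ip"
        fi
        prev=$vm
    done
}

# Run each command as root inside its VM; DRY_RUN=1 only prints them.
apply() {
    plan "$@" | while IFS='|' read -r vm cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "[$vm] $cmd"
        else qvm-run -u root --pass-io "$vm" "$cmd"; fi
    done
}

if [ $# -eq 3 ]; then apply "$@"; fi
```

Like the original script, this changes nothing persistently: the nft rules vanish when the VMs restart.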
# Usage

It's quite simple to use; the hardest part will be to remember how to copy it to dom0 (download it in a qube and use `qvm-run --pass-io` from dom0 to retrieve it).

Make the script executable with `chmod +x nat.sh`. Now, if you want to redirect the port 443 of a qube, you can run `./nat.sh qube 443 tcp`. That's all.

Be careful, the changes ARE NOT persistent. This is on purpose: if you want to always expose ports of a qube to your network, you should script its netvm accordingly.

# Limitations

The script does not alter the firewall rules handled by `qvm-firewall`; it only opens the ports and redirects them (this happens at a different level). This can be cumbersome for some users, but I decided not to touch rules that are hard-coded by users in order not to break any expectations.

Running the script should not break anything. It works for me, but it was only slightly tested.

# Some useful ports

## Avahi daemon port

The avahi daemon uses the UDP port 5353. You need this port to discover devices on a network. This can be particularly useful to find network printers or scanners and use them in a dedicated qube.

# Evolutions

It could be possible to use this script in qubes-rpc, which would allow any qube to ask for a port forwarding. I was going to write it this way at first, but then I thought it may be a bad idea to allow a qube to run a dom0 script as root that requires reading some untrusted inputs, but your mileage may vary.