On Tuesday, March 17, 2020 at 9:25:27 PM UTC-5, unman wrote:
>
> On Tue, Mar 17, 2020 at 12:13:57PM -0700, arthur...@gmail.com wrote: 
> > 
> > 
> > The command you listed: 
> > iifname "vif*" oifname "vif*" accept 
> > 
> > Is that a proper iptables rule, or are there placeholders in there that I 
> > need to change specific to my system? Since iptables syntax is rather 
> > unclear to me, I want to be sure before I go running things in my 
> > sys-firewall. Shouldn't it be something like this? 
> > sudo iptables -A FORWARD -i "vif*" -o "vif*" -j ACCEPT 
> > 
> > Then, in each one of my client qubes, I would run something like this: 
> > sudo iptables -I INPUT -i "vif*" -j ACCEPT 
> > 
>
> Sorry Arthur, that's nftables syntax. 
> For iptables, you would want: 
> `sudo iptables -I FORWARD -i "vif*" -o "vif*" -j ACCEPT` 
> because you want that rule to PRECEDE the existing one that blocks 
> traffic. 
>
> For nftables I would rewrite the FORWARD chain and atomically rewrite it at 
> sys-firewall startup. 
> You can do this by using the scripts in /rw/config. 
>

For posterity's sake, this is what worked (please correct me if I'm adding 
something that is incorrect or potentially dangerous). On sys-firewall, I 
added this:
sudo iptables -I FORWARD 2 -s 10.137.0.0/24 -d 10.137.0.0/24 -j ACCEPT

Then, on each qube I want to allow network access, I added this:
sudo iptables -I INPUT -s 10.137.0.0/24 -j ACCEPT

It seems to work just fine. Thanks for your help, unman! 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/21354887-3ae3-4d4d-af94-1a4ad9cf5d31%40googlegroups.com.
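The rules above are typed by hand and vanish when sys-firewall or the client qube restarts; unman's hint was to put them in the /rw/config scripts so they come back at boot. The helper below is an added example (not code from the thread or from the Qubes project) that does that for both sides of the thread: it keeps the poster's rule positions (FORWARD position 2 in sys-firewall, INPUT position 1 in the client) but narrows the /24-to-/24 rule to one source qube, one destination qube and one port, and uses `iptables -C` so re-running it at every boot does not stack duplicate rules. It assumes the iptables backend the thread is using and the 10.137.0.0/24 range the poster quoted; the qube addresses 10.137.0.21 and 10.137.0.22 and the tcp/22 service are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example, not from the thread or the Qubes project.
# Intended for /rw/config/qubes-firewall-user-script in sys-firewall (run it
# with the argument "firewall") and /rw/config/rc.local in the client qube
# (argument "client"). Assumes the iptables backend the thread discusses;
# the IPs 10.137.0.21 / 10.137.0.22 and port 22 are placeholders.
set -eu

IPTABLES="${IPTABLES:-iptables}"   # point this at a stub to dry-run without root

# Insert a rule at POS in CHAIN unless an identical rule already exists.
# iptables -C exits 0 when the rule is present, so running this script on
# every boot leaves exactly one copy of each rule instead of a growing pile.
ensure_rule() {
    chain="$1"; pos="$2"; shift 2
    if ! "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        "$IPTABLES" -I "$chain" "$pos" "$@"
    fi
}

# sys-firewall side. Position 2 is where the poster's working rule sat:
# after the first FORWARD rule, ahead of the rule that otherwise blocks
# traffic between client qubes. Confirm the numbering on your own system
# with: iptables -L FORWARD -n --line-numbers
# Only new connections from SRC to DST are opened; replies are already
# covered by the existing conntrack ACCEPT at the top of the chain.
allow_pair() {   # $1 src qube IP, $2 dst qube IP, [$3 proto, $4 dst port]
    src="$1"; dst="$2"
    if [ $# -ge 4 ]; then
        ensure_rule FORWARD 2 -s "$src" -d "$dst" -p "$3" --dport "$4" -j ACCEPT
    else
        ensure_rule FORWARD 2 -s "$src" -d "$dst" -j ACCEPT
    fi
}

# Client side. The qube's own INPUT chain drops new inbound connections, so
# it needs an ACCEPT for the peer as well, inserted at the top as the
# poster did. Narrowing it to one peer and one port is the only change.
allow_inbound() {   # $1 peer qube IP or subnet, [$2 proto, $3 dst port]
    if [ $# -ge 3 ]; then
        ensure_rule INPUT 1 -s "$1" -p "$2" --dport "$3" -j ACCEPT
    else
        ensure_rule INPUT 1 -s "$1" -j ACCEPT
    fi
}

case "${1:-}" in
    firewall)   # in sys-firewall: let 10.137.0.21 reach ssh on 10.137.0.22
        allow_pair 10.137.0.21 10.137.0.22 tcp 22 ;;
    client)     # in the qube that owns 10.137.0.22
        allow_inbound 10.137.0.21 tcp 22 ;;
    *)
        echo "usage: $0 firewall|client" >&2 ;;
esac
```

Set `IPTABLES=echo` to see the exact commands the script would issue before trusting it with a real sys-firewall, and rerun it twice against the live firewall to confirm the `-C` guard keeps the rule count flat. If you do want the poster's broader behaviour, `allow_pair 10.137.0.0/24 10.137.0.0/24` and `allow_inbound 10.137.0.0/24` reproduce the two rules from the message, with the same caveat that every client qube can then reach every other.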