Re: [qubes-users] Trouble with enabling networking between two Vms

2016-10-23 Thread Daniel Wilcox
Hi Max, so it looks like you started getting complicated quick.  I think
your first attempt should be fine actually, with one modification.

1) insert a rule at the top of the forwarding table (above 3) accepting
connections between the two, as you did
2) try an 'arping' command between the two and you'll probably see no
response -- in which case, turn on 'proxy_arp' for each of the interfaces
in question in the firewall:

sysctl -w net/ipv4/conf/vifX.0/proxy_arp=1  <= where vifX.0 are the
interfaces to the VMs you want to network

Then if you do 'arping' it should return the broadcast MAC
(fe:ff:ff:ff:ff:ff) and the firewall should route packets between your
VMs.  Hope that's helpful, cheers,

=D

On Sun, Oct 23, 2016 at 2:11 AM, Max wrote:

> Hi,
>
> I am a new user of Qubes OS so apologies in advance if the question here
> has been answered already in a separate topic (there are similar issues)
> and I haven’t discovered this or it is not one suited to this mailing list.
> I am running Qubes 3.2 and attempting to ping from one VM to another VM,
> specifically from a Standalone Windows 7 VM to a Qubes VM based on the
> Debian 8 template.
>
> All my VM’s were initially connected in the default manner i.e. to a
> sys-firewall and through to the sys-net VM, both of which are Fedora 23.
> There are no firewall rules on these VMs restricting which IP addresses can
> be accessed.
>
> Current status:
> - I am able to ping from my Windows 7 VM (10.137.2.19) to the Firewall VM
> (10.137.1.8) using the IP address visible in the VM Manager
>
> - I am unable to ping the Debian 8 VM (10.137.2.18) from my Windows VM.
>
> Steps taken:
> 1) I followed the instructions here (https://www.qubes-os.org/doc/
> qubes-firewall/#enabling-networking-between-two-vms) and in the firewall
> VM’s terminal enter the following iptables rule...
>
> sudo iptables -I FORWARD 2 -s <IP of Windows 7 VM> -d <IP of Debian 8 VM> -j ACCEPT
>
> … In VM B’s terminal (Debian 8) I entered the following iptables rule...
>
> sudo iptables -I INPUT -s <IP of Windows 7 VM> -j ACCEPT
>
> ...but from here when using the ping function to my Debian 8 VM in the cmd
> prompt in Windows, all packets were lost.
>
> 2) As this was not successful I attempted to see if I could connect to VMs
> from an external machine and followed the instructions here
> https://www.qubes-os.org/doc/qubes-firewall/#port-
> forwarding-to-a-vm-from-the-outside-world.
>
> The Eth0 IP address (192.168.1.6) appeared to be what I should expose the
> service to.
>
> I put the below rule in the sys-net VM’s Terminal...
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 192.168.x.x -j
> DNAT --to-destination 10.137.1.x
>
> ...and this rule into the sys-firewall VM’s Terminal
>
> iptables -I FORWARD 2 -i eth0 -d 10.137.1.x -p tcp --dport 443 -m
> conntrack --ctstate NEW -j ACCEPT
>
> But using ping or Telnet resulted in lost packets and failed to increase
> the counters when using the iptables -t nat -L -v -n command in the
> sys-firewall VM's terminal.
>
> 3) With this not being successful either I attempted to add a “sys-proxy”
> VM as described here https://groups.google.com/
> forum/#!searchin/qubes-users/intervm%7Csort:relevance/
> qubes-users/lA2SgPcV9fU/U969uapYAAAJ and entered the following in the new
> sys-proxy VM's terminal:
>
> iptables -I FORWARD 1 -i vif+ -o vif+ -s $intervm_internalnet/24 -d
> $intervm_internalnet/24 -m state --state NEW -p tcp -m tcp -j ACCEPT
>
> iptables -I FORWARD 1 -i vif+ -o vif+ -s $intervm_internalnet/24 -d
> $intervm_internalnet/24 -p udp -m udp -j ACCEPT
>
> After this, I was still unable to ping the Debian 8 VM from my Windows VM.
>
> Questions:
>
> 1) Are there any obvious errors in the steps I took and does anyone have
> any suggestions how I can resolve this issue?
>
> 2) There are a number of other incidences of what seemed to be a similar
> issue here: https://groups.google.com/forum/?nomobile=true#!msg/
> qubes-users/59kOjfQFBI4/bjS47-jJJgAJ, https://groups.google.com/
> forum/#!msg/qubes-users/vSyUaOSloYU/ONZNJlhrBAAJ. Are the enabling
> networking between VMs steps described here still correct and applicable
> for Qubes 3.2?
>
> 3) The IP address assignment suggests that the VMs are on the same network
> – the Subnet Mask is 255.255.255.0 so surely any devices with an IP address
> of 10.137.2.x would be able to communicate with each other? What is unique
> in Xen / Qubes that stops this?
>
> 4) Is there a way in which the current routing rules can be displayed and
> reset back to the default if required?
>
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/qubes-users/0514e15b-950e-4636-95f7-849fc5671fc1%40googlegroups.com.
> For more options
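Putting the two steps above into one script, as an added example that is not from the thread or from Qubes itself: it assumes the usual Qubes 3.x firewall VM layout (a /32 route per downstream VM through its vif, so "ip route get" names the interface) and the rule position Daniel describes; vif_from_route, vif_for, intervm_cmds and intervm_apply are names chosen here. The same approach applies to the Linux/Windows HVM thread below.

```shell
#!/bin/sh
# Added helper for a Qubes 3.x firewall VM: let two downstream VMs reach each
# other. Assumes the firewall VM holds the usual per-VM /32 route, so
# "ip route get <vm ip>" names the vif that VM hangs off (assumption).
set -eu

# vif_from_route: reads one "ip -o route get" line on stdin, prints the dev.
vif_from_route() {
    sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# vif_for IP: the vif interface the firewall VM reaches IP through.
vif_for() {
    ip -o route get "$1" | vif_from_route
}

# intervm_cmds IP_A IP_B VIF_A VIF_B: print the commands, one per line,
# so they can be reviewed before anything is executed.
intervm_cmds() {
    ip_a=$1; ip_b=$2; vif_a=$3; vif_b=$4
    # Accept both directions explicitly; the thread only adds A->B and relies
    # on the conntrack ESTABLISHED rule for the replies, which also works.
    for pair in "$ip_a $ip_b" "$ip_b $ip_a"; do
        set -- $pair
        # -C tests for an identical rule first, so re-running stays idempotent
        # (position 2 = above the default inter-vif DROP, as in the thread).
        echo "iptables -C FORWARD -s $1 -d $2 -j ACCEPT 2>/dev/null" \
             "|| iptables -I FORWARD 2 -s $1 -d $2 -j ACCEPT"
    done
    # Slash notation is needed: the interface name itself contains a dot.
    for vif in "$vif_a" "$vif_b"; do
        echo "sysctl -w net/ipv4/conf/$vif/proxy_arp=1"
    done
}

# intervm_apply IP_A IP_B: resolve both vifs and run the commands (as root).
# Afterwards "arping <IP_B>" from VM A should answer with fe:ff:ff:ff:ff:ff.
intervm_apply() {
    vif_a=$(vif_for "$1"); vif_b=$(vif_for "$2")
    intervm_cmds "$1" "$2" "$vif_a" "$vif_b" | while IFS= read -r cmd; do
        echo "+ $cmd"; sh -c "$cmd"
    done
}

# Usage: sh intervm.sh --apply 10.137.2.19 10.137.2.18
if [ "${1:-}" = "--apply" ]; then
    intervm_apply "$2" "$3"
fi
```

The firewall VM rebuilds its rules whenever its configuration changes, so the script has to be re-run after that, as the second thread notes.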

Re: [qubes-users] Networking between Linux and Windows VMs

2016-09-05 Thread Daniel Wilcox
Hi Micah, you're taking the opposite of the usual strategy I use on my extra
firewall vms -- by adding a rule rather than removing one.  Could you try
on the appropriate firewall vm:

iptables -D FORWARD 3  # where rule 3 should be the rule to drop all
packets between the vif interfaces

This should be equivalent to what you're doing but might be worth a check.
Also I'm sure you've noticed whenever the firewall vm has a change to its
rules, it'll reload and we have to re-execute this (anyone have ideas for
that btw?).

Two other things I just want to check you've remembered to do:

- specifically *allow* forwarding to the vm ip block for each of the vms
that need to communicate -- aka add 10.137.5.0/24 or whatever to the
firewall rules of each vm

- configure the host OS's input chain to allow connections in on the given
port from any, or at least related and the other vm ip -- this one I have
forgotten before on HVMs and been very confused lol... a whole OS...wat

Hope that gives you some ideas.  I take it you are also doing something
like 'tcpdump -i vifX.0 icmp' to catch any icmp reject messages, if not
that's a good idea too -- though mostly to see the reject messages from
misconfigured forwarding.

Cheers,

=D

anyone know how to do 'nc -l 9000' on windoze?  that's always a handy test

On Mon, Sep 5, 2016 at 3:04 PM, Micah Lee wrote:

> On 09/05/2016 02:44 PM, Connor Page wrote:
> > they should be connected to the same firewallvm, not netvm. iptables in
> netvms are set up differently.
>
> They are connected to the same firewallvm. And I've successfully gotten
> networking working between two Linux VMs using this firewallvm. It's
> just not working with one of the VMs being a Windows HVM.
>



Re: [qubes-users] Re: VMs cannot start (Error, 0), eek... and fixed

2016-09-02 Thread Daniel Wilcox
Good question, I appear to have dismissed the messages already.  It was
closest to what is the subject of the email, either 'vm cannot start' or
'cannot start vm', and then '(Error, 0)'.  Hope that helps,

=D

On Wed, Aug 31, 2016 at 9:14 PM, Drew White wrote:

> On Thursday, 1 September 2016 07:44:59 UTC+10, Daniel Wilcox wrote:
> > Hello, I searched the archives and saw this has come up before regarding
> firewall rules.
> > https://github.com/QubesOS/qubes-issues/issues/1570
> >
> > I had half an email composed when I tried something and it unexpectedly
> worked.
> >
> > So for posterity I wanted to add that it is possible that *no* VM
> will start if you have exceeded the maximum number of firewall rules on
> *any* VM.
> >
> > find /var/lib/qubes -name firewall.xml -exec wc -l '{}' \;
> > # found offending VMs with 38 - 40 lines (and hence 36-38 rules)
> >
> > On a side note, does anyone have great ideas for dealing with CDNs like
> Fastly, which allocate the same host IP for a service, say
> pypi.python.org, in many /24s?
> >
> > Big phew! and cheers,
> >
> > =D
>
> What was the EXACT error message that showed up for you?
>



[qubes-users] VMs cannot start (Error, 0), eek... and fixed

2016-08-31 Thread Daniel Wilcox
Hello, I searched the archives and saw this has come up before regarding
firewall rules.
https://github.com/QubesOS/qubes-issues/issues/1570

I had half an email composed when I tried something and it unexpectedly
worked.

So for posterity I wanted to add that it is possible that *no* VM will
start if you have exceeded the maximum number of firewall rules on *any* VM.

find /var/lib/qubes -name firewall.xml -exec wc -l '{}' \;
# found offending VMs with 38 - 40 lines (and hence 36-38 rules)

On a side note, does anyone have great ideas for dealing with CDNs like
Fastly, which allocate the same host IP for a service, say pypi.python.org,
in many /24s?

Big phew! and cheers,

=D

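An added checker, not from the thread, that counts the <rule> elements per VM instead of file lines and reports the VMs at or above a limit you pass in. The thread gives no exact ceiling, only that VMs with 36-38 rules were the offenders, so the limit is an argument; the element layout used for the constructed sample is assumed from Qubes 3.x, and rule_count, check_firewalls and write_sample are names chosen here.

```shell
#!/bin/sh
# Added checker: count <rule .../> elements in every firewall.xml below a
# directory (dom0: /var/lib/qubes) and report VMs at or above a limit.
# The thread's "wc -l" counts lines; this counts the rule elements themselves.
set -eu

# rule_count FILE: number of <rule ...> elements in a firewall.xml.
rule_count() {
    grep -c '<rule ' "$1" || true   # grep -c exits 1 on zero matches
}

# check_firewalls DIR LIMIT: print "VM COUNT" for each VM with COUNT >= LIMIT.
# Returns 1 if any VM was reported, so it can serve as a pre-flight check.
check_firewalls() {
    dir=$1; limit=$2; found=0
    for f in $(find "$dir" -name firewall.xml | sort); do
        n=$(rule_count "$f")
        vm=$(basename "$(dirname "$f")")
        if [ "$n" -ge "$limit" ]; then
            echo "$vm $n"; found=1
        fi
    done
    return $found
}

# write_sample FILE N: constructed firewall.xml with N allow rules, in the
# Qubes 3.x layout as assumed here (one element per line, TEST-NET addresses).
write_sample() {
    mkdir -p "$(dirname "$1")"
    echo '<QubesFirwallRules policy="deny" dns="allow" icmp="allow" yumProxy="deny">' > "$1"
    i=0
    while [ "$i" -lt "$2" ]; do
        echo "  <rule address=\"203.0.113.$i\" netmask=\"32\" port=\"443\" proto=\"tcp\"/>" >> "$1"
        i=$((i + 1))
    done
    echo '</QubesFirwallRules>' >> "$1"
}

# demo: run the check over a constructed tree (real use: check_firewalls /var/lib/qubes 36).
demo() {
    tmp=$(mktemp -d)
    write_sample "$tmp/appvms/work/firewall.xml" 38
    write_sample "$tmp/appvms/personal/firewall.xml" 5
    check_firewalls "$tmp" 36 || echo "at least one VM is at or over the limit"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```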