Re: [qubes-users] Port Forward in qubes-OS.
Hello friends! Pls, help me :( I need to configure port forwarding to Kali linux VM via sys-net ---> sys-firewall ---> sys-whonix ---> VPN-VM ---> KaliVM to use meterpreter and apache2 on my Kali linux VM.

At first I tried to use scripts:
https://gist.github.com/jpouellet/d8cd0eb8589a5b9bf0c53a28fc530369
https://gist.github.com/Joeviocoe/6c4dc0c283f6d6c5b1a3f5af8793292b
https://github.com/niccokunzmann/qvm-expose-port

I transferred them to the dom0 machine in the /usr/local/bin/ folder. I tried to run these scripts, but ports 443, 8080, 80 do not work on Kali linux VM.

Then I tried to do it manually:
https://www.qubes-os.org/doc/firewall/#port-forwarding-to-a-qube-from-the-outside-world

[user@sys-net ~]$ ifconfig | grep -i cast
ens6: flags=4099 mtu 1500
ens5f0u1: flags=4163 mtu 1500
inet 192.168.0.157 netmask 255.255.255.0 broadcast 192.168.0.255
vif3.0: flags=4163 mtu 1500
inet 10.137.0.5 netmask 255.255.255.255 broadcast 0.0.0.0
wls7: flags=4099 mtu 1500

[user@sys-net ~]$ ifconfig | grep -i cast
ens6: flags=4099 mtu 1500
ens5f0u1: flags=4163 mtu 1500
inet 192.168.0.157 netmask 255.255.255.0 broadcast 192.168.0.255
vif3.0: flags=4163 mtu 1500
inet 10.137.0.5 netmask 255.255.255.255 broadcast 0.0.0.0
wls7: flags=4099 mtu 1500

[user@sys-net ~]$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 192.168.0.157 -j DNAT --to-destination 10.137.0.6
[user@sys-net ~]$ sudo iptables -I FORWARD 2 -i eth0 -d 10.137.1.6 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
[user@sys-net ~]$ sudo nft add rule ip qubes-firewall forward meta iifname eth0 ip daddr 10.137.0.6 tcp dport 443 ct state new counter accept

[user@sys-net ~]$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 3 packets, 156 bytes)
pkts bytes target prot opt in out source destination
15233 807K PR-QBS all -- * * 0.0.0.0/0 0.0.0.0/0
15220 806K PR-QBS-SERVICES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 192.168.0.157 tcp dpt:443 to:10.137.0.6

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1546 packets, 104K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * vif+ 0.0.0.0/0 0.0.0.0/0
3 156 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
30894 2067K MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0

Chain PR-QBS (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.1 udp dpt:53 to:10.139.1.1
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.1 tcp dpt:53 to:10.139.1.1
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.2 udp dpt:53 to:10.139.1.2
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.2 tcp dpt:53 to:10.139.1.2

Chain PR-QBS-SERVICES (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- vif+ * 0.0.0.0/0 10.137.255.254 tcp dpt:8082

[user@sys-net ~]$ sudo iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- vif+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8082
0 0 DROP udp -- vif+ * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
44760 4252K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- vif+ * 0.0.0.0/0 0.0.0.0/0
3 156 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- vif+ * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
62 2480 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
660K 438M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0
Re: [qubes-users] Port Forward in qubes-OS.
Packets are not transmitted after I added port 80 and 8080 to sys-net.

[user@sys-net ~]$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
15234 807K PR-QBS all -- * * 0.0.0.0/0 0.0.0.0/0
15221 806K PR-QBS-SERVICES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 192.168.0.157 tcp dpt:443 to:10.137.0.6
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 192.168.0.157 tcp dpt:80 to:10.137.0.6
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 192.168.0.157 tcp dpt:8080 to:10.137.0.6

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 70 packets, 4690 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * vif+ 0.0.0.0/0 0.0.0.0/0
3 156 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
32702 2189K MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0

Chain PR-QBS (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.1 udp dpt:53 to:10.139.1.1
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.1 tcp dpt:53 to:10.139.1.1
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.2 udp dpt:53 to:10.139.1.2
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.2 tcp dpt:53 to:10.139.1.2

Chain PR-QBS-SERVICES (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- vif+ * 0.0.0.0/0 10.137.255.254 tcp dpt:8082

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b836b2de-d402-45a0-92a7-3e77f8b0cdbe%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Port Forward in qubes-OS.
I need to forward the port to Kali VM in order to use meterpreter and apache2 on my KaliVM: sys-net ---> sys-firewall ---> sys-whonix ---> VPN ---> KaliVM. Can this be done?
Re: [qubes-users] Port Forward in qubes-OS.
What mistake do I make? -

[user@sys-net ~]$ ifconfig | grep -i cast
ens6: flags=4099 mtu 1500
ens5f0u1: flags=4163 mtu 1500
inet 192.168.0.157 netmask 255.255.255.0 broadcast 192.168.0.255
vif3.0: flags=4163 mtu 1500
inet 10.137.0.5 netmask 255.255.255.255 broadcast 0.0.0.0
wls7: flags=4099 mtu 1500

[user@sys-net ~]$ ifconfig | grep -i cast
ens6: flags=4099 mtu 1500
ens5f0u1: flags=4163 mtu 1500
inet 192.168.0.157 netmask 255.255.255.0 broadcast 192.168.0.255
vif3.0: flags=4163 mtu 1500
inet 10.137.0.5 netmask 255.255.255.255 broadcast 0.0.0.0
wls7: flags=4099 mtu 1500

[user@sys-net ~]$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 192.168.0.157 -j DNAT --to-destination 10.137.0.6
[user@sys-net ~]$ sudo iptables -I FORWARD 2 -i eth0 -d 10.137.1.6 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
^
[user@sys-net ~]$ sudo nft add rule ip qubes-firewall forward meta iifname eth0 ip daddr 10.137.0.6 tcp dport 443 ct state new counter accept

[user@sys-net ~]$ sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 3 packets, 156 bytes)
pkts bytes target prot opt in out source destination
15233 807K PR-QBS all -- * * 0.0.0.0/0 0.0.0.0/0
15220 806K PR-QBS-SERVICES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 192.168.0.157 tcp dpt:443 to:10.137.0.6

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1546 packets, 104K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * vif+ 0.0.0.0/0 0.0.0.0/0
3 156 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
30894 2067K MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0

Chain PR-QBS (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.1 udp dpt:53 to:10.139.1.1
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.1 tcp dpt:53 to:10.139.1.1
0 0 DNAT udp -- * * 0.0.0.0/0 10.139.1.2 udp dpt:53 to:10.139.1.2
0 0 DNAT tcp -- * * 0.0.0.0/0 10.139.1.2 tcp dpt:53 to:10.139.1.2

Chain PR-QBS-SERVICES (1 references)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- vif+ * 0.0.0.0/0 10.137.255.254 tcp dpt:8082

[user@sys-net ~]$ sudo iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- vif+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8082
0 0 DROP udp -- vif+ * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
44760 4252K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- vif+ * 0.0.0.0/0 0.0.0.0/0
3 156 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- vif+ * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
62 2480 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
660K 438M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.137.1.6 tcp dpt:443 ctstate NEW
163 8531 QBS-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- vif+ vif+ 0.0.0.0/0 0.0.0.0/0
163 8531 ACCEPT all -- vif+ * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3220 packets, 216K bytes)
pkts bytes target prot opt in out source destination

Chain QBS-FORWARD (1 references)
pkts bytes target prot opt in out source destination

[user@sys-net ~]$ sudo nft list table ip
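
Added example (not part of the original post, and not code from the Qubes project): a shell check that cross-references the two iptables commands quoted in the message above against each other and against the interface names in the ifconfig output. The sample rules and interface list are copied from that message; the function name check_rules and the finding labels are assumptions of this example.

```shell
#!/usr/bin/env bash
# Sample input: arguments of the two iptables commands quoted in the message,
# and the interface names from its ifconfig output (copied, not live data).
RULES='-t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 192.168.0.157 -j DNAT --to-destination 10.137.0.6
-I FORWARD 2 -i eth0 -d 10.137.1.6 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT'
IFACES='ens6 ens5f0u1 vif3.0 wls7'

# check_rules RULES IFACES (hypothetical helper)
# Prints one finding per line, sorted:
#   IFACE_MISSING <if>             rule matches on an interface that does not exist
#   NO_FORWARD_FOR_DNAT <ip:port>  DNAT target has no FORWARD accept rule
#   FORWARD_WITHOUT_DNAT <ip:port> FORWARD accept rule has no DNAT pointing at it
check_rules() {
  printf '%s\n' "$1" | awk -v ifaces="$2" '
    # Return the word that follows an option flag on the current rule line.
    function opt(flag,   i) {
      for (i = 1; i < NF; i++) if ($i == flag) return $(i + 1)
      return ""
    }
    BEGIN { n = split(ifaces, a, " "); for (j = 1; j <= n; j++) known[a[j]] = 1 }
    {
      iface = opt("-i")
      if (iface != "" && !(iface in known) && !(iface in warned)) {
        print "IFACE_MISSING " iface
        warned[iface] = 1
      }
      port = opt("--dport")
      if (opt("-j") == "DNAT") {
        dst = opt("--to-destination")
        sub(/:.*/, "", dst)            # drop an optional :port suffix
        dnat[dst ":" port] = 1
      } else if (opt("-j") == "ACCEPT" && $0 ~ /FORWARD/) {
        fwd[opt("-d") ":" port] = 1
      }
    }
    END {
      for (k in dnat) if (!(k in fwd)) print "NO_FORWARD_FOR_DNAT " k
      for (k in fwd) if (!(k in dnat)) print "FORWARD_WITHOUT_DNAT " k
    }' | sort
}

check_rules "$RULES" "$IFACES"
```

On the quoted commands it reports that eth0 is not among the listed interfaces and that the DNAT target 10.137.0.6 and the FORWARD destination 10.137.1.6 do not match; the zero packet counters on the DNAT rules in the listings are consistent with rules that never match.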
Re: [qubes-users] Port Forward in qubes-OS.
On 20181225 at 00:25 -0800 menoldst...@gmail.com wrote:
> Permission denied (you must be root)

Sometimes a closer look at the error message solves the riddle.

Achim
Re: [qubes-users] Port Forward in qubes-OS.
On Tuesday, 25 December 2018 at 5:26:04 UTC+3, user unman wrote:
> On Mon, Dec 24, 2018 at 06:08:27AM -0800, menoldst...@gmail.com wrote:
> > Hello. Qubes-users. I installed Kali linux and now I need to make it so
> > that apache2 would work not only on the local network, but also on the
> > Internet. I need to do port forwarding ?? If so, can anyone tell me how to
> > do this?
> >
>
> Have you looked at the docs?
> https://www.qubes-os.org/doc/firewall/#port-forwarding-to-a-qube-from-the-outside-world

Thank you. What needs to be done to upgrade?

[user@sys-net ~]$ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 192.168.0.151 -j DNAT --to-destination 10.137.0.4
iptables v1.6.1: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
Re: [qubes-users] Port Forward in qubes-OS.
On Mon, Dec 24, 2018 at 06:08:27AM -0800, menoldst...@gmail.com wrote:
> Hello. Qubes-users. I installed Kali linux and now I need to make it so that
> apache2 would work not only on the local network, but also on the Internet. I
> need to do port forwarding ?? If so, can anyone tell me how to do this?
>

Have you looked at the docs?
https://www.qubes-os.org/doc/firewall/#port-forwarding-to-a-qube-from-the-outside-world
[qubes-users] Port Forward in qubes-OS.
Hello. Qubes-users. I installed Kali linux and now I need to make it so that apache2 would work not only on the local network, but also on the Internet. I need to do port forwarding ?? If so, can anyone tell me how to do this?