Joeviocoe · June 16, 2021 11:40 · Feb 11, 2018 · Feb 10, 2018 · Feb 10, 2018 · Feb 10, 2018
diff --git a/qvm-portfwd → qvm-portfwd-iptables b/qvm-portfwd → qvm-portfwd-iptables
diff --git a/qvm-portfwd b/qvm-portfwd
@@ -1,4 +1,7 @@
 #!/bin/sh
+# Inspired by https://gist.github.com/daktak/f887352d564b54f9e529404cc0eb60d5
+# Inspired by https://gist.github.com/jpouellet/d8cd0eb8589a5b9bf0c53a28fc530369
+
 ip() { qvm-prefs -g -- "$1" ip; }
 netvm() { qvm-prefs -g -- "$1" netvm; }
 

diff --git a/qvm-portfwd b/qvm-portfwd
@@ -21,7 +21,7 @@ forward() {
 		echo "$from_domain: Clearing Port Forwarding from $1 iptables" >&2
 		qvm-run -p -u root "$from_domain" "iptables-save | grep -v 'PortFwd $1' | iptables-restore"
 
-		local nft_cmd="nft list table ip qubes-firewall -a | tr -d '\"' | grep 'iifname ens5 accept # handle' | awk '{print \$NF}'"
+		local nft_cmd="nft list table ip qubes-firewall -a | tr -d '\"' | grep 'iifname $iface accept # handle' | awk '{print \$NF}'"
 		local nft_handle=$(qvm-run -p -u root "$from_domain" "$nft_cmd")
 		if [[ $nft_handle =~ ^[0-9]+$ ]] ; then qvm-run -p -u root "$from_domain" "nft delete rule ip qubes-firewall forward handle $nft_handle" ; fi
 	else

diff --git a/PortForward.sh → qvm-portfwd b/PortForward.sh → qvm-portfwd
diff --git a/PortForward.sh b/PortForward.sh
@@ -67,7 +67,7 @@ recurse_netvms() {
 }
 
 usage() {
-	echo "Usage: ${0##*/} <vm> <port>|clear all" >&2
+	echo "Usage: ${0##*/} <vm> <port> <proto> | <vm> clear all" >&2
 	exit 1
 }
 

diff --git a/PortForward.sh b/PortForward.sh
@@ -0,0 +1,76 @@
+#!/bin/sh
+ip() { qvm-prefs -g -- "$1" ip; }
+netvm() { qvm-prefs -g -- "$1" netvm; }
+
+forward() {
+	local from_domain=$1
+	local to_domain=$2
+	local port=$3
+	local type=$4
+
+	local from_ip=$(ip "$from_domain")
+	local to_ip=$(ip "$to_domain")
+	local iface=$(qvm-run -p -u root "$from_domain" "ifconfig \
+		| grep cast -B 1 --no-group-separator | grep -vE '^(vif|lo)' | grep -oE '^[^: ]+' | head -1")
+
+	local from_ip=$(qvm-run -p -u root "$from_domain" "hostname -I | cut -d ' ' -f 1")
+	if [ X"$from_ip" = XNone ] ; then local from_ip= ; fi
+
+	if [[ $3 = "clear" && $4 = "all" ]]
+	then
+		echo "$from_domain: Clearing Port Forwarding from $1 iptables" >&2
+		qvm-run -p -u root "$from_domain" "iptables-save | grep -v 'PortFwd $1' | iptables-restore"
+
+		local nft_cmd="nft list table ip qubes-firewall -a | tr -d '\"' | grep 'iifname ens5 accept # handle' | awk '{print \$NF}'"
+		local nft_handle=$(qvm-run -p -u root "$from_domain" "$nft_cmd")
+		if [[ $nft_handle =~ ^[0-9]+$ ]] ; then qvm-run -p -u root "$from_domain" "nft delete rule ip qubes-firewall forward handle $nft_handle" ; fi
+	else
+		echo "$from_domain: Forwarding on $iface port $port to $to_domain
+			($from_ip -> $to_ip)" >&2
+		qvm-run -p -u root "$from_domain" "iptables-save | grep -v 'PortFwd $1>$2:$4$3' | iptables-restore"
+		qvm-run -p -u root "$from_domain" "iptables -t nat -A PREROUTING -i $iface -p $type ${from_ip:+-d} $from_ip --dport $port -j DNAT --to-destination $to_ip \
+			-m comment --comment 'PortFwd $1>$2:$4$3'"
+		qvm-run -p -u root "$from_domain" "iptables -I FORWARD 2 -i $iface -p $type ${to_ip:+-d} $to_ip --dport $port -m conntrack --ctstate NEW -j ACCEPT \
+			-m comment --comment 'PortFwd $1>$2:$4$3'"
+		qvm-run -p -u root "$from_domain" "nft add rule ip qubes-firewall forward meta iifname $iface accept"
+	fi
+}
+
+input() {
+	local domain=$1
+	local port=$2
+	local type=$3
+
+	if [[ $2 = "clear" && $3 = "all" ]]
+	then
+		echo "$domain: Clearing Port Forwarding from $1 iptables" >&2
+		qvm-run -p -u root "$domain" "iptables-save | grep -v 'PortFwd $1' | iptables-restore"
+	else
+		echo "$domain: Allowing input to port $port" >&2
+		qvm-run -p -u root "$domain" "iptables-save | grep -v 'PortFwd $1:$3$2' | iptables-restore"
+
+		qvm-run -p -u root "$domain" "iptables -I INPUT 5 -p $type --dport $port -m conntrack --ctstate NEW -j ACCEPT \
+			-m comment --comment 'PortFwd $1:$3$2'"
+	fi
+}
+
+recurse_netvms() {
+	local this_dom=$1
+	local port=$2
+	local type=$3
+
+	local outer_dom=$(netvm "$this_dom")
+	if [[ -n "$outer_dom" && "$outer_dom" != "None" ]]; then
+		forward "$outer_dom" "$this_dom" "$port" "$type"
+		recurse_netvms "$outer_dom" "$port" "$type"
+	fi
+}
+
+usage() {
+	echo "Usage: ${0##*/} <vm> <port>|clear all" >&2
+	exit 1
+}
+
+[ $# -eq 3 ] || usage
+input "$1" "$2" "$3"
+recurse_netvms "$1" "$2" "$3"
diff --git a/qvm-exposeip.sh b/qvm-exposeip.sh
@@ -1,62 +0,0 @@
-#!/bin/sh
-ip() { qvm-ls --raw-data ip -- "$1"; }
-netvm() { qvm-prefs -g -- "$1" netvm; }
-
-forward() {
-	local from_domain=$1
-	local to_domain=$2
-	local port=$3
-	local type=$4
-
-	local from_ip=$(ip "$from_domain")
-	local to_ip=$(ip "$to_domain")
-	iface=$(qvm-run -p -u root "$from_domain" "ifconfig \
-		| grep cast -B 1 --no-group-separator | grep -vE '^(vif|lo)' | grep -oE '^[^: ]+' | head -1")
-
-	[ X"$from_ip" = XNone ] && from_ip=
-
-	echo "$from_domain: forwarding on $iface port $port to $to_domain
-		($from_ip -> $to_ip)" >&2
-	qvm-run -p -u root "$from_domain" \
-		"iptables -t nat -A PREROUTING -i $iface -p $type \
-		--dport $port ${from_ip:+-d} $from_ip \
-		-j DNAT --to-destination $to_ip"
-	qvm-run -p -u root "$from_domain" \
-		"iptables -I FORWARD 2 -i $iface ${to_ip:+-d} $to_ip \
-		-p $type --dport $port -m conntrack --ctstate NEW -j ACCEPT"
-}
-
-input() {
-	local domain=$1
-	local port=$2
-	local type=$3
-
-	echo "$domain: allowing input to port $port" >&2
-	qvm-run -p -u root "$domain" "iptables -I INPUT 5 -p $type \
-		--dport $port -m conntrack --ctstate NEW -j ACCEPT"
-}
-
-recurse_netvms() {
-	local this_dom=$1
-	local port=$2
-	local type=$3
-
-	local outer_dom=$(netvm "$this_dom")
-	if [ -n "$outer_dom" ]; then
-		forward "$outer_dom" "$this_dom" "$port" "$type"
-		recurse_netvms "$outer_dom" "$port" "$type"
-	fi
-}
-
-usage() {
-	echo "Usage: ${0##*/} <vm> <port>" >&2
-	exit 1
-}
-
-[ $# -eq 2 ] || [ $# -eq 3 ] || usage
-type=$3
-if [ -z ${type} ]; then
-  type=$type
-fi 
-input "$1" "$2" ${type}
-recurse_netvms "$1" "$2" ${type}

diff --git a/qvm-exposeip.sh b/qvm-exposeip.sh
@@ -1,50 +1,62 @@
-#!/bin/bash
-while getopts d:p:P:a:v:n:f option
-do
-    case "${option}"
-    in
-        d) dev=${OPTARG};;
-        p) ptype=${OPTARG};;
-        P) port=${OPTARG};;
-        a) appvm=${OPTARG};;
-        v) vpn=${OPTARG};;
-        n) net=${OPTARG};;
-        f) fw=${OPTARG};;
-    esac
-done
-if [ -z ${dev} ]; then
-    dev=wlp0s1
-fi
-externip=`qvm-run -p sys-net -u root "ifconfig ${dev}" | grep broadcast |col -x | awk '{print $2}'`
-if [ -z ${vpn} ]; then
-    vpn=workVPN
-fi
-if [ -z ${net} ]; then
-    net=sys-net
-fi
-if [ -z ${fw} ]; then
-    fw=sys-firewall
-fi
-if [ -z ${ptype} ]; then
-    ptype=tcp
-fi
-fwip=`qvm-run -p -u root ${fw} "ifconfig eth0 | grep 'inet ' | column -t | cut -d ' ' -f3"`
-vmip=`qvm-run -p -u root ${appvm} "ifconfig eth0 | grep 'inet ' | column -t | cut -d ' ' -f3"`
-vpnip=`qvm-run -p -u root ${vpn} "ifconfig eth0 | grep 'inet ' | column -t | cut -d ' ' -f3"`
-
-echo ${dev} ${externip}
-echo ${net} 
-echo ${fw} ${fwip}
-echo ${vpn} ${vpnip}
-echo ${appvm} ${vmip}
-exenet="iptables -t nat -A PREROUTING -i ${dev} -p ${ptype} --dport ${port} -d ${externip} -j DNAT --to-destination ${fwip} && \
-    iptables -I FORWARD 2 -i ${dev} -d ${fwip} -p ${ptype} --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
-qvm-run -p -u root ${net} "${exenet}"
-exefw="iptables -t nat -A PREROUTING -i eth0 -p ${ptype} --dport ${port} -d ${fwip} -j DNAT --to-destination ${vpnip} && \
-    iptables -I FORWARD 2 -i eth0 -d ${vpnip} -p ${ptype} --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
-qvm-run -p -u root ${fw} "${exefw}"
-exevpn="iptables -t nat -A PREROUTING -i eth0 -p ${ptype} --dport ${port} -d ${vpnip} -j DNAT --to-destination ${vmip} && \
-    iptables -I FORWARD 2 -i eth0 -d ${vmip} -p ${ptype} --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
-qvm-run -p -u root ${vpn} "${exevpn}"
-exevm="iptables -I INPUT 5 -p ${ptype} --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
-qvm-run -p -u root ${appvm} "${exevm}"
+#!/bin/sh
+ip() { qvm-ls --raw-data ip -- "$1"; }
+netvm() { qvm-prefs -g -- "$1" netvm; }
+
+forward() {
+	local from_domain=$1
+	local to_domain=$2
+	local port=$3
+	local type=$4
+
+	local from_ip=$(ip "$from_domain")
+	local to_ip=$(ip "$to_domain")
+	iface=$(qvm-run -p -u root "$from_domain" "ifconfig \
+		| grep cast -B 1 --no-group-separator | grep -vE '^(vif|lo)' | grep -oE '^[^: ]+' | head -1")
+
+	[ X"$from_ip" = XNone ] && from_ip=
+
+	echo "$from_domain: forwarding on $iface port $port to $to_domain
+		($from_ip -> $to_ip)" >&2
+	qvm-run -p -u root "$from_domain" \
+		"iptables -t nat -A PREROUTING -i $iface -p $type \
+		--dport $port ${from_ip:+-d} $from_ip \
+		-j DNAT --to-destination $to_ip"
+	qvm-run -p -u root "$from_domain" \
+		"iptables -I FORWARD 2 -i $iface ${to_ip:+-d} $to_ip \
+		-p $type --dport $port -m conntrack --ctstate NEW -j ACCEPT"
+}
+
+input() {
+	local domain=$1
+	local port=$2
+	local type=$3
+
+	echo "$domain: allowing input to port $port" >&2
+	qvm-run -p -u root "$domain" "iptables -I INPUT 5 -p $type \
+		--dport $port -m conntrack --ctstate NEW -j ACCEPT"
+}
+
+recurse_netvms() {
+	local this_dom=$1
+	local port=$2
+	local type=$3
+
+	local outer_dom=$(netvm "$this_dom")
+	if [ -n "$outer_dom" ]; then
+		forward "$outer_dom" "$this_dom" "$port" "$type"
+		recurse_netvms "$outer_dom" "$port" "$type"
+	fi
+}
+
+usage() {
+	echo "Usage: ${0##*/} <vm> <port>" >&2
+	exit 1
+}
+
+[ $# -eq 2 ] || [ $# -eq 3 ] || usage
+type=$3
+if [ -z ${type} ]; then
+  type=$type
+fi 
+input "$1" "$2" ${type}
+recurse_netvms "$1" "$2" ${type}
diff --git a/qvm-exposeip.sh b/qvm-exposeip.sh
@@ -1,25 +1,50 @@
 #!/bin/bash
-#change dev to your exposed device name
-#./qvm-exposeip.sh personal 80
-dev=wlp0s1
-appvm=$1
-port=$2
-fw=$3
-net=$4
+while getopts d:p:P:a:v:n:f option
+do
+    case "${option}"
+    in
+        d) dev=${OPTARG};;
+        p) ptype=${OPTARG};;
+        P) port=${OPTARG};;
+        a) appvm=${OPTARG};;
+        v) vpn=${OPTARG};;
+        n) net=${OPTARG};;
+        f) fw=${OPTARG};;
+    esac
+done
+if [ -z ${dev} ]; then
+    dev=wlp0s1
+fi
+externip=`qvm-run -p sys-net -u root "ifconfig ${dev}" | grep broadcast |col -x | awk '{print $2}'`
+if [ -z ${vpn} ]; then
+    vpn=workVPN
+fi
 if [ -z ${net} ]; then
     net=sys-net
 fi
 if [ -z ${fw} ]; then
     fw=sys-firewall
 fi
-externip=`qvm-run -p ${net} -u root "ifconfig ${dev}" | grep broadcast |col -x | awk '{print $2}'`
-
-fwip=`qvm-ls -n | grep \{${fw}\} | grep Running | column -s '|'  -x -t -o ' '| col -h | cut -f8 | awk '{print $1}'`
-vmip=`qvm-ls -n | grep ${appvm} | grep Running | column -s '|'  -x -t -o ' '| col -h | cut -f8 | awk '{print $1}'`
+if [ -z ${ptype} ]; then
+    ptype=tcp
+fi
+fwip=`qvm-run -p -u root ${fw} "ifconfig eth0 | grep 'inet ' | column -t | cut -d ' ' -f3"`
+vmip=`qvm-run -p -u root ${appvm} "ifconfig eth0 | grep 'inet ' | column -t | cut -d ' ' -f3"`
+vpnip=`qvm-run -p -u root ${vpn} "ifconfig eth0 | grep 'inet ' | column -t | cut -d ' ' -f3"`
 
-exenet="iptables -t nat -A PREROUTING -i ${dev} -p tcp --dport ${port} -d ${externip} -j DNAT --to-destination ${fwip} && iptables -I FORWARD 2 -i ${dev} -d ${fwip} -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
+echo ${dev} ${externip}
+echo ${net} 
+echo ${fw} ${fwip}
+echo ${vpn} ${vpnip}
+echo ${appvm} ${vmip}
+exenet="iptables -t nat -A PREROUTING -i ${dev} -p ${ptype} --dport ${port} -d ${externip} -j DNAT --to-destination ${fwip} && \
+    iptables -I FORWARD 2 -i ${dev} -d ${fwip} -p ${ptype} --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
 qvm-run -p -u root ${net} "${exenet}"
-exefw="iptables -t nat -A PREROUTING -i eth0 -p tcp --dport $port -d ${fwip} -j DNAT --to-destination ${vmip} && iptables -I FORWARD 2 -i eth0 -d ${vmip} -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
+exefw="iptables -t nat -A PREROUTING -i eth0 -p ${ptype} --dport ${port} -d ${fwip} -j DNAT --to-destination ${vpnip} && \
+    iptables -I FORWARD 2 -i eth0 -d ${vpnip} -p ${ptype} --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
 qvm-run -p -u root ${fw} "${exefw}"
-exevm="iptables -I INPUT 5 -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
+exevpn="iptables -t nat -A PREROUTING -i eth0 -p ${ptype} --dport ${port} -d ${vpnip} -j DNAT --to-destination ${vmip} && \
+    iptables -I FORWARD 2 -i eth0 -d ${vmip} -p ${ptype} --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
+qvm-run -p -u root ${vpn} "${exevpn}"
+exevm="iptables -I INPUT 5 -p ${ptype} --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
 qvm-run -p -u root ${appvm} "${exevm}"
diff --git a/qvm-exposeip.sh b/qvm-exposeip.sh
@@ -14,8 +14,8 @@ if [ -z ${fw} ]; then
 fi
 externip=`qvm-run -p ${net} -u root "ifconfig ${dev}" | grep broadcast |col -x | awk '{print $2}'`
 
-fwip=`qvm-ls -n | grep \{${fw}\} | grep Running | col -x | awk '{print $14}'`
-vmip=`qvm-ls -n | grep ${appvm} | grep Running | col -x | awk '{print $13}'`
+fwip=`qvm-ls -n | grep \{${fw}\} | grep Running | column -s '|'  -x -t -o ' '| col -h | cut -f8 | awk '{print $1}'`
+vmip=`qvm-ls -n | grep ${appvm} | grep Running | column -s '|'  -x -t -o ' '| col -h | cut -f8 | awk '{print $1}'`
 
 exenet="iptables -t nat -A PREROUTING -i ${dev} -p tcp --dport ${port} -d ${externip} -j DNAT --to-destination ${fwip} && iptables -I FORWARD 2 -i ${dev} -d ${fwip} -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
 qvm-run -p -u root ${net} "${exenet}"

diff --git a/qvm-exposeip.sh b/qvm-exposeip.sh
@@ -14,8 +14,8 @@ if [ -z ${fw} ]; then
 fi
 externip=`qvm-run -p ${net} -u root "ifconfig ${dev}" | grep broadcast |col -x | awk '{print $2}'`
 
-fwip=`qvm-ls -n | grep \{${fw}\} | col -x | awk '{print $14}'`
-vmip=`qvm-ls -n | grep ${appvm} | col -x | awk '{print $13}'`
+fwip=`qvm-ls -n | grep \{${fw}\} | grep Running | col -x | awk '{print $14}'`
+vmip=`qvm-ls -n | grep ${appvm} | grep Running | col -x | awk '{print $13}'`
 
 exenet="iptables -t nat -A PREROUTING -i ${dev} -p tcp --dport ${port} -d ${externip} -j DNAT --to-destination ${fwip} && iptables -I FORWARD 2 -i ${dev} -d ${fwip} -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
 qvm-run -p -u root ${net} "${exenet}"

diff --git a/qvm-exposeip.sh b/qvm-exposeip.sh
@@ -4,8 +4,8 @@
 dev=wlp0s1
 appvm=$1
 port=$2
-net=$3
-fw=$4
+fw=$3
+net=$4
 if [ -z ${net} ]; then
     net=sys-net
 fi

diff --git a/qvm-exposeip.sh b/qvm-exposeip.sh
@@ -4,7 +4,6 @@
 dev=wlp0s1
 appvm=$1
 port=$2
-externip=`qvm-run -p sys-net -u root "ifconfig ${dev}" | grep broadcast |col -x | awk '{print $2}'`
 net=$3
 fw=$4
 if [ -z ${net} ]; then
@@ -13,6 +12,8 @@ fi
 if [ -z ${fw} ]; then
     fw=sys-firewall
 fi
+externip=`qvm-run -p ${net} -u root "ifconfig ${dev}" | grep broadcast |col -x | awk '{print $2}'`
+
 fwip=`qvm-ls -n | grep \{${fw}\} | col -x | awk '{print $14}'`
 vmip=`qvm-ls -n | grep ${appvm} | col -x | awk '{print $13}'`
 

diff --git a/qvm-exposeip.sh b/qvm-exposeip.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+#change dev to your exposed device name
+#./qvm-exposeip.sh personal 80
+dev=wlp0s1
+appvm=$1
+port=$2
+externip=`qvm-run -p sys-net -u root "ifconfig ${dev}" | grep broadcast |col -x | awk '{print $2}'`
+net=$3
+fw=$4
+if [ -z ${net} ]; then
+    net=sys-net
+fi
+if [ -z ${fw} ]; then
+    fw=sys-firewall
+fi
+fwip=`qvm-ls -n | grep \{${fw}\} | col -x | awk '{print $14}'`
+vmip=`qvm-ls -n | grep ${appvm} | col -x | awk '{print $13}'`
+
+exenet="iptables -t nat -A PREROUTING -i ${dev} -p tcp --dport ${port} -d ${externip} -j DNAT --to-destination ${fwip} && iptables -I FORWARD 2 -i ${dev} -d ${fwip} -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
+qvm-run -p -u root ${net} "${exenet}"
+exefw="iptables -t nat -A PREROUTING -i eth0 -p tcp --dport $port -d ${fwip} -j DNAT --to-destination ${vmip} && iptables -I FORWARD 2 -i eth0 -d ${vmip} -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
+qvm-run -p -u root ${fw} "${exefw}"
+exevm="iptables -I INPUT 5 -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
+qvm-run -p -u root ${appvm} "${exevm}"
No results found