srchosts note

Readme.md

@@ -134,6 +134,9 @@ Of course `expire=` and `comment=` are optional fields.
 
 ### Required rules
 
+#### External
+
+***srchost and srcports support yet to be written here ***
 In `<networkvm>`:
 
 ```
@@ -150,6 +153,20 @@ iptables -I FORWARD 2 -i <interface> -d <appvm_ip> -p tcp --dport <target_port>
 nft add rule ip qubes-firewall forward meta iifname <interface> ip daddr <appvm_ip> tcp dport <target_port> ct state new counter accept
 ```
 
+in `<appvm>`:
+```
+iptables -w -I INPUT 5 -d <appvm_ip> -p tcp --dport <target_port> -m conntrack --ctstate NEW -j ACCEPT
+```
+
+#### Internal
+In `<firewallvm>`:
+
+```
+iptables -t nat -A PREROUTING -i <interface> -p tcp --dport <target_port> -d <firewallvm_ip> -j DNAT --to-destination <appvm_ip>
+iptables -I FORWARD 2 -i <interface> -d <appvm_ip> -p tcp --dport <target_port> -m conntrack --ctstate NEW -j ACCEPT
+nft add rule ip qubes-firewall forward meta iifname <interface> ip daddr <appvm_ip> tcp dport <target_port> ct state new counter accept
+```
+
 in `<appvm>`:
 ```
 iptables -w -I INPUT 5 -d <appvm_ip> -p tcp --dport <target_port> -m conntrack --ctstate NEW -j ACCEPT