[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Allow multiple flashproxy ports

I’ve been playing with the idea of forcing all of the host’s network traffic through the Whonix Gateway. I am trying to use port forwarding so I can access the Gateway’s ports from my host. Like the guide on the wiki.

Then I will use iptables to force all traffic through those ports. The problem is that the Whonix firewall only allows one flashproxy port. I need two. One for TCP traffic and one for DNS.

Would it be possible to add support for multiple flashproxy ports?

2 Likes

Implemented in git master just now. This should be good enough for play.

Untested but pretty sure working. Let me know if it works for you.

2 Likes

On a second thought above feature isn’t ideal for two ports only. There is also:

EXTERNAL_OPEN_PORTS+=" 22 "
EXTERNAL_OPEN_PORTS+=" 80 "

But that is TCP only atm.
https://github.com/Whonix/whonix-firewall/blob/master/usr/bin/whonix-gateway-firewall#L392

 $iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport "$local_port_to_open" -j ACCEPT

So that wouldn’t work for DnsPort.

1 Like

That’s now also possible in git master.

When you redirect DNS traffic, open this port:

EXTERNAL_UDP_OPEN_PORTS+=" 5300 "
2 Likes

Interesting. Do you know how to implement an exception for programs under the libvirt user group? This way you are protecting against unintentional host traffic leaks while allowing clearnet traffic from Hardened Debian VMs or other Whonix GWs without running into Tor over Tor.

1 Like

Whonix-Gateway firewall excludes exceptions for user debian-tor and
clearnet, that is not redirected over Tor.

Yes but I meant the libvirt group on the host being somehow exempted from redirection to the GW. I don’t think this change can be done on the GW but on the host’s IPtables?

Great! Thanks. I’ll try it out.

Yes, I should just be able to use

iptables -A OUTPUT -m owner --gid-owner "libvirt" -j ACCEPT
2 Likes

I think this feature is fantastic and should be implemented for Whonix Desktop as an optional package.

1 Like

Yes.

I don’t think this change can be done on the GW but on the host’s IPtables?

Indeed. This looks easy on the host but wouldn’t know how to do on the gateway.

Optional sounds good as per:

Optional package maybe not even needed. Could be implemented in https://github.com/Whonix/whonix-host-firewall as optional feature.

(https://github.com/Whonix/whonix-host-firewall should be merged into https://github.com/Whonix/whonix-firewall but that’s future work, do not have to be done in this thread.)

2 Likes

I have no idea how to implement port forwarding for KVM or if it’s even possible which is what Whonix Host will be using. Does anyone know if it’s possible?

1 Like

Portforwarding with libvirt possible and documented here in this script:

2 Likes

Great! This will need to be tested. I still haven’t got around to testing it on my own machine yet.

3 Likes