redirect host traffic to Whonix-Gateway - Allow multiple incoming / flashproxy ports

I’ve been playing with the idea of forcing all of the host’s network traffic through the Whonix Gateway. I am trying to use port forwarding so I can access the Gateway’s ports from my host. Like the guide on the wiki.

Then I will use iptables to force all traffic through those ports. The problem is that the Whonix firewall only allows one flashproxy port. I need two. One for TCP traffic and one for DNS.

Would it be possible to add support for multiple flashproxy ports?

2 Likes

Implemented in git master just now. This should be good enough for play.

Untested but pretty sure working. Let me know if it works for you.

2 Likes

On second thought, the above feature isn’t ideal for two ports only. There is also:

EXTERNAL_OPEN_PORTS+=" 22 "
EXTERNAL_OPEN_PORTS+=" 80 "

But that is TCP only atm.
whonix-firewall/whonix-gateway-firewall at master · Whonix/whonix-firewall · GitHub

 $iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport "$local_port_to_open" -j ACCEPT

So that wouldn’t work for DnsPort.

1 Like

That’s now also possible in git master.

When you redirect DNS traffic, open this port:

EXTERNAL_UDP_OPEN_PORTS+=" 5300 "
2 Likes
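To make concrete what the two variables above translate to on the gateway, here is an added example (my own script, not the whonix-firewall code) that expands EXTERNAL_OPEN_PORTS and EXTERNAL_UDP_OPEN_PORTS into the per-interface INPUT rules, one TCP loop and one UDP loop, and refuses to emit anything if a port token is not a plain number in 1..65535, so a typo in the config fails loudly instead of half-applying. The function and variable names (gw_input_rules, valid_port, the "eth0" interface) are assumptions; the variables are concatenated in POSIX form instead of bash’s `+=`.

```shell
#!/bin/sh
# Added example (not the whonix-firewall script itself): emit the INPUT rules
# that EXTERNAL_OPEN_PORTS (TCP) and EXTERNAL_UDP_OPEN_PORTS (UDP) stand for,
# one per external interface, after validating every port token.
# Assumed names: gw_input_rules, valid_port, "eth0" as the external interface.
set -eu

# A port token must be a plain integer in 1..65535 (no ranges, no service names).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gw_input_rules EXT_IFS TCP_PORTS UDP_PORTS
# Prints one "iptables -A INPUT ..." line per (interface, port) pair and
# returns non-zero on the first malformed token instead of emitting a
# partial rule set.
gw_input_rules() {
    ext_ifs=$1; tcp_ports=$2; udp_ports=$3
    for proto in tcp udp; do
        if [ "$proto" = tcp ]; then ports=$tcp_ports; else ports=$udp_ports; fi
        for port in $ports; do
            if ! valid_port "$port"; then
                echo "invalid $proto port token: '$port'" >&2
                return 1
            fi
            for ext_if in $ext_ifs; do
                printf 'iptables -A INPUT -i %s -p %s --dport %s -j ACCEPT\n' \
                    "$ext_if" "$proto" "$port"
            done
        done
    done
}

# Constructed sample config in the style of the thread: two TCP ports plus
# the UDP DnsPort. Written with POSIX concatenation rather than bash's +=.
EXTERNAL_OPEN_PORTS=""
EXTERNAL_OPEN_PORTS="$EXTERNAL_OPEN_PORTS 22 "
EXTERNAL_OPEN_PORTS="$EXTERNAL_OPEN_PORTS 80 "
EXTERNAL_UDP_OPEN_PORTS=" 5300 "

gw_input_rules "eth0" "$EXTERNAL_OPEN_PORTS" "$EXTERNAL_UDP_OPEN_PORTS"
```

Run as-is it prints three rules for eth0 (tcp 22, tcp 80, udp 5300); the validation matters because a stray token such as "http" or "70000" would otherwise make the real iptables invocation abort partway through the loop.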

Interesting. Do you know how to implement an exception for programs under the libvirt user group? This way you are protecting against unintentional host traffic leaks while allowing clearnet traffic from Hardened Debian VMs or other Whonix GWs without running into Tor over Tor.

1 Like

Whonix-Gateway firewall excludes exceptions for user debian-tor and clearnet, that is not redirected over Tor.

Yes but I meant the libvirt group on the host being somehow exempted from redirection to the GW. I don’t think this change can be done on the GW but on the host’s IPtables?

Great! Thanks. I’ll try it out.

Yes, I should just be able to use

iptables -A OUTPUT -m owner --gid-owner "libvirt" -j ACCEPT
2 Likes
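Putting the pieces of this thread together on the host side, here is an added example (my own, not code from the thread or from whonix-host-firewall) of a host ruleset in iptables-restore format: the host’s own DNS goes to the forwarded DnsPort, its other TCP traffic to the forwarded TransPort, processes in the VM-owning group bypass the redirect (the libvirt-group exemption discussed above, which also covers the "allow only gateway traffic, block the rest" variant), and everything else the host generates is dropped. The port numbers (127.0.0.1:9040 for the forwarded TransPort, 127.0.0.1:5300 for the forwarded DnsPort) and the group name "libvirt" are assumptions to adjust; host_ruleset and exemption_precedes_redirect are names I chose.

```shell
#!/bin/sh
# Added example, not from the thread or from whonix-host-firewall: a host-side
# ruleset that sends the host's own TCP and DNS traffic to the gateway ports
# forwarded onto localhost and drops the rest, while leaving the VM-owning
# group alone so the VMs themselves can still reach clearnet (no Tor over Tor).
# Assumed values (adjust to your setup): forwarded TransPort 127.0.0.1:9040,
# forwarded DnsPort 127.0.0.1:5300, group name "libvirt".
set -eu

GW_TRANS_PORT=${GW_TRANS_PORT:-9040}   # assumption: host port forwarded to the gateway TransPort
GW_DNS_PORT=${GW_DNS_PORT:-5300}       # assumption: host port forwarded to the gateway DnsPort
VM_GROUP=${VM_GROUP:-libvirt}          # group whose traffic bypasses the redirect

# Print the ruleset. Order matters: the exemptions (RETURN/ACCEPT) come before
# the REDIRECT and the DROP policy so loopback and the VM group are never caught.
host_ruleset() {
    cat <<EOF
*nat
# loopback and the VM-owning group are left untouched
-A OUTPUT -o lo -j RETURN
-A OUTPUT -m owner --gid-owner $VM_GROUP -j RETURN
# DNS (UDP 53) -> forwarded DnsPort, all other TCP -> forwarded TransPort
-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $GW_DNS_PORT
-A OUTPUT -p tcp -j REDIRECT --to-ports $GW_TRANS_PORT
COMMIT
*filter
:OUTPUT DROP [0:0]
# after REDIRECT the packets leave via lo, so this is what lets them through
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --gid-owner $VM_GROUP -j ACCEPT
# anything else the host generates (non-DNS UDP, ICMP, ...) hits the DROP policy
COMMIT
EOF
}

# Returns 0 only if, in the nat table, the VM-group exemption appears before
# the first REDIRECT; a mis-ordered ruleset would silently redirect VM traffic.
exemption_precedes_redirect() {
    host_ruleset | awk -v grp="$VM_GROUP" '
        /^\*nat/  { in_nat = 1 }
        /^COMMIT/ { in_nat = 0 }
        in_nat && $0 ~ ("--gid-owner " grp " -j RETURN") { seen = 1 }
        in_nat && /REDIRECT/ && !seen { exit 1 }
    '
}

case "${1:-print}" in
    apply) exemption_precedes_redirect && host_ruleset | iptables-restore --noflush ;;
    *)     host_ruleset ;;
esac
```

Without arguments the script just prints the ruleset for review; `apply` (as root) loads it with `iptables-restore --noflush` so libvirt’s own FORWARD/NAT rules for the VM networks are not flushed (the flip side is that re-running appends duplicate rules, so flush your own OUTPUT rules first). One caveat worth checking on your system: the owner match’s `--gid-owner` compares against the socket owner’s primary group, so a user who is only a supplementary member of libvirt is matched only where the owner match supports `--suppl-groups`.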

I think this feature is fantastic and should be implemented for Whonix Desktop as an optional package.

1 Like

Yes.

I don’t think this change can be done on the GW but on the host’s IPtables?

Indeed. This looks easy on the host but wouldn’t know how to do on the gateway.

Optional sounds good as per:

Optional package maybe not even needed. Could be implemented in https://github.com/Whonix/whonix-host-firewall as optional feature.

(https://github.com/Whonix/whonix-host-firewall should be merged into GitHub - Whonix/whonix-firewall: https://www.whonix.org/wiki/Imprint but that’s future work, do not have to be done in this thread.)

2 Likes

I have no idea how to implement port forwarding for KVM or if it’s even possible which is what Whonix Host will be using. Does anyone know if it’s possible?

1 Like

Port forwarding with libvirt is possible and documented here in this script:
https://aboullaite.me/dynamic-port-forwarding-for-nat-ed-kvm-libvirt-networks/

2 Likes

Great! This will need to be tested. I still haven’t got around to testing it on my own machine yet.

3 Likes

@madaidan I’ve been searching for the topic where you described redirecting host traffic to the GW and blocking everything else. Can’t find it. It seems there was wider interest in the same problem and it may be interesting to have.

Let me know what topic this was in and I’ll move this post.

2 Likes

It was the post where I asked for support for multiple flashproxy ports.

That person seemed to want to allow only Gateway traffic rather than force all traffic through the Gateway which can be done by allowing traffic from the libvirt group and blocking all other traffic.

2 Likes