Block all traffic except some hidden addresses

How can I modify the Whonix Firewall (or make iptables rules) to block all traffic that doesn’t go to some specific .onion hidden services and sites? I have a file with .onion addresses of hidden services and web sites, and I want to allow only traffic to those listed .onion URLs.



I don’t think this can be done at the iptables level, because it has no awareness of domains let alone onions.

This question also qualifies for being asked in a generic way elsewhere, i.e. in the Tor specific support channels. See:

This one is related. But it is a blacklist and you are asking for a whitelist.

Tor - Whonix

Thanks, iptables can know the content of every packet if the rule uses the string match module, but string match acts on layer 7 so is very inefficient.

Thanks, blacklist is the first step to know how to block addresses. Now I know I can write a script that makes all letter combinations (with MapAddress [letters].onion) without the ones I want to whitelist, but this will also be inefficient because of the huge file size.



Yes, that would be interesting. I wonder how much space that would take. And you might find some interesting bugs in Tor while trying to parse giant config files. My feeling tells me it will not be feasible using that way, but if you try I would be delighted to learn about your results.

Very interesting! If you get this to work, please educate me.

A long time ago, @HulaHoop and I considered something related: using the iptables string match module to filter ControlPort commands. In short: we agreed and concluded that it is not feasible. References:

Interesting, there might be a way to do this.

Drop all incoming/outgoing traffic. Make an exception for a local-only subnet range say 192.168

Use MapAddress to assign private addresses in the whitelisted range to the Onion Services you want to permit.

Some steps that can help:

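Added example, not part of the thread and not Whonix or Tor project code: one way to turn a whitelist file into the `MapAddress` lines and the default-drop rules described in the post above. It assumes v3 onion addresses, a made-up private range (192.168.77.0/24) and plain INPUT/OUTPUT chains on the restricted machine; the function names are hypothetical, and the sample address is constructed, not a real service.

```python
import base64
import hashlib
import ipaddress

def onion_v3(pubkey: bytes) -> str:
    """Encode a 32-byte key as a v3 onion hostname (used to build sample input)."""
    ver = b"\x03"
    chk = hashlib.sha3_256(b".onion checksum" + pubkey + ver).digest()[:2]
    return base64.b32encode(pubkey + chk + ver).decode().lower() + ".onion"

def is_valid_v3(host: str) -> bool:
    """True if host is a bare v3 onion name with a matching version and checksum."""
    host = host.strip().lower()
    label, _, tld = host.rpartition(".")
    if tld != "onion" or len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # characters outside the base32 alphabet
        return False
    return raw[34:] == b"\x03" and onion_v3(raw[:32]) == host

def build_whitelist(lines, subnet="192.168.77.0/24"):
    """Return (torrc_lines, rejected); subnet is an assumed, otherwise unused range."""
    pool = iter(ipaddress.ip_network(subnet).hosts())
    torrc, rejected, seen = [], [], set()
    for line in lines:
        host = line.split("#", 1)[0].strip().lower()  # allow comments in the file
        if not host or host in seen:
            continue
        if not is_valid_v3(host):
            rejected.append(host)  # report typos instead of mapping them
            continue
        seen.add(host)
        addr = next(pool, None)
        if addr is None:
            raise ValueError("subnet too small for the whitelist")
        torrc.append(f"MapAddress {addr} {host}")
    return torrc, rejected

def firewall_rules(subnet="192.168.77.0/24"):
    """Default-drop policy with one exception for the mapped range (assumed chains)."""
    return ["iptables -P INPUT DROP", "iptables -P OUTPUT DROP",
            f"iptables -A OUTPUT -d {subnet} -j ACCEPT",
            f"iptables -A INPUT -s {subnet} -j ACCEPT"]

if __name__ == "__main__":
    sample = [onion_v3(bytes(range(32))), "not-an-onion.example"]  # constructed input
    torrc, rejected = build_whitelist(sample)
    print("\n".join(torrc + firewall_rules()), "\nrejected:", rejected)
```

With this layout, clients would have to address each permitted service by its mapped IP, and the rule placement would need adapting to the Whonix Firewall's own chains.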

Could Whonix implement 3proxy? It can do much more than what is mentioned in this topic. It supports all types of proxies (http, https, socks4, socks5, …)

whitelist/blacklist using IPs/hostnames, filtering by ports, protocols (http, https, ftp, etc.), filtering by user:password and more

you could specify multiple (wildcard) hostnames, (wildcard) IPs, ports, protocols, users for each rule in a single and short line

Other than these, you could chain all kinds of proxies for each allowed rule/connection, which means as many proxy hops after Tor as you like. It is easy to eliminate DNS leaks and only resolve the hostname at the latest hop of the connection

You could redirect each allowed rule/connection to their own Tor socks port you specified, which could also be set to be randomly chosen from a list of ports you specify for each rule.

I guess you could have multiple Tor Browser or other application instances which could use at least one proxy hop in the end to avoid Cloudflare blocks or for different (anonymity) purposes

Also check: Applications and Stream Isolation - #8 by Patrick

If you are interested I could share some of my simple configurations to literally own the control of all connections

I could imagine multiple 3proxy instances used for different purposes in both gateway and workstation by default and by use case. 3proxy has many more features which could replace and improve existing solutions in Whonix

But all the things above could be done with a single 3proxy instance listening on a single port which I guess should be run in workstation but I’m not sure, I didn’t try 3proxy in Whonix

If this could be done on Whonix, what about Qubes or Qubes-Whonix? Extreme access control or overkill?

Patrick, do you think 3proxy could be considered as an additional firewall for both gateway and workstation considering it can be used to whitelist/blacklist using so many variables? I’m especially wondering if it could help with hardening hidden services.

For this very thread, please let’s discuss 3proxy to the extent of the subject Block all traffic except some hidden addresses.

For other 3proxy discussions, please open a separate thread.

Sure. Might be interesting. Feel free to share in an appropriate thread.

Patrick, 3proxy has a very interesting option to use regex to match or even replace content in the connection. I didn’t use it enough, but unless I’m mistaken it could solve most of the problems that you described in a post above and even enhance data security in ways that are limited only by imagination

There is also a file at the bottom as an example usage.

Actually, there are so many ways to benefit from 3proxy in Whonix; it just needs time to find them all.

For example 3proxy is able to limit bandwidth and/or total traffic size for a port which should help with hardening many things with Tor/Whonix. All at the same time with the blacklist/whitelist/redirecting/chaining and regex match or replace features

Sorry for being off-topic, but some use cases for 3proxy regex include blocking any connection that may include metadata or some kind of identifying information or similar. It would log these in a file which could be a source of information for whonixcheck to regularly check so that it could report Whonix blocked a XXX attempt by XXX

It could modify/delete headers, which could help with modifying/removing identifying information in non-SSL connections made by badly configured applications, or it could even turn non-safe browser headers into Tor Browser-identical ones. It also has an SSL plugin to decrypt traffic, but I’m not sure if that helps us or not

It could limit bandwidth or traffic size for hidden services or applications, and it is also possible to set date or time limits for access