Gateway iptables rules for Tor and secure IP allocation via DHCP router

Hi,

I would like to configure a basic Debian Wheezy amd64 as a whonix gateway and router for the local network.

  1. Would like the firewall rules (iptables or whatever) as well as the necessary packages to install in order to Torify everything via Tor transparent proxy including DNS so it will be anonymous and also allow hosts to resolve .onion addresses. This should also drop / reject everything non-tcp such as icmp or udp.

  2. since this machine will act as a router also, I would like to have some kind of secure IP allocation (DHCP). The first idea was based on MAC address, but since a MAC address can be spoofed is it better to use switch ports? The goal is to identify each host in the subnet via something and only assign a certain IP address to it, which cannot be changed without the router’s express acceptance.

Last but not least, would like to make all the hosts in the subnet not able to talk to each other and only be able to talk to the router. Let’s assume for simplicity that the router/gateway has the IP 10.0.8.1 and the other hosts in the subnet are 10.0.8.2 and 10.0.8.3 and 10.0.8.4
I want 10.0.8.1 to be able to talk to all the hosts (1)
all the hosts to be able to talk to 10.0.8.1 (2)
all the hosts NOT to be able to talk to each other, except 10.0.8.1 (e.g. 10.0.8.2 -> 10.0.8.4).

Since we talk about hosts on the same subnet, these packets do not go via the router/gateway so not sure if I can filter them there. How can this be accomplished?

Hard questions…

> I would like to configure a basic Debian Wheezy amd64 as a whonix gateway and router for the local network.
Use the amd64 build parameter in build documentation (chapter: 64bit Builds).
> 1. Would like the firewall rules (iptables or whatever) as well as the necessary packages to install in order to Torify everything via Tor transparent proxy including DNS so it will be anonymous and also allow hosts to resolve .onion addresses. This should also drop / reject everything non-tcp such as icmp or udp.
Package: whonix-gw-firewall https://github.com/Whonix/whonix-gw-firewall

It’s currently loaded by the whonix-gw-network-conf package. (GitHub - Whonix/whonix-gw-network-conf)
File: https://github.com/Whonix/whonix-gw-network-conf/blob/master/etc/network/interfaces.whonix
Using “pre-up”.
Once based on jessie, the whonix-gw-firewall package can and will be made more independent. I.e. once jessie, we can use the /etc/network/if-pre-up.d/ hook mechanism:
https://phabricator.whonix.org/T68

I also advise looking through this page:

~110 packages on 5 pages with very short and concise summaries. You can get an overview what Whonix is doing there and pick and choose from there.

> 2. since this machine will act as a router also, I would like to have some kind of secure IP allocation (DHCP).
Latest considerations on DHCP: https://www.whonix.org/wiki/Dev/DHCP

Main TODO for now:

Help welcome.

> The first idea was based on MAC address, but since a MAC address can be spoofed is it better to use switch ports? The goal is to identify each host in the subnet via something and only assign a certain IP address to it, which cannot be changed without the router's express acceptance.
No finished solution for that either.

For basic approaches, see:

I think ARP spoofing defense as mentioned on that wiki page is the most lucrative.

> Last but not least, would like to make all the hosts in the subnet not able to talk to each other and only be able to talk to the router. Let's assume for simplicity that the router/gateway has the IP 10.0.8.1 and the other hosts in the subnet are 10.0.8.2 and 10.0.8.3 and 10.0.8.4
> I want 10.0.8.1 to be able to talk to all the hosts (1)
> all the hosts to be able to talk to 10.0.8.1 (2)
> all the hosts NOT to be able to talk to each other, except 10.0.8.1 (e.g. 10.0.8.2 -> 10.0.8.4).

> Since we talk about hosts on the same subnet, these packets do not go via the router/gateway so not sure if I can filter them there. How can this be accomplished?

Dunno. I advise wiping “Whonix” from your question. Then make up a question for a simpler, similar environment that does not include Tor-anything. And ask in more specialized places.

Needless to say, if you figure out something, please report back. Contributions welcome!