Gateway PREROUTING rules for SOCKS ports may interfere with trans port traffic


ID: 462
PHID: PHID-TASK-76fnafckq22lzsyms2tx
Author: bubblewap
Status at Migration Time: resolved
Priority at Migration Time: Normal


Hello again,

This follows from a discussion in:

The nat PREROUTING rules of Whonix Gateway firewall for all SOCKS ports should probably match on the gateway IP address in addition to the port.

The current rules resolve to (gotten from iptables-save):

PREROUTING -i eth1 -p tcp -m tcp --dport 9189 -j REDIRECT --to-ports 9189

They should probably be:

PREROUTING -i eth1 -d -p tcp -m tcp --dport 9189 -j REDIRECT --to-ports 9189

They can probably be further simplified to:

PREROUTING -i eth1 -d -p tcp -m tcp --dport 9189 -j ACCEPT

(but this is not well tested)

On my system, if the rules do not match on the gateway IP address, the rules interfere with Trans port communication for packets going out (via trans port 9040) with the same destination port as any of the socks ports, effectively blocking them.

Based on the previous discussion, it is not clear that this poses an issue for everyone, or in what cases exactly it applies, but on my system (Whonix 11 dist-upgraded) the problem is always reproducible. Adding a SOCKS port and rules for port 443 using the existing Whonix rules on the gateway results in “curl.anondist-orig” no longer working on the workstation. Adding “-d” works and I believe would be logical to have in any case.

Note the DNS and Trans port PREROUTING rules must remain the way they are; those are OK. It’s only the SOCKS port rules that may have an issue.
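To make the reported failure mode concrete, the following is an added illustration (not part of this report and not Whonix's own firewall code) that models first-match evaluation of the nat PREROUTING chain for TCP packets arriving on eth1. The gateway address, the remote address and the shape of the TransPort catch-all rule are assumptions; the two rule sets mirror the dport-only rules the report quotes and the "-d" variant it proposes.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

GATEWAY_IP = "10.152.152.10"  # assumed gateway address on eth1 (placeholder)
TRANS_PORT = 9040              # Tor Trans port named in the report
SOCKS_PORT = 443               # a SOCKS port added on 443, the case in the report


@dataclass(frozen=True)
class Rule:
    dport: Optional[int]          # --dport; None matches any destination port
    target: str                   # "REDIRECT" or "ACCEPT"
    to_port: Optional[int] = None  # --to-ports for REDIRECT
    dst: Optional[str] = None     # -d; None matches any destination address


def prerouting(rules: List[Rule], dst: str, dport: int) -> Tuple[str, int]:
    """Walk the chain top to bottom; the first matching rule decides.
    Returns (address, port) the packet is actually delivered to."""
    for r in rules:
        if r.dport is not None and r.dport != dport:
            continue
        if r.dst is not None and r.dst != dst:
            continue
        if r.target == "ACCEPT":
            return (dst, dport)            # leave the chain, no translation
        return (GATEWAY_IP, r.to_port)     # REDIRECT delivers to the gateway itself
    return (dst, dport)                    # no rule matched


# Rule set as reported: SOCKS rules match on port only, Trans port catch-all last.
reported = [
    Rule(SOCKS_PORT, "REDIRECT", to_port=SOCKS_PORT),
    Rule(9189, "REDIRECT", to_port=9189),
    Rule(None, "REDIRECT", to_port=TRANS_PORT),
]

# Proposed rule set: SOCKS rules additionally require the gateway address (-d).
proposed = [
    Rule(SOCKS_PORT, "REDIRECT", to_port=SOCKS_PORT, dst=GATEWAY_IP),
    Rule(9189, "REDIRECT", to_port=9189, dst=GATEWAY_IP),
    Rule(None, "REDIRECT", to_port=TRANS_PORT),
]


def where_does_https_go(rules: List[Rule]) -> Tuple[str, int]:
    """Workstation connection to a remote site on port 443 (constructed address)."""
    return prerouting(rules, "203.0.113.7", 443)


def where_does_socks_go(rules: List[Rule]) -> Tuple[str, int]:
    """Workstation connection aimed at the gateway's SOCKS port itself."""
    return prerouting(rules, GATEWAY_IP, SOCKS_PORT)
```

With the reported rules a connection to a remote host on port 443 is redirected to the local SOCKS listener instead of reaching the Trans port, which is the breakage the report describes; with the "-d" match it falls through to port 9040 while traffic aimed at the gateway's SOCKS port is still redirected as intended.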


