How do I drop non-Tor traffic in iptables and allow only Whonix-Gateway traffic?

I want to drop all non-Tor traffic in iptables and allow only traffic from the Whonix-Gateway virtual machine on the host. My iptables config:

# Generated by iptables-save v1.8.2 on Sat May 18 15:54:56 2019
*filter
:INPUT DROP [21:3717]
:OUTPUT DROP [166:15284]
-A INPUT -s -d -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner tor -j ACCEPT
COMMIT
# Completed on Sat May 18 15:54:56 2019

When I apply this config, I'm only able to do torified upgrades on the host and use torsocks commands. Whonix-Gateway doesn't have access to the Internet. What am I doing wrong?

I don’t see any rule to exclude VM traffic.

For consideration:

Not an expert on iptables, but it seems your rules exclude everything except localhost. The Gateway “talks” to the external network through a virtual network called “external” or “Whonix-external” depending on your config. Its network by default (with KVM) is You might try to allow that one too and see how it behaves.


I use non-Qubes Whonix inside VirtualBox on Debian. I've set net.ipv4.forwarding=1 in /etc/sysctl.conf. Adding rules such as iptables -t nat -A POSTROUTING -s 10.0.2.15 ! -d -j MASQUERADE and iptables -t nat -A POSTROUTING -s ! -d -j MASQUERADE doesn't help. I've only two network interfaces on the Whonix-Gateway virtual machine: one attached to NAT and one attached to the Whonix internal network.
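As an added example (not code from this thread or from the Whonix project), here is a complete host ruleset that does what the earlier reply suggests and what this post attempts: default-DROP on INPUT, OUTPUT and FORWARD, loopback and established traffic allowed, the Tor daemon's uid as the only host process allowed to originate traffic, and the gateway VM's external network forwarded and masqueraded out of the uplink. VM_NET, WAN_IF and TOR_USER are hypothetical defaults to be replaced with the real network, interface and Tor user; tor_only_ruleset, ruleset_is_sane and apply_ruleset are names chosen here, not Whonix tooling.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Whonix project.
# Builds an iptables-restore ruleset for a host whose only paths to the
# Internet are (a) its own Tor daemon and (b) the Whonix-Gateway VM, whose
# external NIC sits on a host-side virtual network (libvirt's external
# network, or a VirtualBox host-only network) that the host routes and NATs.
# Assumed values, all hypothetical defaults:
#   VM_NET   the network the gateway's external NIC is attached to
#   WAN_IF   the host's uplink interface
#   TOR_USER the uid Tor runs as ("debian-tor" for Debian's tor package)
set -eu

VM_NET="${VM_NET:-10.0.2.0/24}"
WAN_IF="${WAN_IF:-eth0}"
TOR_USER="${TOR_USER:-debian-tor}"

# Print the complete ruleset (nat + filter tables) in iptables-save format.
tor_only_ruleset() {
    vm_net="$1"; wan_if="$2"; tor_user="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# source-NAT the gateway VM's packets as they leave the uplink
-A POSTROUTING -s ${vm_net} -o ${wan_if} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: Tor's SOCKS/control ports, torsocks, apt over Tor
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections the Tor daemon or the VM already opened
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# the only host process allowed to originate traffic is the Tor daemon
-A OUTPUT -m owner --uid-owner ${tor_user} -j ACCEPT
# the gateway VM may originate traffic to the Internet; it torifies it itself
-A FORWARD -s ${vm_net} -o ${wan_if} -j ACCEPT
# everything else falls through to the DROP policies
COMMIT
EOF
}

# Checks worth running before committing: both tables end with COMMIT, and
# no rule has an empty -s or -d (iptables-restore rejects such a line).
ruleset_is_sane() {
    rules="$1"
    [ "$(printf '%s\n' "$rules" | grep -c '^COMMIT$')" -eq 2 ] || return 1
    if printf '%s\n' "$rules" | grep -Eq -- '-(s|d) +-'; then
        return 1
    fi
    return 0
}

# Apply the ruleset (needs root). Forwarding must be enabled for the FORWARD
# and MASQUERADE rules to do anything; the sysctl key is net.ipv4.ip_forward.
apply_ruleset() {
    rules="$(tor_only_ruleset "$VM_NET" "$WAN_IF" "$TOR_USER")"
    ruleset_is_sane "$rules" || { echo "refusing to load ruleset" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1
    printf '%s\n' "$rules" | iptables-restore --test   # parse only, no commit
    printf '%s\n' "$rules" | iptables-restore          # commit atomically
}

# "sh script.sh" prints the ruleset for review; "sh script.sh apply" loads it.
case "${1:-show}" in
    apply) apply_ruleset ;;
    *)     tor_only_ruleset "$VM_NET" "$WAN_IF" "$TOR_USER" ;;
esac
```

One caveat for the VirtualBox setup described in this post: with the "NAT" attachment mode, the NAT is done inside the VirtualBox process, so the VM's packets never traverse the host's FORWARD chain or a POSTROUTING MASQUERADE rule; they leave the host as OUTPUT traffic owned by the user running VirtualBox, and an OUTPUT policy of DROP that only admits the Tor uid cuts that VM off. To use the ruleset above under VirtualBox, attach the gateway's external NIC to a host-only network instead and let the host route and NAT it, which is the network VM_NET stands for.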
