I want to drop all non-Tor traffic in iptables and allow only traffic from Whonix-Gateway virtual machine on the host. My iptables config:
# Generated by iptables-save v1.8.2 on Sat May 18 15:54:56 2019
*filter
# Default policy: drop everything in all three chains
:INPUT DROP [21:3717]
:FORWARD DROP [0:0]
:OUTPUT DROP [166:15284]
# Loopback (only the 127.0.0.1 address, not the whole 127.0.0.0/8)
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
# Replies to connections already allowed out
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
# Only the local tor daemon's own packets may leave the host
-A OUTPUT -m owner --uid-owner tor -j ACCEPT
COMMIT
# Completed on Sat May 18 15:54:56 2019
When I apply this config, I’m only able to do torified upgrades on the host and use torsocks commands. Whonix-Gateway doesn’t have access to the Internet. What am I doing wrong?
Not an expert on iptables, but it seems your rules exclude everything except localhost. The Gateway “talks” to the external network through a virtual network called “external” or “Whonix-external” depending on your config. Its network by default (with KVM) is 10.0.2.0/24. You might try to allow that one too and see how it behaves.
I use non-Qubes Whonix inside VirtualBox on Debian. I’ve set net.ipv4.forwarding=1 in /etc/sysctl.conf. Adding rules such as iptables -A POSTROUTING -s 10.0.2.15 ! -d 10.0.2.15 -j MASQUERADE and iptables -A POSTROUTING -s 10.152.152.10 ! -d 10.152.152.10 -j MASQUERADE doesn’t help. I have only two network interfaces on the Whonix-Gateway virtual machine: 10.0.2.15 attached to NAT and 10.152.152.10 attached to the Whonix internal network.
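Picking up the reply's suggestion to allow the Gateway's external network as well, and the follow-up's forwarding/MASQUERADE attempt, here is an added example (my own, not from the thread and not Whonix project code) that generates a complete iptables-restore ruleset extending the one in the question. It assumes names that do not appear in the thread: eth0 as the host uplink, vboxnet0 as a VirtualBox host-only adapter, and a dedicated local user vbox that runs VirtualBox; 10.0.2.0/24 is kept as the Gateway's external subnet because that is what the thread shows (with a host-only adapter it would be whatever subnet that adapter uses). The two modes reflect where the Gateway's packets actually enter the host's netfilter: on a host-only adapter they are routed by the host and cross FORWARD, so MASQUERADE and ip_forward matter; in VirtualBox's own "NAT" attachment the NAT engine lives inside the VirtualBox process, so on the host the packets are locally generated by that process's uid, traverse OUTPUT rather than FORWARD, and are dropped by the question's OUTPUT DROP policy no matter what FORWARD or nat rules exist.

```shell
#!/bin/sh
# Added example, not from the thread or from Whonix. Generates an
# iptables-restore ruleset that keeps the question's "tor uid only" OUTPUT
# policy and additionally lets the Whonix-Gateway's external side reach the
# uplink. Assumed names (change to match your host):
UPLINK_IF="${UPLINK_IF:-eth0}"               # host's Internet-facing interface
VBOX_HOSTONLY_IF="${VBOX_HOSTONLY_IF:-vboxnet0}" # host-only adapter (hostonly mode)
GW_EXT_NET="${GW_EXT_NET:-10.0.2.0/24}"      # Gateway's external subnet
VBOX_USER="${VBOX_USER:-vbox}"               # dedicated uid running VirtualBox (nat mode)

# build_ruleset MODE  -> prints a complete ruleset on stdout
#   hostonly: Gateway external NIC on a host-only adapter; the host routes it,
#             so packets cross FORWARD and need nat/POSTROUTING MASQUERADE
#             (and net.ipv4.ip_forward=1).
#   nat:      Gateway external NIC in VirtualBox "NAT" mode; the VM process
#             itself emits the packets, so they hit OUTPUT as $VBOX_USER and
#             never FORWARD. MASQUERADE rules do nothing for them.
build_ruleset() {
  mode="${1:-hostonly}"
  case "$mode" in hostonly|nat) ;; *) echo "unknown mode: $mode" >&2; return 1 ;; esac
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
EOF
  if [ "$mode" = hostonly ]; then
    # Source-NAT the Gateway's subnet onto the uplink address
    printf -- '-A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$GW_EXT_NET" "$UPLINK_IF"
  fi
  cat <<EOF
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner tor -j ACCEPT
EOF
  if [ "$mode" = hostonly ]; then
    # Only the Gateway's subnet may be forwarded out; replies come back in
    printf -- '-A FORWARD -i %s -o %s -s %s -j ACCEPT\n' "$VBOX_HOSTONLY_IF" "$UPLINK_IF" "$GW_EXT_NET"
    printf -- '-A FORWARD -i %s -o %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' "$UPLINK_IF" "$VBOX_HOSTONLY_IF"
  else
    # Everything this uid sends leaves un-torified: nothing but VirtualBox
    # should run as it.
    printf -- '-A OUTPUT -o %s -m owner --uid-owner %s -j ACCEPT\n' "$UPLINK_IF" "$VBOX_USER"
  fi
  echo COMMIT
}

# Parse-check the generated ruleset without committing it (needs root).
check_ruleset() {
  build_ruleset "$1" | iptables-restore --test
}

case "${1:-}" in
  print) build_ruleset "${2:-hostonly}" ;;
  check) check_ruleset "${2:-hostonly}" ;;
  apply) build_ruleset "${2:-hostonly}" | iptables-restore ;;
esac
```

`sh rules.sh print hostonly` shows the ruleset, `check` runs it through `iptables-restore --test` as root, and `apply` loads it. The host-only mode is the tighter choice: the allow is scoped to the Gateway's subnet and nothing else on the host gains a path around Tor, whereas in NAT mode the owner rule necessarily opens the uplink to an entire uid.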