How do I drop non-Tor traffic in iptables and allow only Whonix-Gateway traffic?

I want to drop all non-Tor traffic in iptables and allow only traffic from the Whonix-Gateway virtual machine on the host. My iptables config:

# Generated by iptables-save v1.8.2 on Sat May 18 15:54:56 2019
*filter
:INPUT DROP [21:3717]
:FORWARD DROP [0:0]
:OUTPUT DROP [166:15284]
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -m owner --uid-owner tor -j ACCEPT
COMMIT
# Completed on Sat May 18 15:54:56 2019

When I apply this config, I’m only able to do torified upgrades on the host and use torsocks commands. Whonix-Gateway doesn’t have access to the Internet. What am I doing wrong?

I don’t see any rule to exclude VM traffic.

For consideration:

Not an expert on iptables, but it seems your rules exclude everything except localhost. The Gateway “talks” to the external network through a virtual network called “external” or “Whonix-external” depending on your config. Its network by default (with KVM) is 10.0.2.0/24. You might try to allow that one too and see how it behaves.

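One way to turn the suggestion above into something checkable, as an added example that is not code from any poster in this thread nor from the Whonix project: a script that builds a host ruleset in iptables-save format (default DROP everywhere, loopback, replies to established connections, the Tor daemon by uid, and a FORWARD allowance for the gateway's external network) and an audit function that rejects any ruleset whose OUTPUT chain lets ordinary host processes open connections. The function names `build_ruleset` and `audit_ruleset` are hypothetical, the network 10.0.2.0/24 is the one named in the reply above and is assumed to be routed through the host (as with a KVM NAT network), and the Tor daemon is assumed to run as the user `tor`, as in the original config.

```shell
#!/usr/bin/env bash
# Added example: build and audit a "Tor and gateway VM only" host ruleset.
# Assumptions (not from the thread): the gateway's external network is the
# routed network passed as $1, and the Tor daemon runs as user "tor".

# Print a ruleset in iptables-save format for the given VM network.
build_ruleset() {
  vm_net="$1"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback only, as in the original rules
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections already opened
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# only the Tor daemon may open connections from the host itself
-A OUTPUT -m owner --uid-owner tor -j ACCEPT
# the gateway VM's external network may be forwarded out (assumed routed
# through the host, e.g. a KVM NAT network on ${vm_net})
-A FORWARD -s ${vm_net} -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d ${vm_net} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Read an iptables-save dump on stdin and return 0 only if: all three filter
# chains default to DROP, every ACCEPT in OUTPUT is loopback, Tor-owned or
# established-only, and the VM network has a FORWARD rule.
audit_ruleset() {
  vm_net="$1"
  drops=0
  forward_vm=0
  while IFS= read -r line; do
    case "$line" in
      ':INPUT DROP'*|':FORWARD DROP'*|':OUTPUT DROP'*) drops=$((drops + 1)) ;;
      ':INPUT '*|':FORWARD '*|':OUTPUT '*)
        echo "policy is not DROP: $line" >&2; return 1 ;;
      '-A OUTPUT '*'-j ACCEPT'*)
        case "$line" in
          *' -o lo '*|*'-s 127.0.0.1/32 -d 127.0.0.1/32'*) ;;   # loopback
          *'--uid-owner tor'*) ;;                              # Tor daemon
          *'--ctstate RELATED,ESTABLISHED'*) ;;                # replies only
          *) echo "OUTPUT rule lets any process connect: $line" >&2; return 1 ;;
        esac ;;
      '-A FORWARD -s '"$vm_net"' '*'-j ACCEPT'*) forward_vm=1 ;;
    esac
  done
  [ "$drops" -eq 3 ] || { echo "a built-in chain does not default to DROP" >&2; return 1; }
  [ "$forward_vm" -eq 1 ] || { echo "no FORWARD rule for $vm_net" >&2; return 1; }
  return 0
}

# Usage: generate the ruleset, audit it, then hand it to iptables-restore.
#   build_ruleset 10.0.2.0/24 | audit_ruleset 10.0.2.0/24 && \
#   build_ruleset 10.0.2.0/24 | sudo iptables-restore
```

Run against the ruleset posted in the question, the audit fails only on the last check: the three DROP policies and the OUTPUT rules are fine, but nothing lets the VM network through, which is the gap the reply points at. One caveat for the VirtualBox NAT setup mentioned later in this thread: VirtualBox's NAT engine runs inside the VM process, so the guest's traffic leaves the host as ordinary sockets owned by the user running VirtualBox and never traverses FORWARD; in that configuration the FORWARD rule above does nothing and the relevant match is `-m owner --uid-owner` for that user (or a host-side routed network instead of VirtualBox NAT).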

I use non-Qubes Whonix inside VirtualBox on Debian. I’ve set net.ipv4.forwarding=1 in /etc/sysctl.conf. Adding rules such as iptables -A POSTROUTING -s 10.0.2.15 ! -d 10.0.2.15 -j MASQUERADE and iptables -A POSTROUTING -s 10.152.152.10 ! -d 10.152.152.10 -j MASQUERADE doesn’t help. I’ve only two network interfaces on the Whonix-Gateway virtual machine: 10.0.2.15 attached to NAT and 10.152.152.10 attached to the Whonix internal network.