I would like to drop/forbid all outgoing HTTP browser traffic (port 80) with some kind of firewall rule in the Whonix Gateway machine. Instead HTTPS should be used on port 443.
After some research, I have found and edited the whonix-gateway-firewall file in
/usr/bin/whonix-gateway-firewall (see github_dot_com/Whonix/whonix-firewall/blob/21b467c/usr/bin/whonix-gateway-firewall#L507-L514):
    if [ "$WORKSTATION_TRANSPARENT_TCP" = "1" ]; then
       ## Catch all remaining TCP and redirect to TransPort.
       ## Only user installed applications not configured to use a SocksPort are affected.
       $iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT_WORKSTATION" # (1) <---

       ## Optionally restrict TransPort.
       ## Replace above rule with a more restrictive one, e.g.:
       #$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p tcp --match multiport --dports 80,443 --syn -j REDIRECT --to-ports "$TRANS_PORT_WORKSTATION" # (2) <---
    fi

Here I replaced (1) with (2) and chose --dports 443 as the allowed port.
This works so far, but I guess it now only allows port 443. Is there a way to adjust the rule so that just port 80 is not allowed?
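As an added example (not from the post above or from the Whonix project), the same TransPort redirect written as a deny-list rather than an allow-list: iptables' `!` negation on `--dport` redirects every TCP port except 80, and a separate filter-table rule rejects port 80 cleanly. Variable names follow the whonix-gateway-firewall snippet; `eth1`, TransPort `9040` and a default-drop FORWARD policy are assumptions, and `iptables_cmd` defaults to `echo` so the script only prints the rules (dry run) unless you set it to the real binary.

```shell
#!/bin/sh
# Added example, not part of whonix-gateway-firewall. Dry run by default:
# iptables_cmd=/sbin/iptables ./transport-deny-list.sh   -> loads the rules
iptables_cmd="${iptables_cmd:-echo}"
int_if_item="${int_if_item:-eth1}"                        # assumed internal interface
TRANS_PORT_WORKSTATION="${TRANS_PORT_WORKSTATION:-9040}"  # assumed TransPort
BLOCKED_TCP_PORT=80

## Catch all remaining TCP *except* the blocked port and redirect to TransPort.
## "! --dport 80" inverts the match, so the rule stays open for every other port
## instead of allow-listing 443 only.
redirect_all_but_blocked() {
    $iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p tcp \
        ! --dport "$BLOCKED_TCP_PORT" --syn \
        -j REDIRECT --to-ports "$TRANS_PORT_WORKSTATION"
}

## The nat PREROUTING chain only sees the first packet of a connection, so the
## block itself belongs in the filter table. A port-80 SYN that is not redirected
## is routed towards the external interface and hits FORWARD; reject it with a
## TCP reset so the workstation fails fast instead of hanging until timeout.
## (assumption: Whonix's FORWARD policy already drops anything not redirected)
reject_blocked_port() {
    $iptables_cmd -t filter -A FORWARD -i "$int_if_item" -p tcp \
        --dport "$BLOCKED_TCP_PORT" -j REJECT --reject-with tcp-reset
}

apply_rules() {
    reject_blocked_port
    redirect_all_but_blocked
}

# Only run when executed directly, not when sourced for inspection.
[ "${0##*/}" = "transport-deny-list.sh" ] && apply_rules
```

Run the script unchanged first: the printed rules are exactly what would be appended, which makes the negated match easy to review before touching the live gateway firewall.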