How to forbid unencrypted HTTP traffic (port 80) for Whonix Gateway?


I would like to drop/forbid all outgoing HTTP browser traffic (port 80) with some kind of firewall rule in the Whonix Gateway machine. Instead, HTTPS should be used on port 443.

After some research, I have found and edited the whonix-gateway-firewall file in /usr/bin/whonix-gateway-firewall (see github_dot_com/Whonix/whonix-firewall/blob/21b467c/usr/bin/whonix-gateway-firewall#L507-L514):

         ## Catch all remaining TCP and redirect to TransPort.
         ## Only user installed applications not configured to use a SocksPort are affected.
         $iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT_WORKSTATION" # (1) <---

         ## Optionally restrict TransPort.
         ## Replace above rule with a more restrictive one, e.g.:
         #$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p tcp --match multiport --dports 80,443 --syn -j REDIRECT --to-ports "$TRANS_PORT_WORKSTATION" # (2) <---

Here I replaced (1) by (2) and chose --dports 443 as the valid ports.

This works so far, but I guess it now only allows port 443. Is there a way to adjust the rule to state that just port 80 is not allowed?

TIA, yanga

Turns out, it was easier than expected - just append a ! to the match extension.

multiport version:

--match multiport ! --dports 80

or just with tcp:

! --dport 80
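A small verification helper, added here as an example and not part of the Whonix firewall script: it reads an `iptables-save -t nat` dump and confirms that every TCP REDIRECT rule in PREROUTING carries the port-80 negation, in either the tcp-match or the multiport form shown above. The sample dumps, the interface name eth1 and the TransPort number 9040 are constructed placeholders.

```shell
#!/bin/sh
# Added verification helper; not part of the Whonix firewall script.
# Reads an `iptables-save -t nat` dump and checks that every TCP REDIRECT rule
# in PREROUTING excludes destination port 80 via "! --dport 80" (tcp match)
# or "! --dports 80" (multiport match).

# Print only the PREROUTING rules that redirect TCP (to the TransPort).
tcp_redirect_rules() {
    printf '%s\n' "$1" | grep -E '^-A PREROUTING .* -p tcp .* -j REDIRECT'
}

# Return 0 when at least one TCP REDIRECT rule exists and all of them carry the
# port-80 negation; return 1 otherwise (no rule at all, or a catch-all rule).
port80_excluded() {
    rules=$(tcp_redirect_rules "$1") || return 1
    printf '%s\n' "$rules" | grep -v -E '! --dports? 80( |$)' | grep -q . && return 1
    return 0
}

# Constructed sample dumps (interface eth1 and TransPort 9040 are placeholders).
# iptables-save writes "--syn" as "--tcp-flags FIN,SYN,RST,ACK SYN".
CATCHALL_DUMP='*nat
-A PREROUTING -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT'

TCP_NEGATED_DUMP='*nat
-A PREROUTING -i eth1 -p tcp -m tcp ! --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT'

MULTIPORT_NEGATED_DUMP='*nat
-A PREROUTING -i eth1 -p tcp -m multiport ! --dports 80 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT'

# Stand-alone run: report the verdict for each sample dump.
for name in CATCHALL_DUMP TCP_NEGATED_DUMP MULTIPORT_NEGATED_DUMP; do
    eval "dump=\$$name"
    if port80_excluded "$dump"; then
        echo "$name: port 80 excluded from the TransPort redirect"
    else
        echo "$name: port 80 still redirected (or no TCP redirect rule found)"
    fi
done
```

Packets that are no longer redirected are simply routed, so whether they are dropped or rejected is decided by the filter table (FORWARD chain) rather than by this nat rule.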