What happens if an app using the trans port (no proxy support or broken proxy support) needs to access a web server using any of the predefined ports, like http://someserver:9189/index.html?
In this case don’t the REDIRECT rules above cause the request to go to the gateway’s local 9189 tor socks port instead of the tor trans port (9040)? And presumably fail since they expect a socks comm?
How do you work around that case? Try to uwt or proxychains aorund the app and give it its own tor socks port? And what if the wrappers don’t work?
This is semi-hypothetical but I’m curious about those rules. The redirects for 53 and 9040 are a given, but why don’t 9188, 9189, etc. match on the destination IP (-d 10.152.152.10) in addition to the port?
I have a question about the whonix gateway iptables prerouting. It
looks like this: -A PREROUTING -i eth1 -p tcp -m tcp --dport
9186 -j REDIRECT --to-ports 9186 -A PREROUTING -i eth1 -p tcp -m tcp
--dport 9187 -j REDIRECT --to-ports 9187 -A PREROUTING -i eth1 -p tcp
-m tcp --dport 9188 -j REDIRECT --to-ports 9188 -A PREROUTING -i eth1
-p tcp -m tcp --dport 9189 -j REDIRECT --to-ports 9189 -A PREROUTING
-i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5300 -A
PREROUTING -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j
REDIRECT --to-ports 9040
What happens if an app using the trans port (no proxy support or
broken proxy support) needs to access a web server using any of the
predefined ports, like http://someserver:9189/index.html?
In this case don’t the REDIRECT rules above cause the request to go
to the gateway’s local 9189 tor socks port instead of the tor trans
port (9040)? And presumably fail since they expect a socks comm?
How do you work around that case? Try to uwt or proxychains aorund
the app and give it its own tor socks port? And what if the wrappers
don’t work?
It will just work. You’re confusing the levels. http://practically-some-IP:9189/index.html is inside the connection. Not
being touched by iptables. It’s the remote IP/port, not the local one.
In essence with the new rules, the 80 and 443 rules REDIRECT does almost nothing but make an exception to the trans port REDIRECT rule. If you don’t match on the gateway IP (as added above), the rules intercept traffic bound for the trans port on those ports (and sends them to 10.152.152.10:80 and 10.152.152.10:443 instead of 10.152.152.10:9040).
but the result is the same. The ports are accessible as socks ports when added in Iceweasel (SOCKS5 10.152.152.152:443), but trans port (no proxy) doesn’t work.
I was not aware of socks ports able to double as trans ports. Can they do that? Any extra configuration needed other than the above?
Accessing a port on the gateway is different from accessing a remote port. Using Whonix-Gateway as a gateway won’t trigger these redirection rules. The workstation asks the gateway to forward the request. Not to access a specific port on the gateway.
Just now tested this. Added redirection for port 80 and 443. But did not add new Tor SocksPorts. Then used the non-uwt wrapped (!) version of curl and was still able to access 80/443 on remote web servers.
Thanks, but I did everything listed in those two commits and I had already added the filter rule. I could contact the socks port just fine with socks-aware app.
I’m afraid I don’t see how it could work on your end.
Let’s take the simplest case you just stated again.
Here is the output that I get with orig curl with default Whonix Gateway and Workstation, on Workstation:
user@host:~$ sudo /usr/bin/curl.anondist-orig https://www.whonix.org -q -o /dev/null -w "HTTP CODE: %{http_code}\n"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 57208 0 57208 0 0 28787 0 --:--:-- 0:00:01 --:--:-- 28776
HTTP CODE: 200
Looks good.
Now I go to the Gateway and add a redirect rule on the fly:
Then back on Worktation, run same command as before:
user@host:~$ sudo /usr/bin/curl.anondist-orig https://www.whonix.org -q -o /dev/null -w "HTTP CODE: %{http_code}\n"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:02:06 --:--:-- 0HTTP CODE: 000
curl: (7) Failed to connect to www.whonix.org port 443: Connection timed out
If you have something simpler in mind, please write a pull request.
I was wondering about refactoring the firewall anyhow. Too many separate
socks ports firewall rules now. Either looping through all of them. Or
relaxing the firewall. There is probably no point in keeping all ports
on the internet interface (eth1) closed but to open the ones where Tor
or cpfpy is listening. Perhaps it would be simple to keep gateway eth1
completely reachable from the workstation.
Without blocking all incoming ports by default on eth1, Tor should be
directly reachable. I mean, there should be no need for any iptables
accept or redirect rules.
Before I do more extensive changes, I need to setup a corridor proxy for
better leak detection. Perhaps package corridor. I don’t know yet when I
get to this.
Well, when I run firewall unload on the Gateway and try to reach a site over trans port on the Workstation, it doesn’t work. On the config I have in front of me, the trans port functionality clearly depends on the rule:
And afaik PREROUTING nat rules will preempt everything else the gateway does, so these rules would probably take priority regardless (unless there was more tunneling I’m not aware of being done on the Workstation side, but not on my system…).
I guess the only real suggestion I make is to add “-d 10.152.152.10” to the SOCKS PREROUTING rules. But afterward they can probably simplify (but doesn’t change anything more) to:
I wrote it with the presumption that regardless of whether it affects Whonix 12 and everyone or just me for some reason, the suggested change would be logical to have.