If in the HOST: iptables -t nat -A PREROUTING ! -i lo -p tcp -j REDIRECT --to-port 1023 not sent packet to vnet2 -- vnet1 (eth0 -- eth1) | tcpdump -i virbr1 (not tcp packet)
Why not isolate the network stack on the host from the guest ? In this
so-called isolated network. How to solve this problem… VBox
everything works without problems.
Whonix KVM uses a “very private” isolated network that cannot communicate with the host. Note that the internal network is called “Whonix” not isolnet.
A valid network definition can contain no IPv4 or IPv6 addresses. Such a definition can be used for a “very private” or “very isolated” network since it will not be possible to communicate with the virtualization host via this network. However, this virtual network interface can be used for communication between virtual guest systems. This works for IPv4 and (Since 1.0.1) IPv6. However, the new ipv6=‘yes’ must be added for guest-to-guest IPv6 communication.
Thank the reply!
Yes I create isolnet network from xml file (download whonix) .
virbr1 Link encap:Ethernet HWaddr
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
virbr1 no ip address/ no default getway
But as you can see not working is the isolation of the network stack. What can be the reason?
I could be missing something but I don’t see what the problem is.
The way libvirt networking works is it creates different network types using the host’s iptables/ebtables. What you are seeing is an isolated virtual bridge that only connects VMs assigned to it together.
No. 1. I need ( host and W-G) routed all tcp traffic ssh (redsocks). I managed to do that.
2. If iptables -t nat -A PREROUTING ! -i lo -p tcp -j REDIRECT --to-port 1023 tcpdump -i virbr1 (not tcp packet)
virbr1 – routed traffic on 1023 port / Workstation no internet =) no sent packets vnet2 – vnet1
VBox work fine
WG - Workstation ( no connect )
I don’t think we have this documented for Whonix KVM.
As per Free Support Principle, I suggest to create a non-Whonix, plain Debian KVM VM first. Then figure out how to connect from the host to a port inside that Debian VM. Then have second plain Debian (non-Whonix) VM connected through an isolated network (similar to the Whonix configuration) to the first Debian VM. Once that all was figured out, you may be capable to add Whonix into the mix. Adding Whonix into the mix from start would make all of this a lot more difficult since you would have multiple sources of issues (not just figuring out how to do this in the first place but also how to do this while not having Whonix stream isolation and Whonix firewall getting into the way).