sys-whonix handles packets like any other Linux distribution - using routing tables and iptables. Perhaps you are referring to Tor’s handling of packets instead. Tor receives traffic through the INPUT filter, wraps it up, then sends it out through the OUTPUT filter. So strictly speaking, Tor is not a FORWARDing process.
Forgot about this thread but indeed, I have played around a bit. Since you are a Qubes-Whonix user, I originally wanted to suggest using a proxyVM as a mini-LAN router. While trivial to set up, it has a major flaw. It doesn’t allow IsolateClientAddr to work because all client IPs are MASQUERADEd - so only partial (weak) stream isolation.
To do what you want, you have to modify Whonix-Gateway templateVM (or use a bind dir?) which sometimes runs the risk of leading to future breakage or leaks. If you’re comfortable with that, here are some examples you can add to /usr/bin/whonix_firewall’s IPv4 FORWARD section. Use one of the examples below:
### Enable 2-way inter-VM traffic. All protocols allowed, including ICMP (ping).
$iptables_cmd -I FORWARD 1 -i vif+ -o vif+ -j ACCEPT
### Enable 1-way inter-VM traffic. Limit to specific IPs. TCP only.
$iptables_cmd -I FORWARD 1 -i vif+ -o vif+ -m state --state RELATED,ESTABLISHED -j ACCEPT
$iptables_cmd -I FORWARD 2 -i vif+ -s <source.ip.address> -o vif+ -d <dest.ip.address> -p tcp -j ACCEPT
Also, enable FORWARD filter: [not leak tested with Whonix! Do so at your own risk!]
sudo mv /etc/sysctl.d/ipv4-forward-disable.conf /etc/sysctl.d/ipv4-forward-enable.conf
sudo nano /etc/sysctl.d/ipv4-forward-enable.conf
# Replace '0' with '1'
Reboot.
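The two steps of the post (the one-way TCP FORWARD rules and the sysctl rename/flip) put together as one script, as an added example that is not code from the original post or from the Whonix project. It keeps the post's shape: rules are issued through $iptables_cmd exactly as whonix_firewall does, so setting iptables_cmd=echo gives a dry run that prints the rules instead of installing them. The 10.137.0.x addresses, the exact line format inside ipv4-forward-disable.conf, and the directory argument to the sysctl helper are assumptions made so the script can be exercised without root.

```shell
#!/bin/bash
# Added example, not from Whonix or the original post. Assumptions: the
# sysctl drop-in contains a line of the form "net.ipv4.ip_forward = 0" (or
# "net.ipv4.ip_forward=0"), and 10.137.0.10 / 10.137.0.11 stand in for the
# internal addresses Qubes gives the two AppVMs behind Whonix-Gateway.
set -eu

# whonix_firewall issues every rule via $iptables_cmd. Default to the real
# binary; override with iptables_cmd=echo for a dry run.
iptables_cmd="${iptables_cmd:-iptables}"

# One-way inter-VM traffic, TCP only: new connections are accepted only from
# SRC to DST, while replies for connections already accepted are allowed back.
# Rule 1 must precede rule 2 so that return traffic matches before the
# direction-specific rule is consulted.
forward_oneway_tcp() {
  local src="$1" dst="$2"
  "$iptables_cmd" -I FORWARD 1 -i vif+ -o vif+ \
    -m state --state RELATED,ESTABLISHED -j ACCEPT
  "$iptables_cmd" -I FORWARD 2 -i vif+ -s "$src" -o vif+ -d "$dst" \
    -p tcp -j ACCEPT
}

# Rename the sysctl drop-in and flip ip_forward from 0 to 1, as the post
# describes. Takes the sysctl directory (normally /etc/sysctl.d) as an
# argument so it can be tried on a scratch directory first.
enable_ipv4_forward() {
  local dir="$1"
  local old="$dir/ipv4-forward-disable.conf"
  local new="$dir/ipv4-forward-enable.conf"
  mv "$old" "$new"
  # Only the ip_forward line is touched; other settings in the file survive.
  sed 's/^\(net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\)0/\11/' "$new" \
    > "$new.tmp" && mv "$new.tmp" "$new"
}

# Dry run: show the rules that would be installed, without root.
if [ "${1:-}" = "--dry-run" ]; then
  ( iptables_cmd=echo; forward_oneway_tcp 10.137.0.10 10.137.0.11 )
fi
```

Run with --dry-run to see the two rules printed; to install for real, source the functions from the Whonix-Gateway template as root and call enable_ipv4_forward /etc/sysctl.d followed by a reboot, bearing in mind the post's warning that this has not been leak tested.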