Torifying a Linux Container with Whonix Gateway Firewall Rules

I want to isolate my hidden service application in an unprivileged LXC, which is available in the latest Ubuntu 14.04. I don’t know much about iptables, so I looked at the Whonix Gateway iptables rules, changing eth1 to lxcbr0. I think it’s still too restrictive. I don’t need the host OS to be a Whonix Gateway per se. I don’t need host OS connections to be torified. My intention is that an attacker inside the LXC can’t determine the IP address by curl’ing, wget’ing or phoning home to his server. If he “breaks out” of the LXC then there are many ways to obtain the IP address and torification of the host OS is useless. Could someone help me refine these iptables rules to allow the host OS to run normally but torify all connections coming from lxcbr0 (the LXC virtual bridge adapter)? Here’s what I have so far. Thanks in advance.

# External interface
EXT_IF="eth0"

# Internal interface
INT_IF="lxcbr0"

# Internal "tunnel" interface, usually the same as
# the Internal interface unless using vpn tunnels
# between workstations and gateway
INT_TIF="lxcbr0"

# Destinations you do not want routed through Tor
NON_TOR_WHONIXG="192.168.1.0/24 192.168.0.0/24 127.0.0.0/8"

# Transparent Proxy Port
TRANS_PORT_WHONIXW="9040"

# DNSPort
DNS_PORT_WHONIXW="53"

###########################
# IPv4 DEFAULTS
###########################

# Set secure defaults.
iptables -P INPUT DROP ##### This rule kills my ssh connection too.

# FORWARD rules do not actually do anything if forwarding is disabled. Better be safe just in case.
iptables -P FORWARD DROP

# Only the Tor process is allowed to establish outgoing connections.
iptables -P OUTPUT DROP

###########################
# IPv4 PREPARATIONS
###########################

# Flush old rules.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

############################
# IPv4 DROP INVALID PACKETS
############################

# DROP INVALID
iptables -A INPUT -m state --state INVALID -j DROP

# DROP INVALID SYN PACKETS
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
iptables -A INPUT -f -j DROP

# DROP INCOMING MALFORMED XMAS PACKETS
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# DROP INCOMING MALFORMED NULL PACKETS
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

###########################
# IPv4 INPUT
###########################

# Traffic on the loopback interface is accepted.
iptables -A INPUT -i lo -j ACCEPT

# Established incoming connections are accepted.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow incoming SSH connections on the external interface.
iptables -A INPUT -i "$EXT_IF" -p tcp --dport 22 -j ACCEPT

# Allow DNS traffic to DNSPort.
iptables -A INPUT -i "$INT_TIF" -p udp --dport 53 -j ACCEPT

# Allow TCP traffic to TransPort.
iptables -A INPUT -i "$INT_IF" -p tcp --dport "$TRANS_PORT_WHONIXW" -j ACCEPT

# Redirect remaining DNS traffic to DNSPort.
iptables -t nat -A PREROUTING -i "$INT_IF" -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT_WHONIXW"

# Catch all remaining TCP and redirect to TransPort.
iptables -t nat -A PREROUTING -i "$INT_IF" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT_WHONIXW"

# Reject anything not explicitly allowed above.
iptables -A INPUT -j DROP

###########################
# IPv4 FORWARD
###########################

# Reject everything.
iptables -A FORWARD -j REJECT --reject-with icmp-admin-prohibited

###########################
# IPv6
###########################

# Policy DROP for all traffic as fallback.
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

# Flush old rules.
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X

# Allow unlimited access on loopback.
# Not activated, since we do not need it.
#ip6tables -A INPUT -i lo -j ACCEPT
#ip6tables -A OUTPUT -o lo -j ACCEPT

# Drop/reject all other traffic.
ip6tables -A INPUT -j DROP

# --reject-with icmp-admin-prohibited not supported by ip6tables
ip6tables -A OUTPUT -j REJECT

# --reject-with icmp-admin-prohibited not supported by ip6tables
ip6tables -A FORWARD -j REJECT

###########################
# End
###########################

I should add that my torrc running on the host OS is configured like this.

VirtualAddrNetworkIPv4 10.192.0.0/10
AutoMapHostsOnResolve 1
TransPort 9040
DNSPort 53

Also, the lxcbr0 gateway is 10.0.3.1 and all Linux containers are given IP addresses in the 10.0.3.0/24 space.

I was told that this might work but haven’t tried it yet.

#!/bin/sh
# First and second range should be changed based on actual external network
NON_TOR="192.168.1.0/24 10.0.2.0/24 10.0.3.0/24"
TOR_UID="x"        # numeric uid of the user the tor process runs as
TRANS_PORT="9040"
INT_IF="lxcbr0"
iptables -F
iptables -t nat -F
# Host-originated traffic (nat OUTPUT): loopback, the tor process itself and the
# non-Tor networks are left alone; DNS and every new TCP connection go into Tor.
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
for NET in $NON_TOR; do
    iptables -t nat -A OUTPUT -d $NET -j RETURN
    iptables -t nat -A PREROUTING -i $INT_IF -d $NET -j RETURN
done
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
# Container traffic arriving on lxcbr0 (nat PREROUTING): same treatment.
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
# Filter OUTPUT: only established traffic, the non-Tor networks and the tor
# process may leave the host; everything else is rejected.
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
for NET in $NON_TOR 127.0.0.0/8; do
    iptables -A OUTPUT -d $NET -j ACCEPT
done
iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
iptables -A OUTPUT -j REJECT
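The script below is an added example written for this thread; it is not code from the original post, from Whonix or from the person who suggested the second script. It does only what the question asks for: traffic arriving on lxcbr0 is transparently torified, the host's own INPUT and OUTPUT chains are left alone (SSH keeps working), and FORWARD is closed for the container interface so that UDP and ICMP, which REDIRECT never touches, cannot be routed out and MASQUERADEd with the real address. Assumptions: containers live in 10.0.3.0/24, the host side of the bridge is 10.0.3.1, and Tor on the host listens on 10.0.3.1:9040 (TransPort) and 10.0.3.1:53 (DNSPort). The chain names LXC_TOR, LXC_TOR_IN and LXC_TOR_FWD are arbitrary.

```shell
#!/bin/sh
# Added example (not the original poster's rules): torify only what arrives on
# lxcbr0 and leave the host's own INPUT/OUTPUT chains alone.
# Assumed layout: containers in 10.0.3.0/24, bridge address 10.0.3.1, Tor on the
# host with "TransPort 10.0.3.1:9040" and "DNSPort 10.0.3.1:53".
# Usage: "sh torify-lxc.sh apply" as root applies the rules; with IPT=echo and
# IP6T=echo the rules are printed instead of applied (dry run).

IPT="${IPT:-iptables}"
IP6T="${IP6T:-ip6tables}"
INT_IF="${INT_IF:-lxcbr0}"
LXC_NET="${LXC_NET:-10.0.3.0/24}"
GW_IP="${GW_IP:-10.0.3.1}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-53}"

torify_lxc_rules() {
    # Own chains, so re-running flushes only these rules and nothing else the
    # host has (e.g. the rules lxc-net installs for the bridge).
    for c in LXC_TOR_IN LXC_TOR_FWD; do
        $IPT -N "$c" 2>/dev/null || $IPT -F "$c"
    done
    $IPT -t nat -N LXC_TOR 2>/dev/null || $IPT -t nat -F LXC_TOR

    # nat: containers may talk to the bridge address itself (Tor's ports);
    # DNS goes to DNSPort, every new TCP connection to TransPort.
    $IPT -t nat -A LXC_TOR -d "$GW_IP" -j RETURN
    $IPT -t nat -A LXC_TOR -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
    $IPT -t nat -A LXC_TOR -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"

    # INPUT from the bridge: only Tor's two ports, plus replies to connections
    # the host opened (Tor reaching the hidden-service backend in a container).
    $IPT -A LXC_TOR_IN -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A LXC_TOR_IN -p udp --dport "$DNS_PORT" -j ACCEPT
    $IPT -A LXC_TOR_IN -p tcp --dport "$TRANS_PORT" -j ACCEPT
    $IPT -A LXC_TOR_IN -j DROP

    # FORWARD: nothing from or to the containers is routed. Without this, UDP
    # and ICMP bypass the REDIRECT rules and leave with the host's address.
    $IPT -A LXC_TOR_FWD -j REJECT --reject-with icmp-admin-prohibited

    # Hook the chains in for the container interface only. Old hooks are
    # deleted first so re-running does not stack duplicates.
    $IPT -t nat -D PREROUTING -i "$INT_IF" -s "$LXC_NET" -j LXC_TOR 2>/dev/null || :
    $IPT -t nat -I PREROUTING 1 -i "$INT_IF" -s "$LXC_NET" -j LXC_TOR
    $IPT -D INPUT -i "$INT_IF" -j LXC_TOR_IN 2>/dev/null || :
    $IPT -I INPUT 1 -i "$INT_IF" -j LXC_TOR_IN
    for dir in -i -o; do
        $IPT -D FORWARD "$dir" "$INT_IF" -j LXC_TOR_FWD 2>/dev/null || :
        $IPT -I FORWARD 1 "$dir" "$INT_IF" -j LXC_TOR_FWD
    done

    # No IPv6 from the containers at all: TransPort does not carry it, and an
    # IPv6 route would bypass everything above.
    $IP6T -D INPUT -i "$INT_IF" -j DROP 2>/dev/null || :
    $IP6T -I INPUT 1 -i "$INT_IF" -j DROP
    $IP6T -D FORWARD -i "$INT_IF" -j DROP 2>/dev/null || :
    $IP6T -I FORWARD 1 -i "$INT_IF" -j DROP
}

if [ "${1:-}" = "apply" ]; then
    torify_lxc_rules
fi
```

Two things to keep in mind when using it. REDIRECT rewrites the destination to the primary address of the interface the packet came in on, here 10.0.3.1, so Tor has to listen there: a bare `TransPort 9040` / `DNSPort 53` binds only 127.0.0.1 and the redirected connections would be refused. And the host is deliberately not torified, exactly as the question asks; if that is ever wanted, the second script in the post shows the `-m owner --uid-owner` pattern for the host's own OUTPUT chain.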

This question is as difficult as “can you port Whonix to KVM?” Big effort.

Unfortunately our old leak testing thread for Whonix/KVM was lost together with our old AWCforum; it would have given an idea how much is involved.

Some comments:

Eventually someone on the tor-talk mailing list will have something to contribute.

Looks to me like this one will require someone to do the hard work of original research.
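Since the reply above points at leak testing as the missing piece, here is an added example of the static half of such a test; it is not from the original thread or from Whonix. It reads `iptables-save` output and checks the three things the rulesets in this thread get right or wrong for a torified container interface: new TCP from the interface is redirected to TransPort, DNS is redirected to DNSPort, and FORWARD is closed for the interface. The two dumps are constructed for the example: the first resembles what the second script in the question leaves behind together with the MASQUERADE rule the stock lxc-net setup installs for 10.0.3.0/24 (FORWARD untouched), the second uses dedicated chains with FORWARD rejected. A clean result here is a sanity check only, not a substitute for actually trying to reach the outside from inside a container.

```shell
#!/bin/sh
# Added example, not from the original thread: static leak audit of an
# iptables-save dump for a torified container interface (IPv4 only).
# The dumps at the bottom are constructed, not captured from a real host.

# audit_lxc_leaks IFACE NET  < iptables-save output
# Prints findings; returns the number of problems found (0 = nothing obvious).
audit_lxc_leaks() {
    iface="$1"; net="$2"; problems=0
    dump=$(cat)
    nat=$(printf '%s\n' "$dump" | sed -n '/^\*nat$/,/^COMMIT$/p')
    filter=$(printf '%s\n' "$dump" | sed -n '/^\*filter$/,/^COMMIT$/p')

    # nat rules a packet arriving on IFACE can hit: PREROUTING entries for the
    # interface plus the user chains they jump to (one level deep).
    pre=$(printf '%s\n' "$nat" | grep -- "^-A PREROUTING .*-i $iface " || true)
    for chain in $(printf '%s\n' "$pre" | sed -n 's/.*-j \([A-Za-z0-9_]*\)$/\1/p'); do
        pre="$pre
$(printf '%s\n' "$nat" | grep -- "^-A $chain " || true)"
    done
    printf '%s\n' "$pre" | grep -q -- '-p tcp .*-j REDIRECT' \
        || { echo "LEAK: TCP from $iface is not redirected to TransPort"; problems=$((problems + 1)); }
    printf '%s\n' "$pre" | grep -q -- '-p udp .*--dport 53 .*-j REDIRECT' \
        || { echo "LEAK: DNS from $iface is not redirected to DNSPort"; problems=$((problems + 1)); }

    # FORWARD must be closed for IFACE: a DROP policy, a DROP/REJECT rule, or a
    # jump to a user chain that DROPs/REJECTs.
    fwd_closed=0
    printf '%s\n' "$filter" | grep -q '^:FORWARD DROP' && fwd_closed=1
    for target in $(printf '%s\n' "$filter" | sed -n "s/^-A FORWARD .*-i $iface .*-j \([A-Za-z0-9_]*\).*/\1/p"); do
        case "$target" in
            DROP|REJECT) fwd_closed=1 ;;
            ACCEPT) ;;
            *) printf '%s\n' "$filter" | grep -qE -- "^-A $target .*-j (DROP|REJECT)" && fwd_closed=1 ;;
        esac
    done
    if [ "$fwd_closed" -eq 0 ]; then
        echo "LEAK: FORWARD is open for $iface (UDP/ICMP bypass the REDIRECT rules)"
        printf '%s\n' "$nat" | grep -q -- "^-A POSTROUTING -s $net .*-j MASQUERADE" \
            && echo "      and $net is MASQUERADEd: that traffic leaves with the real address"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed dump A: per-interface REDIRECTs as in the thread's second script,
# FORWARD left alone, plus the MASQUERADE lxc-net sets up for the bridge.
LEAKY_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 10.0.3.0/24 -i lxcbr0 -j RETURN
-A PREROUTING -i lxcbr0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i lxcbr0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed dump B: dedicated chains, FORWARD rejected for the interface.
CLEAN_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LXC_TOR - [0:0]
-A PREROUTING -s 10.0.3.0/24 -i lxcbr0 -j LXC_TOR
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
-A LXC_TOR -d 10.0.3.1/32 -j RETURN
-A LXC_TOR -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A LXC_TOR -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LXC_TOR_FWD - [0:0]
-A FORWARD -i lxcbr0 -j LXC_TOR_FWD
-A LXC_TOR_FWD -j REJECT --reject-with icmp-admin-prohibited
COMMIT'

echo "== constructed ruleset A =="
printf '%s\n' "$LEAKY_DUMP" | audit_lxc_leaks lxcbr0 10.0.3.0/24 || echo "   $? problem(s)"
echo "== constructed ruleset B =="
printf '%s\n' "$CLEAN_DUMP" | audit_lxc_leaks lxcbr0 10.0.3.0/24 && echo "   no obvious leak path"
```

On a real host run it as `iptables-save | sh audit.sh`-style by sourcing the file and piping the dump into `audit_lxc_leaks lxcbr0 10.0.3.0/24`; repeat the idea with `ip6tables-save` if the host has IPv6, since an open IPv6 path bypasses all of the IPv4 rules.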