I want to isolate my hidden service application in an unprivileged LXC, which is available in the latest Ubuntu 14.04. I don’t know much about iptables, so I looked at the Whonix Gateway iptables rules, changing eth1 to lxcbr0. I think it’s still too restrictive. I don’t need the host OS to be a Whonix Gateway per se. I don’t need host OS connections to be torified. My intention is that an attacker inside the LXC can’t determine the IP address by curl’ing, wget’ing or phoning home to his server. If he “breaks out” of the LXC then there are many ways to obtain the IP address and torification of the host OS is useless. Could someone help me refine these iptables rules to allow the host OS to run normally but torify all connections coming from lxcbr0 (the LXC virtual bridge adapter)? Here’s what I have so far. Thanks in advance.
# External interface
EXT_IF="eth0"
# Internal interface
INT_IF="lxcbr0"
# Internal "tunnel" interface, usually the same as
# the Internal interface unless using vpn tunnels
# between workstations and gateway
INT_TIF="lxcbr0"
# Destinations you do not want routed through Tor
NON_TOR_WHONIXG="192.168.1.0/24 192.168.0.0/24 127.0.0.0/8"
# Transparent Proxy Port
TRANS_PORT_WHONIXW="9040"
# DNSPort
DNS_PORT_WHONIXW="53"
###########################
# IPv4 DEFAULTS
###########################
# Set secure defaults.
iptables -P INPUT DROP ##### This rule kills my ssh connection too.
# FORWARD rules do not actually do anything if forwarding is disabled. Better be safe just in case.
iptables -P FORWARD DROP
# Only the Tor process is allowed to establish outgoing connections.
iptables -P OUTPUT DROP
###########################
# IPv4 PREPARATIONS
###########################
# Flush old rules.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
############################
# IPv4 DROP INVALID PACKAGES
############################
# DROP INVALID
iptables -A INPUT -m state --state INVALID -j DROP
# DROP INVALID SYN PACKETS
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
iptables -A INPUT -f -j DROP
# DROP INCOMING MALFORMED XMAS PACKETS
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# DROP INCOMING MALFORMED NULL PACKETS
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
###########################
# IPv4 INPUT
###########################
# Traffic on the loopback interface is accepted.
iptables -A INPUT -i lo -j ACCEPT
# Established incoming connections are accepted.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow incoming SSH connections on the external interface.
iptables -A INPUT -i "$EXT_IF" -p tcp --dport 22 -j ACCEPT
# Allow DNS traffic to DNSPort.
iptables -A INPUT -i "$INT_TIF" -p udp --dport 53 -j ACCEPT
# Allow TCP traffic to TransPort.
iptables -A INPUT -i "$INT_IF" -p tcp --dport "$TRANS_PORT_WHONIXW" -j ACCEPT
# Redirect remaining DNS traffic to DNSPort.
iptables -t nat -A PREROUTING -i "$INT_IF" -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT_WHONIXW"
# Catch all remaining TCP and redirect to TransPort.
iptables -t nat -A PREROUTING -i "$INT_IF" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT_WHONIXW"
# Reject anything not explicitly allowed above.
iptables -A INPUT -j DROP
###########################
# IPv4 FORWARD
###########################
# Reject everything.
iptables -A FORWARD -j REJECT --reject-with icmp-admin-prohibited
###########################
# IPv6
###########################
# Policy DROP for all traffic as fallback.
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# Flush old rules.
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X
# Allow unlimited access on loopback.
# Not activated, since we do not need it.
#ip6tables -A INPUT -i lo -j ACCEPT
#ip6tables -A OUTPUT -o lo -j ACCEPT
# Drop/reject all other traffic.
ip6tables -A INPUT -j DROP
# --reject-with icmp-admin-prohibited not supported by ip6tables
ip6tables -A OUTPUT -j REJECT
# --reject-with icmp-admin-prohibited not supported by ip6tables
ip6tables -A FORWARD -j REJECT
###########################
# End
###########################
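A rule set that does what the question asks, leaving the host untorified while forcing everything from the container bridge through the host's Tor: this is an added example, not the poster's script and not Whonix's. It assumes lxc-net's default bridge address 10.0.3.1, that Tor on the host is configured with TransPort 10.0.3.1:9040 and DNSPort 10.0.3.1:53, and that lxc-net's own NAT rules are not re-added after it runs.

```shell
#!/bin/sh
# Added example (not the poster's script): host stays untorified, but every
# packet arriving from the LXC bridge is either handed to Tor or dropped.
# Assumes torrc has "TransPort 10.0.3.1:9040" and "DNSPort 10.0.3.1:53"
# (10.0.3.1 = lxc-net default bridge) and lxc-net does not re-add its NAT.
set -eu
EXT_IF=eth0
INT_IF=lxcbr0
TRANS_PORT=9040
DNS_PORT=53
IPT="${IPT:-iptables}"       # set IPT=echo (or run with "preview") to dry-run
IP6T="${IP6T:-ip6tables}"

apply_rules() {
    $IPT -F; $IPT -X; $IPT -t nat -F; $IPT -t nat -X
    # OUTPUT stays ACCEPT: the host's own traffic (ssh replies, apt, the Tor
    # daemon itself) must flow normally; only the bridge is constrained.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 22 -j ACCEPT

    # Container traffic: every TCP SYN and every DNS query is rewritten in
    # PREROUTING to the Tor listeners, and INPUT admits only those two ports
    # from the bridge. Anything else from lxcbr0 (ICMP, other UDP, anything
    # that would be forwarded) is dropped, so there is no non-Tor path out.
    $IPT -t nat -A PREROUTING -i "$INT_IF" -p udp --dport 53 \
        -j REDIRECT --to-ports "$DNS_PORT"
    $IPT -t nat -A PREROUTING -i "$INT_IF" -p tcp --syn \
        -j REDIRECT --to-ports "$TRANS_PORT"
    $IPT -A INPUT -i "$INT_IF" -p udp --dport "$DNS_PORT" -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -p tcp --dport "$TRANS_PORT" -j ACCEPT
    $IPT -A FORWARD -j REJECT --reject-with icmp-admin-prohibited

    # Tor proxies IPv4 only here, so discard all IPv6 coming from the bridge.
    $IP6T -F
    $IP6T -P FORWARD DROP
    $IP6T -A INPUT -i "$INT_IF" -j DROP
}

case "${1:-}" in
    apply)   apply_rules ;;
    preview) IPT=echo; IP6T=echo; apply_rules ;;
esac
```

Run it with `preview` to print the rules and with `apply` as root to load them. The posted script's `-P OUTPUT DROP` with no OUTPUT rules blocks every packet the host itself sends, SSH replies included, which is why that session died; here OUTPUT is left at ACCEPT because the host does not need to be torified.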