Information
ID: 272
PHID: PHID-TASK-k57vz3sxhseubse73vhl
Author: nrgaway
Status at Migration Time: resolved
Priority at Migration Time: Needs Triage
Description
Initial build of Whonix 10 is successful, however there are still some configuration options I need to sort out. The first issue I have come across is a firewall startup failure as shown below. Currently looking into what the cause of this error is.
root@host:/usr/lib/qubes-whonix/init# /usr/bin/whonix_firewall
OK: Loading Whonix firewall...
OK: TOR_USER: 105
OK: CLEARNET_USER: 1001
OK: USER_USER: 1000
OK: ROOT_USER: 0
iptables: Chain already exists.
##################################################
Whonix firewall script failed!
##################################################
Comments
Patrick
2015-04-22 22:58:47 UTC
nrgaway
2015-04-22 23:34:05 UTC
Yes, I have identified the section that is causing issues…
This is what is being searched for…
## IPv4 DROP INVALID INCOMING PACKAGES
and now there is also:
## IPv4 DROP INVALID INCOMING PACKAGES POST HOOK
Yes, you were correct. Fixed.
You mentioned that I may not need to patch the script for Whonix 10. It does not look like there is a hook in the first location listed above to do so, so I will continue with the patch which consists of:
## --- THE FOLLOWING WAS INJECTED ---
## Qubes Tiny Proxy Updater
iptables -t nat -N PR-QBS-SERVICES
iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT
iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT
iptables -t nat -A PREROUTING -j PR-QBS-SERVICES
iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to 10.137.5.1:53
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to 10.137.5.1:9040
# Route any traffic FROM netvm TO netvm BACK-TO localhost
# Allows localhost access to tor network
#iptables -t nat -A OUTPUT -s 10.137.5.1 -d 10.137.5.1 -j DNAT --to-destination 127.0.0.1
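An added example, not code from this task or from Whonix/Qubes, showing one way to write the injected chain and rules so that a second run of the firewall script does not fail with "Chain already exists": create the chain only when absent, flush it otherwise, and append each rule only if `iptables -C` does not already find it. IPTABLES, ensure_chain, add_rule and qubes_proxy_rules are names assumed here; the wrappers assume an iptables that supports -C.

```shell
# Added example (not from the task or the Whonix/Qubes code). IPTABLES can be
# overridden with a stub so the logic is testable without root; assumes a
# real iptables 1.4.11 or newer for the -C (check) option.
IPTABLES="${IPTABLES:-iptables}"

# ensure_chain TABLE CHAIN: create the chain if it is missing, otherwise flush
# it, so re-running the script neither errors nor accumulates duplicate rules.
ensure_chain() {
    table="$1"; chain="$2"
    if "$IPTABLES" -t "$table" -n -L "$chain" >/dev/null 2>&1; then
        "$IPTABLES" -t "$table" -F "$chain"
    else
        "$IPTABLES" -t "$table" -N "$chain"
    fi
}

# add_rule TABLE CHAIN MATCH...: append only when an identical rule is not
# already present (iptables -C exits 0 when the rule matches).
add_rule() {
    table="$1"; shift
    "$IPTABLES" -t "$table" -C "$@" >/dev/null 2>&1 || "$IPTABLES" -t "$table" -A "$@"
}

# The tinyproxy updater rules from the task, rewritten with the wrappers.
qubes_proxy_rules() {
    ensure_chain nat PR-QBS-SERVICES
    add_rule filter INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT
    add_rule filter OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT
    add_rule nat PREROUTING -j PR-QBS-SERVICES
    add_rule nat PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT
}

# Run as: sh this_script.sh apply   (as root, on a host with iptables)
case "${1:-}" in
    apply) qubes_proxy_rules ;;
esac
```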