whonix, torrents, and being a good tor citizen

Working notes … final.

[quote]whonix, torrents, and being a good tor citizen

There are 2 issues:

  1. Identifying / corralling net traffic.
  2. Proxying (udp / socks5) / anonymizing such traffic.

    So, for 2 - VPN. From a trusted provider.

For 1, part a, identifying particular traffic and constraining as desired, runfromiptcpudp as discussed.
[/quote]

Concluding here with 1, Solution part b: Permitting and appropriately routing the designated traffic.

Note: Presented here is one way of handling torrents under Whonix while being a good Tor citizen. Proof of concept. Only. Although the steps and details are correct, the specifics of implementing them are suitable only for individual experimentation and use. For general use or implementation, a more robust installation would be required. See the thread "Bolt on for whonix_firewall - best place to put files?" for such beginnings, and particularly Dev/Firewall Refactoring.

Environment: For the purposes of development / proof of concept, whonix_firewall was 'cloned' (and gutted) to whonix_firewall-post, and an associated /etc/whonix_firewall-post.d directory was created as a clone of /etc/whonix_firewall.d. (Thank you Patrick!) Specifics can be seen at whonix-torexceptedtraffic_proofofconcept. Only the summary / details are shown below.

Assumption: appropriate settings are placed in a file in /etc/whonix_firewall.d, as per /etc/whonix_firewall/30_default, e.g. in '50_user.conf':
[code]
VPN_FIREWALL=1
VPN_SERVERS="10.0.1.2"
VPN_INTERFACE=tun0
LOCAL_NET="
127.0.0.0-127.0.0.24
192.168.2.1-192.168.2.1
10.152.152.0-10.152.152.24
10.0.2.2-10.0.2.24
"
[/code]

On Whonix Gateway:

Preparation:
(1) /usr/local/bin/whonix_firewall-post - essentially just the top part of whonix_firewall, the sourcing and executing of files within a designated .d directory.
(2) /etc/whonix_firewall-post.d/30_lastrules_to_envvars - essentially just the environment variables of whonix_firewall, -and- the storing of the last / dropping rules of each chain, so that iptables changes can be modularly implemented.

  • Each .d file utilizes a lock file so it can’t run twice / double iptables rules.

e.g.:
[code]
# Delete old iptables INPUT last rule.
$iptables_cmd -D $IPT_FILTER_INPUT_LASTRULE

# < insert appropriate iptables script lines for this module >

# Reapply old iptables INPUT last rule.
$iptables_cmd -A $IPT_FILTER_INPUT_LASTRULE
[/code]

Note: This is NOT how whonix would implement this facility. This mechanism is only useful during the process of development / debugging / discerning correct steps. See Bolt on for whonix_firewall - best place to put files? and/or Dev/Firewall Refactoring for a better implementation mechanism.
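As an added example (not the post's code, and not how whonix_firewall itself works): the lock file above only stops a module from being sourced twice in one boot. An alternative that makes each rule itself idempotent is to ask iptables whether the rule already exists (`-C`) before appending it, so a re-run of the module is harmless. The helper below reuses the post's `$iptables_cmd` variable; the `fake_iptables` stub, `rule_count`, and the 10.152.152.11 address are constructed so the demo runs without root.

```bash
#!/bin/bash
# Added example: idempotent rule application with `iptables -C` instead of a
# run-once lock file.  $iptables_cmd follows the post; all else is assumed.

# ensure_rule TABLE CHAIN RULE...
# Append RULE to CHAIN in TABLE only if `-C` (check) reports it is absent, so
# sourcing the module a second time cannot duplicate rules.
ensure_rule() {
    local table="$1" chain="$2"
    shift 2
    if "$iptables_cmd" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0            # rule already present: nothing to do
    fi
    "$iptables_cmd" -t "$table" -A "$chain" "$@"
}

# --- constructed stand-in for iptables so the demo runs unprivileged ---
FAKE_RULES=""               # one "TABLE CHAIN RULE..." line per installed rule

# Understands exactly the two invocations ensure_rule makes:
#   -t TABLE -C CHAIN RULE...   exit 0 if the rule is recorded, 1 if not
#   -t TABLE -A CHAIN RULE...   record the rule
fake_iptables() {
    local table="$2" op="$3" chain="$4"
    shift 4
    local key="$table $chain $*"
    case "$op" in
        -C) printf '%s' "$FAKE_RULES" | grep -qxF -- "$key" ;;
        -A) FAKE_RULES="${FAKE_RULES}${key}
"
            ;;
        *)  echo "fake_iptables: unsupported op $op" >&2; return 2 ;;
    esac
}

# Number of rules the stub currently holds.
rule_count() {
    printf '%s' "$FAKE_RULES" | grep -c . || true
}

# On a real gateway this would be the iptables binary; the demo uses the stub.
iptables_cmd=fake_iptables

# Demo: applying the same rule twice leaves exactly one copy.
# 10.152.152.11 is a constructed placeholder for the post's XCEPTIP.
XCEPTIP=10.152.152.11
ensure_rule filter FORWARD -i eth1 -o tun0 -s "$XCEPTIP" -j ACCEPT
ensure_rule filter FORWARD -i eth1 -o tun0 -s "$XCEPTIP" -j ACCEPT
ensure_rule nat POSTROUTING -o tun0 -s "$XCEPTIP" -j MASQUERADE
echo "installed rules: $(rule_count)"
printf '%s' "$FAKE_RULES"
```

With the real binary, `-C` needs the rule spelled exactly as it was appended (same match order and values), which is also a useful discipline for the last-rule delete/reappend pattern: if `-D` of the stored last rule fails, the rule text and the stored text have drifted apart.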

/etc/whonix_firewall-post.d/70_torexcept:
[code]
# 70_torexcept - sourced by whonix_firewall-post. $iptables_cmd, $INT_IF,
# $VPN_INTERFACE, $VPN_SERVERS and the *_LASTRULE variables come from
# 30_lastrules_to_envvars. XCEPTIP (the workstation IP whose traffic is
# excepted from Tor) is assumed to be set in the /etc/whonix_firewall.d
# settings file; it is not defined in this excerpt.

iam=$(basename "$BASH_SOURCE")
mylockfile=/run/lock/WFP_${iam}_run

if [ -e "$mylockfile" ]; then
    echo ; echo "$iam already run, lockfile $mylockfile present. Returning without running."
    return 0
fi

echo ; echo "Running $iam, setting lockfile ${mylockfile}."
touch "$mylockfile"

# whonix_firewall permits multiple VPN servers to be specified, space separated.
# iptables, OTOH, requires the servers to be comma separated.
VPNIPS="${VPN_SERVERS// /,}"
echo -e "\nExtrapolating VPN IPs of '$VPNIPS' from '$VPN_SERVERS'.\n"

# For the moment, put in log entries ... skipped for the purposes of this forum thread.

# Note that iptables -t nat INPUT, OUTPUT, and POSTROUTING default to ACCEPT.
# - note that -t nat OUTPUT RETURNs if uid is clearnet.

# Note: whonix_firewall INPUT rules:
# - drop all weird/erroneous things
# - accept all in from lo
# - accept all established
# - deny all icmp
# - allow all in from tun0
# - drop all (last rule)

set -v -x

# ----------------------------------------
# Delete current iptables INPUT last rule.
$iptables_cmd -D $IPT_FILTER_INPUT_LASTRULE

# {Placeholder Line: Turns out no rules needed. Logging rules in 'source' file handy.}

# Reapply old iptables INPUT last rule.
$iptables_cmd -A $IPT_FILTER_INPUT_LASTRULE

# ---------------------------------------
# Note: whonix_firewall FORWARD: REJECT all (last rule)
# ---------------------------------------
# Delete current iptables FORWARD last rule.
$iptables_cmd -D $IPT_FILTER_FORWARD_LASTRULE

# Forward the excepted workstation's traffic only between the internal
# interface and the VPN interface.
$iptables_cmd -A FORWARD -i $INT_IF -o $VPN_INTERFACE -s $XCEPTIP -j ACCEPT
$iptables_cmd -A FORWARD -i $VPN_INTERFACE -o $INT_IF -d $XCEPTIP -j ACCEPT

# Torrents want to talk to the VPN server (presumably) to open ports for
# forwarding. (*1)
$iptables_cmd -A FORWARD -i $INT_IF -s $XCEPTIP -d $VPNIPS -j ACCEPT

# Reapply old iptables FORWARD last rule.
$iptables_cmd -A $IPT_FILTER_FORWARD_LASTRULE

# ---------------------------------------
# Note: whonix_firewall OUTPUT rules:
# - reject all weird/erroneous things
# - accept all to tun0
# - accept all established
# - accept all LOCAL_NETS
# - accept all to vpn server ip
# - accept all from clearnet userid
# - reject all (last rule)
# ---------------------------------------
# Delete current iptables OUTPUT last rule.
$iptables_cmd -D $IPT_FILTER_OUTPUT_LASTRULE

# {Placeholder Line: Turns out no rules needed. Logging rules in 'source' file handy.}

# Reapply old iptables OUTPUT last rule.
$iptables_cmd -A $IPT_FILTER_OUTPUT_LASTRULE

# ---------------------------------------
# Note: whonix_firewall -t nat PREROUTING rules:
# - redir (incoming) eth1 tor/9xxx ports to self (tor) equivalents.
# - redir eth1 udp/dns to self (tor) :5300
# - redir eth1 tcp to self: 9040 (tor) (last rule)
# ---------------------------------------
# Delete old iptables -t nat PREROUTING last rule.
$iptables_cmd -t nat -D $IPT_NAT_PREROUTING_LASTRULE

# Insert at the top so the excepted workstation is never redirected to Tor.
$iptables_cmd -t nat -I PREROUTING -i $INT_IF -s $XCEPTIP -j ACCEPT

# Reapply old iptables -t nat PREROUTING last rule.
$iptables_cmd -t nat -A $IPT_NAT_PREROUTING_LASTRULE

# ---------------------------------------
# Note: whonix_firewall -t nat INPUT rules: none.
# - Default ACCEPT, so not in the way.
# Note: whonix_firewall -t nat OUTPUT rules: none.
# - Default ACCEPT, so not in the way.
# Note: whonix_firewall -t nat POSTROUTING rules: none.
# - Default ACCEPT, so not in the way.
# ---------------------------------------
# Delete old iptables -t nat POSTROUTING last rule.
# - except ... it doesn't currently have any rules.
$iptables_cmd -t nat -D $IPT_NAT_POSTROUTING_LASTRULE

# Masquerade the excepted workstation behind the VPN interface.
$iptables_cmd -t nat -A POSTROUTING -o $VPN_INTERFACE -s $XCEPTIP -j MASQUERADE

# See (*1).
$iptables_cmd -t nat -A POSTROUTING -s $XCEPTIP -d $VPNIPS -j MASQUERADE

# Reapply old iptables -t nat POSTROUTING last rule.
$iptables_cmd -t nat -A $IPT_NAT_POSTROUTING_LASTRULE

# ---------------------------------------

set +v +x
echo

# Enable forwarding.
echo -n "/proc/sys/net/ipv4/ip_forward (forwarding) was: "
cat /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_forward
echo -n "/proc/sys/net/ipv4/ip_forward (forwarding) now: "
cat /proc/sys/net/ipv4/ip_forward

return 0
[/code]

To effect: $ sudo whonix_firewall-post
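Added example, not from the post: once the module has run, the resulting FORWARD chain is worth checking rather than trusted, because every ACCEPT rule for the excepted workstation is a path around Tor. The audit below reads `iptables -S FORWARD` output on stdin and reports any ACCEPT rule for XCEPTIP that neither leaves via the VPN interface nor is addressed to one of the VPN servers (the (*1) case). The variable names and the 10.0.1.2 server follow the post; the rule dumps, the 10.152.152.11 address, and the helper names are constructed.

```bash
#!/bin/bash
# Added example: static audit of a FORWARD chain dump (iptables-save syntax,
# as printed by `iptables -S FORWARD`) for the Tor-excepted host.
# XCEPTIP / VPN_INTERFACE / VPNIPS follow the post; samples are constructed.

# rule_exits_via_vpn RULE VPN_IF VPNIPS
# True if the rule is bound to the VPN interface (-o) or its destination (-d)
# is one of the comma separated VPN server IPs.
rule_exits_via_vpn() {
    local rule=" $1 " vpn_if="$2" vpnips="$3" dst
    case "$rule" in *" -o $vpn_if "*) return 0 ;; esac
    dst=$(printf '%s\n' "$1" | sed -n 's/.* -d \([^ ]*\).*/\1/p')
    dst="${dst%/32}"                  # iptables -S prints hosts as a.b.c.d/32
    [ -n "$dst" ] || return 1
    case ",$vpnips," in *",$dst,"*) return 0 ;; esac
    return 1
}

# audit_forward_rules XCEPTIP VPN_IF VPNIPS < dump
# Prints every ACCEPT rule whose source is XCEPTIP but which does not exit via
# the VPN; returns 0 when none were found, 1 otherwise.
audit_forward_rules() {
    local xceptip="$1" vpn_if="$2" vpnips="$3" line bad=0
    while IFS= read -r line; do
        case " $line " in
            " -A FORWARD "*) ;;       # only rules appended to FORWARD
            *) continue ;;
        esac
        case " $line " in             # only rules naming the excepted source
            *" -s $xceptip "*|*" -s $xceptip/32 "*) ;;
            *) continue ;;
        esac
        case " $line " in             # only rules that let traffic through
            *" -j ACCEPT "*) ;;
            *) continue ;;
        esac
        if ! rule_exits_via_vpn "$line" "$vpn_if" "$vpnips"; then
            printf 'leak: %s\n' "$line"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed dump resembling the post's rule set after 70_torexcept has run
# (10.152.152.11 stands in for XCEPTIP; 10.0.1.2 is the post's VPN server).
SAMPLE_OK='-P FORWARD ACCEPT
-A FORWARD -s 10.152.152.11/32 -i eth1 -o tun0 -j ACCEPT
-A FORWARD -d 10.152.152.11/32 -i tun0 -o eth1 -j ACCEPT
-A FORWARD -s 10.152.152.11/32 -d 10.0.1.2/32 -i eth1 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable'

# Constructed variant with a rule that lets the host out over the clearnet
# interface, bypassing both Tor and the VPN.
SAMPLE_LEAK='-P FORWARD ACCEPT
-A FORWARD -s 10.152.152.11/32 -i eth1 -o tun0 -j ACCEPT
-A FORWARD -d 10.152.152.11/32 -i tun0 -o eth1 -j ACCEPT
-A FORWARD -s 10.152.152.11/32 -d 10.0.1.2/32 -i eth1 -j ACCEPT
-A FORWARD -s 10.152.152.11/32 -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable'

# check_sample ok|leak : run the audit over one of the samples.
check_sample() {
    local dump
    case "$1" in ok) dump="$SAMPLE_OK" ;; *) dump="$SAMPLE_LEAK" ;; esac
    printf '%s\n' "$dump" | audit_forward_rules 10.152.152.11 tun0 10.0.1.2
}

for s in ok leak; do
    if check_sample "$s"; then echo "$s: no leak found"; else echo "$s: LEAK"; fi
done
```

On the gateway the same function runs over live rules: `sudo iptables -S FORWARD | audit_forward_rules "$XCEPTIP" "$VPN_INTERFACE" "$VPNIPS"`. The check only inspects rules that name the excepted source explicitly; a broad rule such as `-A FORWARD -i eth1 -j ACCEPT` would also bypass Tor and needs its own check, and a MASQUERADE rule in nat POSTROUTING deserves the same scrutiny.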


Complete and more extensive details can be seen at whonix-torexceptedtraffic_proofofconcept

fini


Comments, suggestions, welcome.