I need to allow only traffic from the Whonix-Gateway virtual machine and drop the rest on the host. The only traffic allowed from the host itself is torified system upgrades. I use qemu-kvm for virtualization.
ifconfig -a output:

```
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 00:d8:61:44:3b:36  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 18

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 500  bytes 42572 (41.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 500  bytes 42572 (41.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether d6:89:5d:25:a7:35  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.2  netmask 255.255.255.0  broadcast 10.0.2.255
        ether ba:50:e8:19:d8:e0  txqueuelen 1000  (Ethernet)
        RX packets 7380  bytes 1662540 (1.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10658  bytes 16217005 (15.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 92:eb:60:36:5b:ec  txqueuelen 1000  (Ethernet)
        RX packets 3  bytes 84 (84.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 120  bytes 5040 (4.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0-nic: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 52:54:00:2c:eb:d5  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr1-nic: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 52:54:00:8b:c2:e1  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr2-nic: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 52:54:00:98:1e:82  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc54:ff:fe25:c4f1  prefixlen 64  scopeid 0x20<link>
        ether fe:54:00:25:c4:f1  txqueuelen 1000  (Ethernet)
        RX packets 7380  bytes 1765860 (1.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12284  bytes 16302650 (15.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc54:ff:fead:3e09  prefixlen 64  scopeid 0x20<link>
        ether fe:54:00:ad:3e:09  txqueuelen 1000  (Ethernet)
        RX packets 6827  bytes 14043836 (13.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8503  bytes 578811 (565.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc54:ff:fe85:d7de  prefixlen 64  scopeid 0x20<link>
        ether fe:54:00:85:d7:de  txqueuelen 1000  (Ethernet)
        RX packets 2086  bytes 195061 (190.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3019  bytes 1392073 (1.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc54:ff:fe26:2827  prefixlen 64  scopeid 0x20<link>
        ether fe:54:00:26:28:27  txqueuelen 1000  (Ethernet)
        RX packets 4214  bytes 235337 (229.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4928  bytes 12406927 (11.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.221  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::bb8a:5532:d794:f463  prefixlen 64  scopeid 0x20<link>
        ether 48:a4:72:f3:37:c5  txqueuelen 1000  (Ethernet)
        RX packets 392071  bytes 549678001 (524.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 208071  bytes 23596361 (22.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```
Here virbr0 is the default external network interface for virtual machines, virbr1 is the Whonix external network for the gateway, and virbr2 is the Whonix internal network.
Should I create a tap interface to be able to allow only Whonix-Gateway to access the internet? How should the iptables rules look?