Gentoo Archives: gentoo-user

From: Hubert Hauser <hubot@××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] Allow only traffic from Whonix-Gateway
Date: Mon, 17 Jun 2019 14:18:00
Message-Id: trinity-555fd544-e1d7-459c-a010-484f935f4505-1560472766528@3c-app-mailcom-lxa12
I need to allow only traffic from the Whonix-Gateway virtual machine and drop the rest on the host. The only allowed traffic on the host is torified system upgrades. I use qemu-kvm for virtualization.

ifconfig -a output:

eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
        ether 00:d8:61:44:3b:36 txqueuelen 1000 (Ethernet)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 0 bytes 0 (0.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
        device interrupt 18

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10<host>
        loop txqueuelen 1000 (Local Loopback)
        RX packets 500 bytes 42572 (41.5 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 500 bytes 42572 (41.5 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
        inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
        ether d6:89:5d:25:a7:35 txqueuelen 1000 (Ethernet)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 0 bytes 0 (0.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

virbr1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255
        ether ba:50:e8:19:d8:e0 txqueuelen 1000 (Ethernet)
        RX packets 7380 bytes 1662540 (1.5 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 10658 bytes 16217005 (15.4 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

virbr2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        ether 92:eb:60:36:5b:ec txqueuelen 1000 (Ethernet)
        RX packets 3 bytes 84 (84.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 120 bytes 5040 (4.9 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

virbr0-nic: flags=4098<BROADCAST,MULTICAST> mtu 1500
        ether 52:54:00:2c:eb:d5 txqueuelen 1000 (Ethernet)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 0 bytes 0 (0.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

virbr1-nic: flags=4098<BROADCAST,MULTICAST> mtu 1500
        ether 52:54:00:8b:c2:e1 txqueuelen 1000 (Ethernet)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 0 bytes 0 (0.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

virbr2-nic: flags=4098<BROADCAST,MULTICAST> mtu 1500
        ether 52:54:00:98:1e:82 txqueuelen 1000 (Ethernet)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 0 bytes 0 (0.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet6 fe80::fc54:ff:fe25:c4f1 prefixlen 64 scopeid 0x20<link>
        ether fe:54:00:25:c4:f1 txqueuelen 1000 (Ethernet)
        RX packets 7380 bytes 1765860 (1.6 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 12284 bytes 16302650 (15.5 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

vnet1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet6 fe80::fc54:ff:fead:3e09 prefixlen 64 scopeid 0x20<link>
        ether fe:54:00:ad:3e:09 txqueuelen 1000 (Ethernet)
        RX packets 6827 bytes 14043836 (13.3 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 8503 bytes 578811 (565.2 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

vnet2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet6 fe80::fc54:ff:fe85:d7de prefixlen 64 scopeid 0x20<link>
        ether fe:54:00:85:d7:de txqueuelen 1000 (Ethernet)
        RX packets 2086 bytes 195061 (190.4 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 3019 bytes 1392073 (1.3 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

vnet3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet6 fe80::fc54:ff:fe26:2827 prefixlen 64 scopeid 0x20<link>
        ether fe:54:00:26:28:27 txqueuelen 1000 (Ethernet)
        RX packets 4214 bytes 235337 (229.8 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 4928 bytes 12406927 (11.8 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.0.221 netmask 255.255.255.0 broadcast 192.168.0.255
        inet6 fe80::bb8a:5532:d794:f463 prefixlen 64 scopeid 0x20<link>
        ether 48:a4:72:f3:37:c5 txqueuelen 1000 (Ethernet)
        RX packets 392071 bytes 549678001 (524.2 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 208071 bytes 23596361 (22.5 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

where virbr0 is the default external network interface for virtual machines, virbr1 is the Whonix external network for the gateway, and virbr2 is the Whonix internal network.

Should I create a tap interface to be able to allow only Whonix-Gateway to access the internet? How should the iptables rules look?
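An added example, not part of Hubert's message or of any reply on the list: a minimal host-side iptables policy for the layout above, filtering on the bridge names that ifconfig already shows (the vnetN taps are already attached to them, so no extra tap is assumed). It takes wlan0 as the uplink, virbr1 (10.0.2.0/24) as the Whonix external network, and virbr0/virbr2 as bridges that must never be forwarded; that the host's own upgrades go through a local Tor daemon running as the system user "tor" (e.g. emerge under torsocks), and the helper names rules and forward_accepts, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Host-side iptables policy for the
# layout in the message: only the Whonix-Gateway VM on virbr1 may reach the
# uplink, virbr0/virbr2 are never forwarded, and the host itself may only
# open connections on the uplink as the Tor daemon's user (assumed: "tor").
set -eu
UPLINK=wlan0            # interface holding 192.168.0.221
WHONIX_EXT=virbr1       # Whonix external network, host side is 10.0.2.2
WHONIX_NET=10.0.2.0/24  # virbr1 subnet from the ifconfig output
TOR_USER=tor            # assumption: the host's Tor daemon runs as this user

# Emit the rules one per line so they can be reviewed (or tested) before
# being applied as root. Drop policies first, then the narrow accepts.
rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# host: loopback, replies, DHCP lease on the uplink, DHCP requests from the VM
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $UPLINK -p udp --sport 67 --dport 68 -j ACCEPT
iptables -A INPUT -i $WHONIX_EXT -p udp --dport 67 -j ACCEPT
# forwarding: only virbr1 -> uplink may start flows, plus the replies back
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WHONIX_EXT -o $UPLINK -s $WHONIX_NET -j ACCEPT
iptables -t nat -A POSTROUTING -s $WHONIX_NET -o $UPLINK -j MASQUERADE
# host-originated: loopback, replies, talk to the VM, DHCP, and Tor (TCP only)
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $WHONIX_EXT -j ACCEPT
iptables -A OUTPUT -o $UPLINK -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A OUTPUT -o $UPLINK -p tcp -m owner --uid-owner $TOR_USER -j ACCEPT
EOF
}

# Self-check: exactly one rule may start a flow between two interfaces.
forward_accepts() {
    rules | grep -c -- '-A FORWARD -i .* -o .* -j ACCEPT'
}

# Print for review by default; "apply" loads the rules (run as root).
if [ "${1:-}" = apply ]; then
    rules | sh -e
else
    rules
fi
```

libvirt re-inserts its own FORWARD and MASQUERADE rules every time a NAT network starts, so the default network must also be stopped (virsh net-destroy default; virsh net-autostart --disable default) or VMs on virbr0 regain internet access the next time it comes up. Run the script with no argument to review the rules it would load, and with apply as root to load them.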