I need to allow only traffic from the Whonix-Gateway virtual machine and drop the rest on the host. The only traffic allowed on the host itself is torified system upgrades. I use qemu-kvm for virtualization.

ifconfig -a output:
 
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 00:d8:61:44:3b:36  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 18

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 500  bytes 42572 (41.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 500  bytes 42572 (41.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether d6:89:5d:25:a7:35  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.2  netmask 255.255.255.0  broadcast 10.0.2.255
        ether ba:50:e8:19:d8:e0  txqueuelen 1000  (Ethernet)
        RX packets 7380  bytes 1662540 (1.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10658  bytes 16217005 (15.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 92:eb:60:36:5b:ec  txqueuelen 1000  (Ethernet)
        RX packets 3  bytes 84 (84.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 120  bytes 5040 (4.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0-nic: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 52:54:00:2c:eb:d5  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr1-nic: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 52:54:00:8b:c2:e1  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr2-nic: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 52:54:00:98:1e:82  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc54:ff:fe25:c4f1  prefixlen 64  scopeid 0x20<link>
        ether fe:54:00:25:c4:f1  txqueuelen 1000  (Ethernet)
        RX packets 7380  bytes 1765860 (1.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12284  bytes 16302650 (15.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc54:ff:fead:3e09  prefixlen 64  scopeid 0x20<link>
        ether fe:54:00:ad:3e:09  txqueuelen 1000  (Ethernet)
        RX packets 6827  bytes 14043836 (13.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8503  bytes 578811 (565.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc54:ff:fe85:d7de  prefixlen 64  scopeid 0x20<link>
        ether fe:54:00:85:d7:de  txqueuelen 1000  (Ethernet)
        RX packets 2086  bytes 195061 (190.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3019  bytes 1392073 (1.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc54:ff:fe26:2827  prefixlen 64  scopeid 0x20<link>
        ether fe:54:00:26:28:27  txqueuelen 1000  (Ethernet)
        RX packets 4214  bytes 235337 (229.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4928  bytes 12406927 (11.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.221  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::bb8a:5532:d794:f463  prefixlen 64  scopeid 0x20<link>
        ether 48:a4:72:f3:37:c5  txqueuelen 1000  (Ethernet)
        RX packets 392071  bytes 549678001 (524.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 208071  bytes 23596361 (22.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
where virbr0 is the default external network interface for virtual machines, virbr1 is the Whonix external network for the gateway, and virbr2 is the Whonix internal network.

Should I create a tap interface to be able to allow only Whonix-Gateway to access the internet? What should the iptables rules look like?
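An added example, not part of the original post, showing one way to answer both questions. No extra tap interface is needed: libvirt already creates one tap per VM NIC (the vnet0 to vnet3 interfaces above) and enslaves each to its bridge, so the filtering is done on the host with the bridge and uplink names that already exist. The script below sets default-deny policies on INPUT, FORWARD and OUTPUT, forwards and NATs only the Whonix-Gateway's external NIC (ingress virbr1, egress wlan0) and lets only the host's own tor daemon leave via wlan0, which is what makes "torified upgrades only" enforceable by the firewall rather than by apt configuration alone. Assumptions, marked in the code as well: the gateway's address on virbr1 is 10.0.2.15 (check it inside the gateway), the host runs its own tor daemon as user `debian-tor` and apt uses it (for example via apt-transport-tor), and wlan0 gets its address via DHCP. Interface names come from the ifconfig output in the post.

```shell
#!/bin/sh
# Added example, not from the original post: default-deny iptables ruleset for
# a KVM host that should only forward Whonix-Gateway and only allow tor out.
set -eu

UPLINK=${UPLINK:-wlan0}          # from the ifconfig output in the post
GW_BR=${GW_BR:-virbr1}           # Whonix external network (from the post)
GW_IP=${GW_IP:-10.0.2.15}        # ASSUMPTION: gateway's address on virbr1
TOR_USER=${TOR_USER:-debian-tor} # ASSUMPTION: user the host's tor daemon runs as
IPT=${IPT:-iptables}             # set IPT=echo to print the rules instead of applying
IPT6=${IPT6:-ip6tables}
SYSCTL=${SYSCTL:-sysctl}

apply_rules() {
    $SYSCTL -w net.ipv4.ip_forward=1

    # Start from empty tables with default-deny policies in all three chains.
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback: apt reaches tor's SOCKS port on 127.0.0.1.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Return traffic for connections the rules below permitted.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Host-originated traffic: only the tor daemon may leave via the uplink,
    # and Tor needs only TCP. Deliberately no DNS rule: tor (and apt over
    # apt-transport-tor) resolve names inside Tor, so a clearnet resolver
    # is neither needed nor wanted on this host.
    $IPT -A OUTPUT -o "$UPLINK" -p tcp -m owner --uid-owner "$TOR_USER" -j ACCEPT

    # ASSUMPTION: wlan0 is configured by DHCP; keep lease renewals working.
    $IPT -A OUTPUT -o "$UPLINK" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A INPUT  -i "$UPLINK" -p udp --sport 67 --dport 68 -j ACCEPT

    # DHCP from the gateway to libvirt's dnsmasq on 10.0.2.2 (only needed if
    # the gateway does not use a static address on virbr1).
    $IPT -A INPUT -i "$GW_BR" -p udp --sport 68 --dport 67 -j ACCEPT

    # Forward only Whonix-Gateway: matched by ingress bridge AND source address,
    # egress restricted to the uplink, then NATed. virbr0 (libvirt default
    # network) and virbr2 (Whonix internal) fall through to the DROP policy.
    $IPT -A FORWARD -i "$GW_BR" -o "$UPLINK" -s "$GW_IP" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$UPLINK" -s "$GW_IP" -j MASQUERADE

    # IPv6: nothing here uses it; drop it so it cannot bypass the IPv4 rules.
    $IPT6 -F
    $IPT6 -P INPUT DROP
    $IPT6 -P FORWARD DROP
    $IPT6 -P OUTPUT DROP
    $IPT6 -A INPUT -i lo -j ACCEPT
    $IPT6 -A OUTPUT -o lo -j ACCEPT
}

# "show" prints the rules for review, "apply" loads them (run as root).
case "${1:-}" in
    apply) apply_rules ;;
    show)  IPT=echo IPT6=echo SYSCTL=echo; apply_rules ;;
esac
```

Run `sh host-fw.sh show` first and read the output, then `apply` as root. Two caveats from the setup in the post: libvirt inserts its own ACCEPT and MASQUERADE rules for the `default` network (virbr0) every time that network starts, which would reopen it, so either disable it (`virsh net-destroy default; virsh net-autostart --disable default`) or make sure this script runs after libvirtd on every boot (for example via iptables-persistent or an `iptables-save` dump). And the owner match only helps if every clearnet-capable process on the host other than tor is actually denied, so verify with `iptables -vnL OUTPUT` that nothing except the `debian-tor` rule and DHCP accumulates packet counts during an `apt update`.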
