
whonix_firewall script failure
Closed, Resolved (Public)

Description

Initial build of Whonix 10 is successful, however there are still some configuration options I need to sort out. The first issue I have come across is a firewall startup failure as shown below. Currently looking into what the cause of this error is.

root@host:/usr/lib/qubes-whonix/init# /usr/bin/whonix_firewall
OK: Loading Whonix firewall...
OK: TOR_USER: 105
OK: CLEARNET_USER: 1001
OK: USER_USER: 1000
OK: ROOT_USER: 0
iptables: Chain already exists.
##################################################
Whonix firewall script failed!
##################################################

Details

Impact
Needs Triage

Event Timeline

nrgaway raised the priority of this task from to Needs Triage.
nrgaway updated the task description. (Show Details)
nrgaway set Impact to Needs Triage.
nrgaway added subscribers: nrgaway, Patrick, WhonixQubes.

Perhaps the script slightly changed and the sed/patching magic doesn't work anymore?

Related to:
T176

Yes, I have identified the section that is causing issues...

This is what is being searched for...
## IPv4 DROP INVALID INCOMING PACKAGES

and now there is also:
## IPv4 DROP INVALID INCOMING PACKAGES POST HOOK

Yes, you were correct. Fixed.

You mentioned that I may not need to patch the script for Whonix 10. It does not look like there is a hook in the first location listed above to do so, so I will continue with the patch which consists of:

## --- THE FOLLOWING WAS INJECTED ---
##     Qubes Tiny Proxy Updater
iptables -t nat -N PR-QBS-SERVICES
iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT
iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT
iptables -t nat -A PREROUTING -j PR-QBS-SERVICES
iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to 10.137.5.1:53
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to 10.137.5.1:9040

# Route any traffic FROM netvm TO netvm BACK-TO localhost
# Allows localhost access to tor network
#iptables -t nat -A OUTPUT -s 10.137.5.1 -d 10.137.5.1 -j DNAT --to-destination 127.0.0.1
nrgaway claimed this task.
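The double match behind the "Chain already exists" failure discussed in this task, shown as an added shell example that is not part of the task or of the Whonix/Qubes code: it anchors the injection on an exact line match, refuses to patch unless the anchor matches exactly once and the block is not already there, and makes the chain creation in the injected block idempotent. The whonix_firewall excerpt, the block tag and the file names are constructed for the demo.

```shell
# Added example, not code from the task or from Whonix/Qubes: guard the
# "sed/patching magic" so the Qubes block lands exactly once and make the
# chain creation inside it idempotent. The sample script and file names
# are constructed for the demo; no iptables command is executed here.

MARKER='## IPv4 DROP INVALID INCOMING PACKAGES'
TAG='## --- QUBES TINY PROXY BLOCK (injected) ---'

# Constructed stand-in for the relevant part of whonix_firewall in Whonix 10:
# the original marker plus the new "... POST HOOK" line.
make_sample_script() {
  cat > "$1" <<'EOF'
#!/bin/bash
## IPv4 DROP INVALID INCOMING PACKAGES
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
## IPv4 DROP INVALID INCOMING PACKAGES POST HOOK
EOF
}

# Substring match (what a plain sed /MARKER/ address does) vs. exact-line match.
count_loose() { grep -c -F "$MARKER" "$1" || true; }
count_exact() { grep -c -x -F "$MARKER" "$1" || true; }
# Write a patched copy of $1 to $2. Return 1 unless the anchor matches exactly
# one line and the block is not already present, so a re-run never injects twice.
inject_once() {
  n=$(count_exact "$1")
  if [ "$n" -ne 1 ]; then
    echo "refusing to patch: anchor matched $n lines, expected 1" >&2
    return 1
  fi
  if grep -q -x -F "$TAG" "$1"; then
    echo "refusing to patch: block already present" >&2
    return 1
  fi
  awk -v m="$MARKER" -v tag="$TAG" '
    { print }
    $0 == m {
      print tag
      # create the chain only if missing, rather than failing on a bare -N
      print "iptables -t nat -L PR-QBS-SERVICES -n >/dev/null 2>&1 || iptables -t nat -N PR-QBS-SERVICES"
      # -C tests for the rule; append only when it is absent
      print "iptables -t nat -C PREROUTING -j PR-QBS-SERVICES 2>/dev/null || iptables -t nat -A PREROUTING -j PR-QBS-SERVICES"
    }' "$1" > "$2"
}
# Demo: patch a fresh sample once and show the result.
demo_dir=$(mktemp -d)
make_sample_script "$demo_dir/whonix_firewall"
inject_once "$demo_dir/whonix_firewall" "$demo_dir/whonix_firewall.patched" && cat "$demo_dir/whonix_firewall.patched"
```

Running it a second time on the patched copy prints the refusal and exits non-zero instead of injecting the block again.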