
refactor socks redirection firewall rules
Closed, Resolved (Public)

Description

As mentioned in T462, Whonix's socks redirection firewall rules size should be shrunk. Same rules. Less script code.

Code in question:

We can do firewall refactoring with virtually zero risk of changing actual rules by adhering to the following instructions:
https://www.whonix.org/wiki/Dev/Firewall_Refactoring
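As an added example (not Whonix's own iptables-save-deterministic script, whose source is not on this page), here is a small POSIX shell check of the kind the refactoring approach relies on: dump the loaded rules before and after the script change, strip the parts that vary between otherwise identical rule sets (the iptables-save banner and footer comments with their timestamps, and the per-chain packet/byte counters), and diff what is left. The two dumps embedded in the block are constructed for this example, modelled on the rule shapes posted below; the function names are the example's own. Rule order is deliberately preserved, because iptables evaluates a chain top to bottom and a reordering is a real behavioural change, not noise.

```shell
#!/bin/sh
# Added example: diff two iptables-save dumps after removing the parts
# that vary between otherwise identical rule sets. Not Whonix's
# iptables-save-deterministic; function names and sample dumps are
# this example's own.

# Constructed "before" dump: per-port ACCEPT rules, non-zero counters,
# iptables-save banner and footer comments with timestamps.
BEFORE_DUMP='# Generated by iptables-save v1.4.21 on Sun Jan 10 16:45:01 2016
*filter
:INPUT DROP [12:3456]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i vif+ -p tcp -m tcp --dport 9152 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9153 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Sun Jan 10 16:45:01 2016'

# Constructed "after" dump: the same ports collapsed into one multiport
# rule. Kernel behaviour is equivalent, but the rule text is not, and a
# textual diff is meant to flag exactly that so a human reviews it.
AFTER_DUMP='# Generated by iptables-save v1.4.21 on Sun Jan 10 16:47:22 2016
*filter
:INPUT DROP [99:1234]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i vif+ -p tcp -m multiport --dports 9152:9153 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Sun Jan 10 16:47:22 2016'

# Filter (stdin -> stdout): drop '#' comment lines and zero the per-chain
# counters. Stock iptables-save writes [pkts:bytes]; the dumps on this
# page show [0,0], so both separators are accepted. Rule order is kept:
# iptables walks a chain top to bottom, so reordering is a real change.
normalize_iptables_save() {
    sed -e '/^#/d' -e 's/\[[0-9]*[:,][0-9]*\]$/[0:0]/'
}

# Number of -A rule lines in a dump string.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A '
}

# Exit 0 if the two dump strings carry the same tables, policies and
# rules in the same order once normalized, 1 otherwise.
rules_unchanged() {
    a=$(printf '%s\n' "$1" | normalize_iptables_save)
    b=$(printf '%s\n' "$2" | normalize_iptables_save)
    [ "$a" = "$b" ]
}

# Unified diff of the normalized dumps; exit status is diff's
# (0 identical, 1 different).
rules_diff() {
    d=$(mktemp -d) || return 2
    printf '%s\n' "$1" | normalize_iptables_save > "$d/before"
    printf '%s\n' "$2" | normalize_iptables_save > "$d/after"
    diff -u "$d/before" "$d/after"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Stand-alone run: report whether the constructed dumps match.
if rules_unchanged "$BEFORE_DUMP" "$AFTER_DUMP"; then
    echo "rule sets identical after normalization"
else
    echo "rule sets differ, review the diff:"
    rules_diff "$BEFORE_DUMP" "$AFTER_DUMP" || true
fi
```

In practice the two inputs would be the output of the dump tool run once with the old firewall script loaded and once with the refactored one; a refactoring that only shortens the script should produce an empty diff, while a change to the generated rule text, like the multiport collapse in the constructed "after" dump, shows up and has to be reviewed on its own merits.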

Details

Impact
Normal

Event Timeline

Patrick created this task. Jan 10 2016, 4:45 PM
Patrick raised the priority of this task from to Normal.
Patrick updated the task description. (Show Details)
Patrick set Impact to Normal.
Patrick added subscribers: nrgaway, marmarek, HulaHoop and 3 others.

Whonix 13. iptables-save-deterministic

*mangle
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
COMMIT
*nat
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
:PR-QBS-SERVICES - [0,0]
-A PREROUTING -j PR-QBS-SERVICES
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9052 -j REDIRECT --to-ports 9052
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9124 -j REDIRECT --to-ports 9124
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9104 -j REDIRECT --to-ports 9104
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9111 -j REDIRECT --to-ports 9111
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9117 -j REDIRECT --to-ports 9117
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9107 -j REDIRECT --to-ports 9107
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9123 -j REDIRECT --to-ports 9123
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9105 -j REDIRECT --to-ports 9105
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9103 -j REDIRECT --to-ports 9103
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9101 -j REDIRECT --to-ports 9101
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9122 -j REDIRECT --to-ports 9122
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9121 -j REDIRECT --to-ports 9121
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9120 -j REDIRECT --to-ports 9120
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9113 -j REDIRECT --to-ports 9113
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9112 -j REDIRECT --to-ports 9112
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9118 -j REDIRECT --to-ports 9118
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9108 -j REDIRECT --to-ports 9108
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9106 -j REDIRECT --to-ports 9106
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9100 -j REDIRECT --to-ports 9100
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9150 -j REDIRECT --to-ports 9150
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9115 -j REDIRECT --to-ports 9115
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9116 -j REDIRECT --to-ports 9116
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9102 -j REDIRECT --to-ports 9102
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9119 -j REDIRECT --to-ports 9119
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9050 -j REDIRECT --to-ports 9050
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9109 -j REDIRECT --to-ports 9109
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9110 -j REDIRECT --to-ports 9110
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9114 -j REDIRECT --to-ports 9114
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9125 -j REDIRECT --to-ports 9125
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9152 -j REDIRECT --to-ports 9152
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9153 -j REDIRECT --to-ports 9153
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9154 -j REDIRECT --to-ports 9154
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9155 -j REDIRECT --to-ports 9155
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9156 -j REDIRECT --to-ports 9156
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9157 -j REDIRECT --to-ports 9157
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9158 -j REDIRECT --to-ports 9158
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9159 -j REDIRECT --to-ports 9159
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9160 -j REDIRECT --to-ports 9160
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9161 -j REDIRECT --to-ports 9161
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9162 -j REDIRECT --to-ports 9162
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9163 -j REDIRECT --to-ports 9163
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9164 -j REDIRECT --to-ports 9164
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9165 -j REDIRECT --to-ports 9165
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9166 -j REDIRECT --to-ports 9166
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9167 -j REDIRECT --to-ports 9167
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9168 -j REDIRECT --to-ports 9168
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9169 -j REDIRECT --to-ports 9169
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9170 -j REDIRECT --to-ports 9170
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9171 -j REDIRECT --to-ports 9171
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9172 -j REDIRECT --to-ports 9172
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9173 -j REDIRECT --to-ports 9173
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9174 -j REDIRECT --to-ports 9174
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9175 -j REDIRECT --to-ports 9175
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9176 -j REDIRECT --to-ports 9176
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9177 -j REDIRECT --to-ports 9177
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9178 -j REDIRECT --to-ports 9178
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9179 -j REDIRECT --to-ports 9179
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9180 -j REDIRECT --to-ports 9180
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9181 -j REDIRECT --to-ports 9181
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9182 -j REDIRECT --to-ports 9182
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9183 -j REDIRECT --to-ports 9183
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9184 -j REDIRECT --to-ports 9184
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9185 -j REDIRECT --to-ports 9185
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9186 -j REDIRECT --to-ports 9186
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9187 -j REDIRECT --to-ports 9187
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9188 -j REDIRECT --to-ports 9188
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9189 -j REDIRECT --to-ports 9189
-A PREROUTING -i vif+ -p udp -m udp --dport 53 -j REDIRECT --to-ports 5300
-A PREROUTING -i vif+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -p udp -m owner --uid-owner 999 -m conntrack --ctstate NEW -j DNAT --to-destination 127.0.0.1:5400
-A OUTPUT -p tcp -m owner --uid-owner 999 -m conntrack --ctstate NEW -j DNAT --to-destination 127.0.0.1:9041
-A OUTPUT -m owner --uid-owner 1002 -j RETURN
-A OUTPUT -m owner --uid-owner 106 -j RETURN
-A OUTPUT -m iprange --dst-range 127.0.0.0-127.0.0.24 -j RETURN
-A OUTPUT -m iprange --dst-range 10.137.0.0-10.138.255.255 -j RETURN
-A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT
COMMIT
*filter
:INPUT DROP [0,0]
:FORWARD DROP [0,0]
:OUTPUT DROP [0,0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -i vif+ -p udp -m udp --dport 5300 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9052 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9124 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9104 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9111 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9117 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9107 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9123 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9105 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9103 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9101 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9122 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9121 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9120 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9113 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9112 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9118 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9108 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9106 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9100 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9150 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9115 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9116 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9102 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9119 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9050 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9109 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9110 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9114 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9125 -j ACCEPT
-A INPUT -i vif+ -p tcp -m multiport --dports 9152:9189 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -m iprange --dst-range 127.0.0.0-127.0.0.24 -j ACCEPT
-A OUTPUT -m iprange --dst-range 10.137.0.0-10.138.255.255 -j ACCEPT
-A OUTPUT -m owner --uid-owner 1002 -j ACCEPT
-A OUTPUT -m owner --uid-owner 106 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
COMMIT

Whonix 12. iptables-save-deterministic

*mangle
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
COMMIT
*nat
:PREROUTING ACCEPT [0,0]
:INPUT ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:POSTROUTING ACCEPT [0,0]
:PR-QBS-SERVICES - [0,0]
-A PREROUTING -j PR-QBS-SERVICES
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9052 -j REDIRECT --to-ports 9052
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9050 -j REDIRECT --to-ports 9050
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9100 -j REDIRECT --to-ports 9100
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9101 -j REDIRECT --to-ports 9101
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9102 -j REDIRECT --to-ports 9102
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9103 -j REDIRECT --to-ports 9103
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9104 -j REDIRECT --to-ports 9104
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9105 -j REDIRECT --to-ports 9105
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9106 -j REDIRECT --to-ports 9106
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9107 -j REDIRECT --to-ports 9107
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9108 -j REDIRECT --to-ports 9108
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9109 -j REDIRECT --to-ports 9109
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9110 -j REDIRECT --to-ports 9110
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9111 -j REDIRECT --to-ports 9111
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9112 -j REDIRECT --to-ports 9112
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9113 -j REDIRECT --to-ports 9113
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9114 -j REDIRECT --to-ports 9114
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9115 -j REDIRECT --to-ports 9115
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9116 -j REDIRECT --to-ports 9116
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9117 -j REDIRECT --to-ports 9117
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9118 -j REDIRECT --to-ports 9118
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9119 -j REDIRECT --to-ports 9119
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9120 -j REDIRECT --to-ports 9120
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9121 -j REDIRECT --to-ports 9121
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9122 -j REDIRECT --to-ports 9122
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9123 -j REDIRECT --to-ports 9123
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9124 -j REDIRECT --to-ports 9124
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9125 -j REDIRECT --to-ports 9125
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9150 -j REDIRECT --to-ports 9150
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9152 -j REDIRECT --to-ports 9152
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9153 -j REDIRECT --to-ports 9153
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9154 -j REDIRECT --to-ports 9154
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9155 -j REDIRECT --to-ports 9155
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9156 -j REDIRECT --to-ports 9156
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9157 -j REDIRECT --to-ports 9157
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9158 -j REDIRECT --to-ports 9158
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9159 -j REDIRECT --to-ports 9159
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9160 -j REDIRECT --to-ports 9160
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9161 -j REDIRECT --to-ports 9161
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9162 -j REDIRECT --to-ports 9162
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9163 -j REDIRECT --to-ports 9163
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9164 -j REDIRECT --to-ports 9164
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9165 -j REDIRECT --to-ports 9165
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9166 -j REDIRECT --to-ports 9166
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9167 -j REDIRECT --to-ports 9167
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9168 -j REDIRECT --to-ports 9168
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9169 -j REDIRECT --to-ports 9169
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9170 -j REDIRECT --to-ports 9170
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9171 -j REDIRECT --to-ports 9171
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9172 -j REDIRECT --to-ports 9172
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9173 -j REDIRECT --to-ports 9173
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9174 -j REDIRECT --to-ports 9174
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9175 -j REDIRECT --to-ports 9175
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9176 -j REDIRECT --to-ports 9176
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9177 -j REDIRECT --to-ports 9177
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9178 -j REDIRECT --to-ports 9178
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9179 -j REDIRECT --to-ports 9179
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9180 -j REDIRECT --to-ports 9180
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9181 -j REDIRECT --to-ports 9181
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9182 -j REDIRECT --to-ports 9182
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9183 -j REDIRECT --to-ports 9183
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9184 -j REDIRECT --to-ports 9184
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9185 -j REDIRECT --to-ports 9185
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9186 -j REDIRECT --to-ports 9186
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9187 -j REDIRECT --to-ports 9187
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9188 -j REDIRECT --to-ports 9188
-A PREROUTING -i vif+ -p tcp -m tcp --dport 9189 -j REDIRECT --to-ports 9189
-A PREROUTING -i vif+ -p udp -m udp --dport 53 -j REDIRECT --to-ports 5300
-A PREROUTING -i vif+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -p udp -m owner --uid-owner 999 -m conntrack --ctstate NEW -j DNAT --to-destination 10.137.3.1:5300
-A OUTPUT -p tcp -m owner --uid-owner 999 -m conntrack --ctstate NEW -j DNAT --to-destination 10.137.3.1:9040
-A OUTPUT -m owner --uid-owner 107 -j RETURN
-A OUTPUT -m owner --uid-owner 1001 -j RETURN
-A OUTPUT -m iprange --dst-range 127.0.0.0-127.0.0.24 -j RETURN
-A OUTPUT -m iprange --dst-range 10.137.0.0-10.137.255.255 -j RETURN
-A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT
COMMIT
*filter
:INPUT DROP [0,0]
:FORWARD DROP [0,0]
:OUTPUT DROP [0,0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -i vif+ -p udp -m udp --dport 5300 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9052 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9050 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9100 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9101 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9102 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9103 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9104 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9105 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9106 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9107 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9108 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9109 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9110 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9111 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9112 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9113 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9114 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9115 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9116 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9117 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9118 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9119 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9120 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9121 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9122 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9123 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9124 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9125 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 9150 -j ACCEPT
-A INPUT -i vif+ -p tcp -m multiport --dports 9152:9159 -j ACCEPT
-A INPUT -i vif+ -p tcp -m multiport --dports 9160:9169 -j ACCEPT
-A INPUT -i vif+ -p tcp -m multiport --dports 9170:9179 -j ACCEPT
-A INPUT -i vif+ -p tcp -m multiport --dports 9180:9189 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT --reject-with icmp-admin-prohibited
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -m iprange --dst-range 127.0.0.0-127.0.0.24 -j ACCEPT
-A OUTPUT -m iprange --dst-range 10.137.0.0-10.137.255.255 -j ACCEPT
-A OUTPUT -m owner --uid-owner 107 -j ACCEPT
-A OUTPUT -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
COMMIT
Patrick closed this task as Resolved. Apr 28 2016, 6:11 AM
Patrick claimed this task.

The diff looks sane.