For example, OnionShare binds its web server on 127.0.0.1.
That cannot work because in Whonix it needs to bind on the external IP.
Approaches:
- a) Work with upstream (onionshare etc.) to provide a switch to listen on all interfaces and automatically do so inside Whonix. Not great, not generic, and it takes a long time until merged and landing in Debian.
- b) Some solution using bindp, i.e. an LD_PRELOAD library that overrides the bind address:
BIND_ADDR="10.137.6.41" LD_PRELOAD=/home/user/bindp/libindp.so onionshare a
(tested to work)
Not great, not generic.
- c) An iptables-based solution that requires net.ipv4.conf.all.route_localnet=1.
What are the security implications of net.ipv4.conf.eth0.route_localnet=1 / route_localnet?
http://security.stackexchange.com/questions/137602/what-are-the-security-implications-of-net-ipv4-conf-eth0-route-localnet-1-rout
https://www.whonix.org/wiki/Dev/Port_Redirection
Not great, not generic.
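As an added example (not from this task or the Whonix wiki page linked above), here is what approach c) looks like when written out, including the part the security.stackexchange question is about: route_localnet=1 switches off the kernel's martian check for 127.0.0.0/8 on that interface, so the DNAT for the one published port has to be paired with a filter rule that drops every other packet arriving on the interface addressed to loopback. Interface name, port and the print-then-pipe style are assumptions; run the printed commands as root to apply them.

```shell
#!/bin/sh
# Added example: publish one localhost-only port via DNAT + route_localnet,
# and fence off everything else that route_localnet=1 would let in.
# Interface, port and the OnionShare values are placeholders/assumptions.
set -eu

# redirect_rules PORT IFACE: print the commands for redirecting PORT on IFACE
# to 127.0.0.1:PORT. Printing instead of executing keeps the function
# testable without root; pipe the output into sh as root to apply it.
redirect_rules() {
    port="$1"
    iface="$2"
    cat <<EOF
# route_localnet=1 lets packets whose destination is 127.0.0.0/8 be accepted
# on $iface instead of being dropped as martians; without it the DNAT below
# never reaches the localhost listener.
sysctl -w net.ipv4.conf.$iface.route_localnet=1
# Rewrite the destination of the published port only.
iptables -t nat -A PREROUTING -i $iface -p tcp --dport $port -j DNAT --to-destination 127.0.0.1:$port
# Accept only the connections that went through that DNAT ...
iptables -A INPUT -i $iface -d 127.0.0.0/8 -p tcp --dport $port -m conntrack --ctstate DNAT -j ACCEPT
# ... and drop any other traffic arriving on $iface addressed to loopback,
# so route_localnet does not expose every other localhost-only service.
iptables -A INPUT -i $iface -d 127.0.0.0/8 -j DROP
EOF
}

# rule_count PORT IFACE: number of iptables commands produced (self-check).
rule_count() {
    redirect_rules "$1" "$2" | grep -c '^iptables'
}

if [ "${1:-}" = "apply" ]; then
    # usage: ./redirect.sh apply 17600 eth0   (as root)
    redirect_rules "${2:?port}" "${3:?iface}" | sh
else
    # dry run with constructed sample values
    redirect_rules "${1:-17600}" "${2:-eth0}"
fi
```

The DROP rule is the part that answers the "security implications" question: without it, once route_localnet is on, anything on the same link that can deliver a frame to the workstation with a 127.x destination can talk to any localhost-only daemon, not just the one port that was meant to be published.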
- d) One socat listener per redirected port, e.g.:
socat TCP-LISTEN:17600,bind=10.137.6.41,fork TCP:127.0.0.1:17600
- Loads of socat listeners; if they become too many, they could eventually eat too much RAM.
- Could be made conditional by only loading these listeners if onionshare is installed. (Not great when installed inside template and not all Whonix-Workstations use onionshare.)
- EDIT: Perhaps not that many socat listeners by using systemd socket activation.
- related: port anon-ws-disable-stacked-tor to systemd socket activation T623
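As an added example of the socket-activation variant of d) (my own sketch, not code from this task, Whonix or OnionShare): a small generator that writes a .socket/.service pair per published port. systemd itself holds the listening socket on the external IP, and systemd-socket-proxyd (a real systemd tool, path assumed to be /lib/systemd/systemd-socket-proxyd as on Debian) is only started on the first connection and exits again after an idle period, so publishing many ports does not leave many resident forwarders around. The unit name, IP and port are constructed sample values.

```shell
#!/bin/sh
# Added example: generate a systemd socket-activated proxy that publishes an
# external port and forwards it to a localhost-only listener. Names, IP and
# port are assumptions; the systemd-socket-proxyd path is the Debian one.
set -eu

# write_proxy_units NAME EXT_IP PORT OUTDIR
# Writes NAME.socket and NAME.service into OUTDIR and prints their paths.
write_proxy_units() {
    name="$1"; ext_ip="$2"; port="$3"; outdir="$4"
    mkdir -p "$outdir"
    cat > "$outdir/$name.socket" <<EOF
[Unit]
Description=Publish 127.0.0.1:$port on $ext_ip:$port

[Socket]
# Bind on the external IP only; systemd owns this socket and starts the
# service below on the first incoming connection.
ListenStream=$ext_ip:$port

[Install]
WantedBy=sockets.target
EOF
    cat > "$outdir/$name.service" <<EOF
[Unit]
Description=Proxy $ext_ip:$port to 127.0.0.1:$port
Requires=$name.socket
After=$name.socket

[Service]
# systemd-socket-proxyd forwards the inherited socket to the given address
# and exits after 30s without connections, so idle ports cost no process.
ExecStart=/lib/systemd/systemd-socket-proxyd --exit-idle-time=30s 127.0.0.1:$port
# The proxy must reach the host's own loopback, so no network namespace.
PrivateNetwork=no
# Hardening that does not get in the way of a plain TCP forwarder.
DynamicUser=yes
ProtectSystem=strict
ProtectHome=yes
NoNewPrivileges=yes
EOF
    echo "$outdir/$name.socket"
    echo "$outdir/$name.service"
}

# listen_address FILE: extract the ListenStream= value from a generated .socket
listen_address() {
    sed -n 's/^ListenStream=//p' "$1"
}

# Demonstration with constructed sample values in a temporary directory.
demo_dir=$(mktemp -d)
write_proxy_units onionshare-proxy 10.137.6.41 17600 "$demo_dir"
# Install with (as root):
#   cp "$demo_dir"/onionshare-proxy.* /etc/systemd/system/
#   systemctl daemon-reload && systemctl enable --now onionshare-proxy.socket
```

Because the listening socket belongs to systemd rather than to a long-running socat, this also fits the "only if onionshare is installed" idea: the .socket unit can simply be shipped by (or conditioned on) the package that provides the localhost listener, and nothing runs until a client actually connects.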
- e) something better?
(EDIT)
- f) write draft for local listener standard on debian-devel T635