proxy_role/overlay/Linux/etc/firewall.conf.whonix

233 lines
11 KiB
Plaintext
Raw Normal View History

2024-01-06 01:57:28 +00:00
# firewall.conf.new.9
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
#D#-A INPUT -j LOG --log-prefix "iptables_mangle_END-i: " --log-uid
-A POSTROUTING -j LIBVIRT_PRT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
# was ! -o lo - -o wlan6
# let resolve.conf redirect to lo - this rule cannot be removed
#-A OUTPUT -o wlan6 -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53
#-A OUTPUT -o wlan6 -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53
# .onion mapped addresses redirection to Tor.
###-A OUTPUT -d 172.16.0.0/12 -p tcp -j DNAT --to-destination 127.0.0.1:9040
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 10.0.2.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 10.0.2.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
#D#-A INPUT -j LOG --log-prefix "iptables_filter_BEGIN-i: firewall.conf.new.9" --log-uid
# blocks wlan
-A INPUT -s 217.182.196.70 -p tcp -j DROP
-A INPUT -s 185.213.20.105 -p tcp -j DROP
-A INPUT -s 185.32.222.237 -p tcp -j DROP
-A INPUT -s 92.223.105.174 -p tcp -j DROP
-A INPUT -s 195.201.168.111 -p tcp -j DROP
-A INPUT -s 51.15.115.217 -p tcp -j DROP
-A INPUT -s 89.163.224.33 -p tcp -j DROP
-A INPUT -s 130.193.15.49 -p tcp -j DROP
-A INPUT -s 95.216.19.207 -p tcp -j DROP
-A INPUT -s 176.158.122.84 -p tcp -j DROP
-A INPUT -s 80.66.135.13 -p tcp -j DROP
-A INPUT -s 176.9.118.73 -p tcp -j DROP
-A INPUT -s 109.236.90.209 -p tcp -j DROP
-A INPUT -s 51.79.22.224 -m tcp -p tcp -j DROP
-A INPUT -s 37.191.192.147 -m tcp -p tcp -j DROP
-A INPUT -s 5.1.56.52 -m tcp -p tcp -j DROP
-A INPUT -s 5.39.72.2 -m tcp -p tcp -j DROP
-A INPUT -s 51.38.81.39 -m tcp -p tcp -j DROP
-A INPUT -s 136.243.4.139 -m tcp -p tcp -j DROP
-A INPUT -s 95.211.136.23 -m tcp -p tcp -j DROP
## DROP INVALID
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m state --state INVALID -j DROP
## DROP INVALID SYN PACKETS
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
-A INPUT -f -j DROP
## DROP INCOMING MALFORMED XMAS PACKETS
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
## DROP INCOMING MALFORMED NULL PACKETS
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
### this is required for outgoing pings
-A INPUT -i wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
-A INPUT -i wlan6 -p icmp -j ACCEPT
#!-A INPUT -i wlan6 -m owner --gid-owner 226 -p udp --sport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
#!-A INPUT -i wlan6 -m udp -p udp --sport 123 -m owner --gid-owner 226 -j ACCEPT
#!-A INPUT -i wlan6 -m owner --uid-owner 0 -p udp --sport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
#!-A INPUT -i wlan6 -p udp --sport 123 -m owner --uid-owner 0 -j ACCEPT
#!-A INPUT -i wlan6 -p udp --sport 123 -m owner --uid-owner 0 -j ACCEPT
#!!-A INPUT -i wlan6 -p tcp -m owner --gid-owner 216 -j ACCEPT
#!!-A INPUT -i wlan6 -p tcp -m owner --gid-owner 1 -j ACCEPT
#!!-A INPUT -i wlan6 -p tcp -m owner --gid-owner 115 -j ACCEPT
### let dhcp through?
#?-A INPUT -p udp --sport 68 -j ACCEPT
#?-A INPUT -p udp --sport 67 -j ACCEPT
-A INPUT -i wlan6 -p udp --sport 137 -j DROP
-A INPUT -i wlan6 -p udp --sport 138 -j DROP
-A INPUT -i wlan6 -p udp --sport 139 -j DROP
### this is required for outgoing pings
-A INPUT -i virbr1 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
-A INPUT -i virbr1 -p icmp -j ACCEPT
-A INPUT -i virbr1 -p tcp --sport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-i: "
-A INPUT -i virbr1 -p tcp --sport 22 -j ACCEPT
-A INPUT -i virbr1 -p tcp --sport 9128 -j LOG --log-uid --log-prefix "iptables_9128_ACCEPT-i: "
-A INPUT -i virbr1 -p tcp --sport 9128 -j ACCEPT
-A INPUT -i virbr1 -p tcp --sport 9040 -j LOG --log-uid --log-prefix "iptables_9040_ACCEPT-i: "
-A INPUT -i virbr1 -p tcp --sport 9040 -j ACCEPT
-A INPUT -i virbr1 -p tcp --sport 9050 -j LOG --log-uid --log-prefix "iptables_9050_ACCEPT-i: "
-A INPUT -i virbr1 -p tcp --sport 9050 -j ACCEPT
-A INPUT -i virbr1 -p udp --sport 9053 -j LOG --log-uid --log-prefix "iptables_9053_ACCEPT-i: "
-A INPUT -i virbr1 -p udp --sport 9053 -j ACCEPT
-A INPUT -i virbr1 -p udp --sport 7001 -j LOG --log-uid --log-prefix "iptables_7001_ACCEPT-i: "
-A INPUT -i virbr1 -p udp --sport 7001 -j ACCEPT
#D#-A INPUT -j LOG --log-prefix "IPTABLES_filter_DROP-i: " --log-uid
#D#-A INPUT -j DROP
##-A FORWARD -j LOG --log-prefix "IPTABLES_forward_DROP-i: " --log-uid
##-A FORWARD -j REJECT --reject-with icmp-admin-prohibited
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
-A OUTPUT -o wlan6 -p icmp -j ACCEPT
## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
#? WHY?!
##-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
##-A OUTPUT -d 10.16.238.0/24 -j ACCEPT
##-A OUTPUT -d 10.152.152.0/24 -j ACCEPT
##-A OUTPUT -d 10.0.2.0/24 -j ACCEPT
# The ntp user is allowed to connect to services listening on the ntp port...
# If root runs ntpdate manually you will see requests to port 53 UID=0
-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p udp --dport 123 -j ACCEPT
-A OUTPUT -o wlan6 -m owner --uid-owner 0 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
-A OUTPUT -o wlan6 -m owner --uid-owner 0 -p udp --dport 123 -j ACCEPT
-A OUTPUT -o wlan6 -p tcp --dport 22 -j LOG --log-uid --log-prefix "IPTABLES_ssh_REJECT-o: "
-A OUTPUT -o wlan6 -p tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o wlan6 -m owner --gid-owner 216 -j ACCEPT
-A OUTPUT -o wlan6 -m owner --gid-owner 115 -j ACCEPT
-A OUTPUT -o wlan6 -m owner --gid-owner 1 -j ACCEPT
-A OUTPUT -o virbr1 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
-A OUTPUT -o virbr1 -p icmp -j ACCEPT
-A OUTPUT -o virbr1 -p tcp --dport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 22 -j ACCEPT
-A OUTPUT -o virbr1 -p tcp --dport 9128 -j LOG --log-uid --log-prefix "iptables_9128_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 9128 -j ACCEPT
-A OUTPUT -o virbr1 -p tcp --dport 9040 -j LOG --log-uid --log-prefix "iptables_9040_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 9040 -j ACCEPT
-A OUTPUT -o virbr1 -p tcp --dport 9050 -j LOG --log-uid --log-prefix "iptables_9050_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 9050 -j ACCEPT
-A OUTPUT -o virbr1 -p udp --dport 9053 -j LOG --log-uid --log-prefix "iptables_9053_ACCEPT-o: "
-A OUTPUT -o virbr1 -p udp --dport 9053 -j ACCEPT
-A OUTPUT -o virbr1 -p tcp --dport 7001 -j LOG --log-uid --log-prefix "iptables_7001_ACCEPT-o: "
-A OUTPUT -o virbr1 -p tcp --dport 7001 -j ACCEPT
#??-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j RETURN
#?-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -j LIBVIRT_OUT
# blocks virbr1
-A LIBVIRT_FWI -s 217.182.196.70 -p tcp -j DROP
-A LIBVIRT_FWI -s 185.213.20.105 -p tcp -j DROP
-A LIBVIRT_FWI -s 185.32.222.237 -p tcp -j DROP
-A LIBVIRT_FWI -s 92.223.105.174 -p tcp -j DROP
-A LIBVIRT_FWI -s 195.201.168.111 -p tcp -j DROP
-A LIBVIRT_FWI -s 51.15.115.217 -p tcp -j DROP
-A LIBVIRT_FWI -s 89.163.224.33 -p tcp -j DROP
-A LIBVIRT_FWI -s 130.193.15.49 -p tcp -j DROP
-A LIBVIRT_FWI -s 95.216.19.207 -p tcp -j DROP
-A LIBVIRT_FWI -s 176.158.122.84 -p tcp -j DROP
-A LIBVIRT_FWI -s 80.66.135.13 -p tcp -j DROP
-A LIBVIRT_FWI -s 176.9.118.73 -p tcp -j DROP
-A LIBVIRT_FWI -s 109.236.90.209 -p tcp -j DROP
-A LIBVIRT_FWI -s 51.79.22.224 -m tcp -p tcp -j DROP
-A LIBVIRT_FWI -s 37.191.192.147 -m tcp -p tcp -j DROP
-A LIBVIRT_FWI -s 5.1.56.52 -m tcp -p tcp -j DROP
-A LIBVIRT_FWI -s 5.39.72.2 -m tcp -p tcp -j DROP
-A LIBVIRT_FWI -s 51.38.81.39 -m tcp -p tcp -j DROP
-A LIBVIRT_FWI -s 136.243.4.139 -m tcp -p tcp -j DROP
-A LIBVIRT_FWI -s 95.211.136.23 -m tcp -p tcp -j DROP
# Drop any TCP Acknowlegements they are not needed an they trigger the logs
# https://serverfault.com/questions/578735/for-what-is-a-general-allow-ack-rule-in-iptables-good-for
# This creates a hole in the firewall big enough to portscan through;
# nmap even has a flag to do an ACK scan which this rule will permit. Michael Hampton
# -A LIBVIRT_FWI -i wlan6 -m tcp -p tcp --tcp-flags ACK ACK -j DROP
-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
-A LIBVIRT_FWI -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 10.0.2.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virbr2 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i virbr2 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 10.0.2.0/24 -i virbr1 -j ACCEPT
-A LIBVIRT_FWO -i virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr2 -o virbr2 -j ACCEPT
-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
# FixMe: sic this is what libvirt did -i --dport
# FixMe: I will disable them as I dont think theyre needed
#no -A LIBVIRT_INP -i virbr2 -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i virbr2 -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i virbr2 -p udp --dport 67 -j ACCEPT
#no -A LIBVIRT_INP -i virbr2 -p tcp --dport 67 -j ACCEPT
#no -A LIBVIRT_INP -i virbr1 -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i virbr1 -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i virbr1 -p udp --dport 67 -j ACCEPT
#no -A LIBVIRT_INP -i virbr1 -p tcp --dport 67 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr2 -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr2 -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr2 -p udp --dport 68 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr2 -p tcp --dport 68 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr1 -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr1 -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr1 -p udp --dport 68 -j ACCEPT
#no -A LIBVIRT_OUT -o virbr1 -p tcp --dport 68 -j ACCEPT
-A OUTPUT -j LOG --log-uid --log-prefix "IPTABLES_filter_DROP-o: "
-A OUTPUT -j DROP
COMMIT
# Completed on Wed Nov 4 01:14:37 2020
# Whonix firewall for wlan6 10.16.238.64 10.16.238.64/24 LIBVIRT_FW=1
# WORKS with Gateway tor - ssh