first

overlay/Linux/etc/firewall.conf.block

@@ -0,0 +1,13 @@
+# Add your spoofed IP range/IPs here
+0.0.0.0/8
+127.0.0.0/8
+10.0.0.0/8
+172.16.0.0/12
+192.168.0.0/16
+224.0.0.0/3
+#
+51.79.22.224/32
+37.191.192.147/32
+5.1.56.52/32
+5.39.72.2/32
+71.143.196.76/32

overlay/Linux/etc/firewall.conf.blocks.dig

@@ -0,0 +1,143 @@
+
+; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 95.211.136.23
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31931
+;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
+
+;; QUESTION SECTION:
+;23.136.211.95.in-addr.arpa.	IN	PTR
+
+;; Query time: 1282 msec
+;; SERVER: 127.0.0.1#53(127.0.0.1)
+;; WHEN: Fri Dec 11 07:40:43 UTC 2020
+;; MSG SIZE  rcvd: 44
+
+
+; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 51.79.22.224
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64446
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
+
+;; QUESTION SECTION:
+;224.22.79.51.in-addr.arpa.	IN	PTR
+
+;; ANSWER SECTION:
+REVERSE[224.22.79.51.in-addr.arpa]. 60 IN PTR	ip224.ip-51-79-22.net.
+
+;; Query time: 1 msec
+;; SERVER: 127.0.0.1#53(127.0.0.1)
+;; WHEN: Fri Dec 11 07:45:05 UTC 2020
+;; MSG SIZE  rcvd: 112
+
+
+; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 37.191.192.147
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21844
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;147.192.191.37.in-addr.arpa.	IN	PTR
+
+;; ANSWER SECTION:
+147.192.191.37.in-addr.arpa. 3261 IN	PTR	host-37-191-192-147.lynet.no.
+
+;; Query time: 0 msec
+;; SERVER: 127.0.0.1#53(127.0.0.1)
+;; WHEN: Fri Dec 11 07:45:05 UTC 2020
+;; MSG SIZE  rcvd: 98
+
+
+; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 5.1.56.52
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13766
+;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
+
+;; QUESTION SECTION:
+;52.56.1.5.in-addr.arpa.		IN	PTR
+
+;; Query time: 192 msec
+;; SERVER: 127.0.0.1#53(127.0.0.1)
+;; WHEN: Fri Dec 11 07:45:05 UTC 2020
+;; MSG SIZE  rcvd: 40
+
+
+; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 5.39.72.2
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59857
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;2.72.39.5.in-addr.arpa.		IN	PTR
+
+;; ANSWER SECTION:
+2.72.39.5.in-addr.arpa.	3335	IN	PTR	ns3065363.ip-5-39-72.eu.
+
+;; Query time: 0 msec
+;; SERVER: 127.0.0.1#53(127.0.0.1)
+;; WHEN: Fri Dec 11 07:45:05 UTC 2020
+;; MSG SIZE  rcvd: 88
+
+
+; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 51.38.81.39
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24210
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;39.81.38.51.in-addr.arpa.	IN	PTR
+
+;; ANSWER SECTION:
+39.81.38.51.in-addr.arpa. 3336	IN	PTR	vps-87b023ab.vps.ovh.net.
+
+;; Query time: 0 msec
+;; SERVER: 127.0.0.1#53(127.0.0.1)
+;; WHEN: Fri Dec 11 07:45:05 UTC 2020
+;; MSG SIZE  rcvd: 91
+
+
+; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 136.243.4.139
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25018
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;139.4.243.136.in-addr.arpa.	IN	PTR
+
+;; ANSWER SECTION:
+139.4.243.136.in-addr.arpa. 3336 IN	PTR	static.139.4.243.136.clients.your-server.de.
+
+;; Query time: 0 msec
+;; SERVER: 127.0.0.1#53(127.0.0.1)
+;; WHEN: Fri Dec 11 07:45:05 UTC 2020
+;; MSG SIZE  rcvd: 112
+
+
+; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 95.211.136.23
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23102
+;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
+
+;; QUESTION SECTION:
+;23.136.211.95.in-addr.arpa.	IN	PTR
+
+;; Query time: 192 msec
+;; SERVER: 127.0.0.1#53(127.0.0.1)
+;; WHEN: Fri Dec 11 07:45:05 UTC 2020
+;; MSG SIZE  rcvd: 44
+

overlay/Linux/etc/firewall.conf.gateway

@@ -0,0 +1,134 @@
+# Generated by xtables-save v1.8.2 on Sat Dec 12 13:40:39 2020
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -m state --state INVALID -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+-A INPUT -f -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp --dport 9050 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp --dport 9053 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp --dport 9040 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp --dport 9128 -j ACCEPT
+-A INPUT -i eth1 -p udp -m udp --dport 5300 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9040 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9051 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9124 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9104 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9111 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9117 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9107 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9123 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9105 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9103 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9101 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9122 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9121 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9120 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9113 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9112 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9118 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9108 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9106 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9100 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9150 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9115 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9116 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9102 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9119 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9050 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9109 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9110 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9114 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp --dport 9125 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m multiport --dports 9152:9189 -j ACCEPT
+-A INPUT -i eth0 -p udp -m udp --dport 9053 -j ACCEPT
+-A INPUT -j DROP
+-A FORWARD -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
+-A OUTPUT -m iprange --dst-range 127.0.0.0-127.0.0.24 -j ACCEPT
+-A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.0.24 -j ACCEPT
+-A OUTPUT -m iprange --dst-range 192.168.1.0-192.168.1.24 -j ACCEPT
+-A OUTPUT -m iprange --dst-range 10.152.152.0-10.152.152.24 -j ACCEPT
+-A OUTPUT -m iprange --dst-range 10.0.2.2-10.0.2.24 -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -m owner --uid-owner 108 -j ACCEPT
+-A OUTPUT -m owner --uid-owner 106 -j ACCEPT
+-A OUTPUT -m owner --uid-owner 105 -j ACCEPT
+-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
+COMMIT
+# Completed on Sat Dec 12 13:40:40 2020
+# Generated by xtables-save v1.8.2 on Sat Dec 12 13:40:40 2020
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9051 -j REDIRECT --to-ports 9051
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9124 -j REDIRECT --to-ports 9124
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9104 -j REDIRECT --to-ports 9104
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9111 -j REDIRECT --to-ports 9111
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9117 -j REDIRECT --to-ports 9117
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9107 -j REDIRECT --to-ports 9107
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9123 -j REDIRECT --to-ports 9123
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9105 -j REDIRECT --to-ports 9105
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9103 -j REDIRECT --to-ports 9103
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9101 -j REDIRECT --to-ports 9101
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9122 -j REDIRECT --to-ports 9122
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9121 -j REDIRECT --to-ports 9121
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9120 -j REDIRECT --to-ports 9120
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9113 -j REDIRECT --to-ports 9113
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9112 -j REDIRECT --to-ports 9112
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9118 -j REDIRECT --to-ports 9118
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9108 -j REDIRECT --to-ports 9108
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9106 -j REDIRECT --to-ports 9106
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9100 -j REDIRECT --to-ports 9100
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9150 -j REDIRECT --to-ports 9150
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9115 -j REDIRECT --to-ports 9115
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9116 -j REDIRECT --to-ports 9116
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9102 -j REDIRECT --to-ports 9102
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9119 -j REDIRECT --to-ports 9119
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9050 -j REDIRECT --to-ports 9050
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9109 -j REDIRECT --to-ports 9109
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9110 -j REDIRECT --to-ports 9110
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9114 -j REDIRECT --to-ports 9114
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9125 -j REDIRECT --to-ports 9125
+-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9152:9189 -j REDIRECT
+-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5300
+-A PREROUTING -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
+-A OUTPUT -m owner --uid-owner 108 -j RETURN
+-A OUTPUT -m owner --uid-owner 106 -j RETURN
+-A OUTPUT -m owner --uid-owner 105 -j RETURN
+-A OUTPUT -m iprange --dst-range 127.0.0.0-127.0.0.24 -j RETURN
+-A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.0.24 -j RETURN
+-A OUTPUT -m iprange --dst-range 192.168.1.0-192.168.1.24 -j RETURN
+-A OUTPUT -m iprange --dst-range 10.152.152.0-10.152.152.24 -j RETURN
+-A OUTPUT -m iprange --dst-range 10.0.2.2-10.0.2.24 -j RETURN
+COMMIT
+# Completed on Sat Dec 12 13:40:40 2020
+# Generated by xtables-save v1.8.2 on Sat Dec 12 13:40:40 2020
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Sat Dec 12 13:40:40 2020

overlay/Linux/etc/firewall.conf.host

@@ -0,0 +1,183 @@
+# -*-mode: conf[Space]; tab-width: 8; coding: utf-8-unix -*-
+# firewall.bash.libvirt.9
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:LIBVIRT_PRT - [0:0]
+#D#-A INPUT -j LOG --log-prefix "iptables_mangle_END-i: " --log-uid
+-A POSTROUTING -j LIBVIRT_PRT
+COMMIT
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:LIBVIRT_PRT - [0:0]
+# was ! -o lo - -o wlan4
+# let resolve.conf redirect to lo - this rule cannot be removed
+#-A OUTPUT -o wlan4 -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53
+#-A OUTPUT -o wlan4 -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53
+
+# .onion mapped addresses redirection to Tor.
+###-A OUTPUT -d 172.16.0.0/12 -p tcp -j DNAT --to-destination 127.0.0.1:9040
+## Log.
+#D-A INPUT -j LOG --log-prefix "iptables_nat_END-i: " --log-uid
+-A POSTROUTING -j LIBVIRT_PRT
+-A LIBVIRT_PRT -s 10.0.2.0/24 -d 224.0.0.0/24 -j RETURN
+-A LIBVIRT_PRT -s 10.0.2.0/24 -d 255.255.255.255/32 -j RETURN
+-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
+-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
+-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -j MASQUERADE
+COMMIT
+
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+:LIBVIRT_FWI - [0:0]
+:LIBVIRT_FWO - [0:0]
+:LIBVIRT_FWX - [0:0]
+:LIBVIRT_INP - [0:0]
+:LIBVIRT_OUT - [0:0]
+
+#D#-A INPUT -j LOG --log-prefix "iptables_filter_BEGIN-i: firewall.conf.new.9" --log-uid
+# blocks
+-A INPUT -i wlan6 -s 5.1.56.52 -p tcp -j DROP
+-A INPUT -i wlan6 -s 5.39.72.2 -p tcp -j DROP
+-A INPUT -i wlan4 -s 37.191.192.147 -p tcp -j DROP
+-A INPUT -i wlan4 -s 51.79.22.224 -p tcp -j DROP
+
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -m state --state INVALID -j DROP
+-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
+-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+-A INPUT -f -j DROP
+-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state ESTABLISHED -j ACCEPT
+### this is required for outgoing pings
+-A INPUT -i wlan4 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
+-A INPUT -i wlan4 -p icmp -j ACCEPT
+
+# these are NOT needed
+#!-A INPUT -i wlan4 -m owner --gid-owner 226 -p udp --sport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
+#!-A INPUT -i wlan4 -m owner --gid-owner 226 -p udp --sport 123 -j ACCEPT
+#!-A INPUT -i wlan4 -m owner --uid-owner 0 -p udp --sport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
+#!-A INPUT -i wlan4 -m owner --uid-owner 0 -p udp --sport 123 -j ACCEPT
+# these are NOT needed
+#!-A INPUT -i wlan4 -p tcp -m owner --gid-owner 1 -j ACCEPT
+# these are NOT needed
+#!-A INPUT -i wlan4 -p tcp -m owner --gid-owner 216 -j ACCEPT
+#?# let dhcp through?
+#?-A INPUT -p udp --sport 68 -j ACCEPT
+#?-A INPUT -p udp --sport 67 -j ACCEPT
+-A INPUT -i wlan4 -p udp --sport 137 -j DROP
+-A INPUT -i wlan4 -p udp --sport 138 -j DROP
+-A INPUT -i wlan4 -p udp --sport 139 -j DROP
+### this is required for outgoing pings
+-A INPUT -i virbr1 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
+-A INPUT -i virbr1 -p icmp -j ACCEPT
+#D#-A INPUT -i virbr1 -p tcp --sport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-i: "
+-A INPUT -i virbr1 -p tcp --sport 22 -j ACCEPT
+#D#-A INPUT -i virbr1 -p tcp --sport 9128 -j LOG --log-uid --log-prefix "iptables_9128_ACCEPT-i: "
+-A INPUT -i virbr1 -p tcp --sport 9128 -j ACCEPT
+#D#-A INPUT -i virbr1 -p tcp --sport 9050 -j LOG --log-uid --log-prefix "iptables_9050_ACCEPT-i: "
+-A INPUT -i virbr1 -p tcp --sport 9050 -j ACCEPT
+#D#-A INPUT -i virbr1 -p tcp --sport 7001 -j LOG --log-uid --log-prefix "iptables_7001_ACCEPT-i: "
+-A INPUT -i virbr1 -p tcp --sport 7001 -j ACCEPT
+#D#-A INPUT -i virbr1 -p udp --sport 9053 -j LOG --log-uid --log-prefix "iptables_9053_ACCEPT-i: "
+-A INPUT -i virbr1 -p udp --sport 9053 -j ACCEPT
+#D#-A INPUT -j LOG --log-prefix "IPTABLES_filter_DROP-i: " --log-uid
+#D#-A INPUT -j DROP
+-A INPUT -j LIBVIRT_INP
+
+-A FORWARD -j LIBVIRT_FWX
+-A FORWARD -j LIBVIRT_FWI
+-A FORWARD -j LIBVIRT_FWO
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
+#D#-A OUTPUT -o wlan4 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
+-A OUTPUT -o wlan4 -p icmp -j ACCEPT
+#?-A OUTPUT -d 10.16.238.81/24 -j ACCEPT
+#?-A OUTPUT -d 10.152.152.0/24 -j ACCEPT
+#?-A OUTPUT -d 10.0.2.0/24 -j ACCEPT
+
+# The ntp user is allowed to connect to services listening on the ntp port...
+# If root runs ntpdate manually you will see requests to port 53 UID=0
+#D#-A OUTPUT -o wlan4 -m owner --gid-owner 226 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
+-A OUTPUT -o wlan4 -m owner --gid-owner 226 -p udp --dport 123 -j ACCEPT
+#D#-A OUTPUT -o wlan4 -m owner --uid-owner 0 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
+-A OUTPUT -o wlan4 -m owner --uid-owner 0 -p udp --dport 123 -j ACCEPT
+# ssh - specifically forbid ssh out the wlan
+-A OUTPUT -o wlan4 -p tcp --dport 22 -j LOG --log-uid --log-prefix "IPTABLES_ssh_REJECT-o: "
+-A OUTPUT -o wlan4 -p tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
+-A OUTPUT -o wlan4 -m owner --gid-owner 1 -j ACCEPT
+# necessary and sufficient
+-A OUTPUT -o wlan4 -m owner --gid-owner 216 -j ACCEPT
+#D#-A OUTPUT -o virbr1 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
+-A OUTPUT -o virbr1 -p icmp -j ACCEPT
+#D#-A OUTPUT -o virbr1 -p tcp --dport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-o: "
+-A OUTPUT -o virbr1 -p tcp --dport 22 -j ACCEPT
+#D#-A OUTPUT -o virbr1 -p tcp --dport 9128 -j LOG --log-uid --log-prefix "iptables_9128_ACCEPT-o: "
+-A OUTPUT -o virbr1 -p tcp --dport 9128 -j ACCEPT
+#D#-A OUTPUT -o virbr1 -p tcp --dport 9050 -j LOG --log-uid --log-prefix "iptables_9050_ACCEPT-o: "
+-A OUTPUT -o virbr1 -p tcp --dport 9050 -j ACCEPT
+#D#-A OUTPUT -o virbr1 -p tcp --dport 7001 -j LOG --log-uid --log-prefix "iptables_7001_ACCEPT-o: "
+-A OUTPUT -o virbr1 -p tcp --dport 7001 -j ACCEPT
+#D#-A OUTPUT -o virbr1 -p udp --dport 9053 -j LOG --log-uid --log-prefix "iptables_9053_ACCEPT-o: "
+-A OUTPUT -o virbr1 -p udp --dport 9053 -j ACCEPT
+#??-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j RETURN
+#?-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
+-A OUTPUT -j LIBVIRT_OUT
+-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
+-A LIBVIRT_FWI -o virbr2 -j REJECT --reject-with icmp-port-unreachable
+
+-A LIBVIRT_FWI -d 10.0.2.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
+-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
+
+-A LIBVIRT_FWO -i virbr2 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
+-A LIBVIRT_FWO -i virbr2 -j REJECT --reject-with icmp-port-unreachable
+
+-A LIBVIRT_FWO -s 10.0.2.0/24 -i virbr1 -j ACCEPT
+
+-A LIBVIRT_FWO -i virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
+-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
+
+-A LIBVIRT_FWX -i virbr2 -o virbr2 -j ACCEPT
+-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
+
+# FixMe: sic this is what libvirt did -i --dport
+# FixMe: I will disable them as I dont think theyre needed or wanted
+#no -A LIBVIRT_INP -i virbr2 -p udp --dport 53 -j ACCEPT
+#no -A LIBVIRT_INP -i virbr2 -p tcp --dport 53 -j ACCEPT
+#no -A LIBVIRT_INP -i virbr2 -p udp --dport 67 -j ACCEPT
+#no -A LIBVIRT_INP -i virbr2 -p tcp --dport 67 -j ACCEPT
+#no
+#no # FixMe:sic this is what libvirt did -i --dport
+#no -A LIBVIRT_INP -i virbr1 -p udp --dport 53 -j ACCEPT
+#no -A LIBVIRT_INP -i virbr1 -p tcp --dport 53 -j ACCEPT
+#no -A LIBVIRT_INP -i virbr1 -p udp --dport 67 -j ACCEPT
+#no -A LIBVIRT_INP -i virbr1 -p tcp --dport 67 -j ACCEPT
+#no
+#no -A LIBVIRT_OUT -o virbr2 -p udp --dport 53 -j ACCEPT
+#no -A LIBVIRT_OUT -o virbr2 -p tcp --dport 53 -j ACCEPT
+#no -A LIBVIRT_OUT -o virbr2 -p udp --dport 68 -j ACCEPT
+#no -A LIBVIRT_OUT -o virbr2 -p tcp --dport 68 -j ACCEPT
+#no
+#no -A LIBVIRT_OUT -o virbr1 -p udp --dport 53 -j ACCEPT
+#no -A LIBVIRT_OUT -o virbr1 -p tcp --dport 53 -j ACCEPT
+#no -A LIBVIRT_OUT -o virbr1 -p udp --dport 68 -j ACCEPT
+#no -A LIBVIRT_OUT -o virbr1 -p tcp --dport 68 -j ACCEPT
+-A OUTPUT -j LOG --log-uid --log-prefix "IPTABLES_filter_DROP-o: "
+#D#-A OUTPUT -j DROP
+COMMIT
+# Generated Mon 23 Nov 2020 10:02:17 PM UTC
+# Whonix firewall for wlan=wlan4 IP=10.16.238.81 NET=10.16.238.81/24 LIBVIRT_FW=1

overlay/Linux/etc/firewall.conf.vda

@@ -0,0 +1,53 @@
+# Generated by xtables-save v1.8.2 on Mon Nov 23 20:47:58 2020
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -m state --state INVALID -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+-A INPUT -f -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 7001 -j ACCEPT
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -j REJECT --reject-with icmp-port-unreachable
+-A FORWARD -j DROP
+-A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -d 10.152.152.10/32 -p udp -m udp --dport 53 -j ACCEPT
+-A OUTPUT -d 10.152.152.10/32 -p udp -m udp --dport 53 -j ACCEPT
+-A OUTPUT ! -p tcp -j REJECT --reject-with icmp-port-unreachable
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
+COMMIT
+# Completed on Mon Nov 23 20:47:58 2020
+# Generated by xtables-save v1.8.2 on Mon Nov 23 20:47:58 2020
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Mon Nov 23 20:47:58 2020
+# Generated by xtables-save v1.8.2 on Mon Nov 23 20:47:58 2020
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Mon Nov 23 20:47:58 2020

overlay/Linux/etc/firewall.conf.whonix

@@ -0,0 +1,232 @@
+# firewall.conf.new.9
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:LIBVIRT_PRT - [0:0]
+#D#-A INPUT -j LOG --log-prefix "iptables_mangle_END-i: " --log-uid
+-A POSTROUTING -j LIBVIRT_PRT
+COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:LIBVIRT_PRT - [0:0]
+# was ! -o lo - -o wlan6
+# let resolve.conf redirect to lo - this rule cannot be removed
+#-A OUTPUT -o wlan6 -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53
+#-A OUTPUT -o wlan6 -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53
+
+# .onion mapped addresses redirection to Tor.
+###-A OUTPUT -d 172.16.0.0/12 -p tcp -j DNAT --to-destination 127.0.0.1:9040
+
+-A POSTROUTING -j LIBVIRT_PRT
+-A LIBVIRT_PRT -s 10.0.2.0/24 -d 224.0.0.0/24 -j RETURN
+-A LIBVIRT_PRT -s 10.0.2.0/24 -d 255.255.255.255/32 -j RETURN
+-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
+-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
+-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -j MASQUERADE
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+:LIBVIRT_FWI - [0:0]
+:LIBVIRT_FWO - [0:0]
+:LIBVIRT_FWX - [0:0]
+:LIBVIRT_INP - [0:0]
+:LIBVIRT_OUT - [0:0]
+
+#D#-A INPUT -j LOG --log-prefix "iptables_filter_BEGIN-i: firewall.conf.new.9" --log-uid
+
+# blocks wlan
+-A INPUT -s 217.182.196.70 -p tcp -j DROP
+-A INPUT -s 185.213.20.105 -p tcp -j DROP
+-A INPUT -s 185.32.222.237 -p tcp -j DROP
+-A INPUT -s 92.223.105.174 -p tcp -j DROP
+-A INPUT -s 195.201.168.111 -p tcp -j DROP
+-A INPUT -s 51.15.115.217 -p tcp -j DROP
+-A INPUT -s 89.163.224.33 -p tcp -j DROP
+-A INPUT -s 130.193.15.49 -p tcp -j DROP
+-A INPUT -s 95.216.19.207 -p tcp -j DROP
+-A INPUT -s 176.158.122.84 -p tcp -j DROP
+-A INPUT -s 80.66.135.13 -p tcp -j DROP
+-A INPUT -s 176.9.118.73 -p tcp -j DROP
+-A INPUT -s 109.236.90.209 -p tcp -j DROP
+-A INPUT -s 51.79.22.224 -m tcp -p tcp -j DROP
+-A INPUT -s 37.191.192.147 -m tcp -p tcp -j DROP
+-A INPUT -s 5.1.56.52 -m tcp -p tcp -j DROP
+-A INPUT -s 5.39.72.2 -m tcp -p tcp -j DROP
+-A INPUT -s 51.38.81.39 -m tcp -p tcp -j DROP
+-A INPUT -s 136.243.4.139 -m tcp -p tcp -j DROP
+-A INPUT -s 95.211.136.23 -m tcp -p tcp -j DROP
+
+## DROP INVALID
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -m state --state INVALID -j DROP
+
+## DROP INVALID SYN PACKETS
+-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
+-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+
+## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
+-A INPUT -f -j DROP
+## DROP INCOMING MALFORMED XMAS PACKETS
+-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+## DROP INCOMING MALFORMED NULL PACKETS
+-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state ESTABLISHED -j ACCEPT
+### this is required for outgoing pings
+-A INPUT -i wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
+-A INPUT -i wlan6 -p icmp -j ACCEPT
+
+#!-A INPUT -i wlan6 -m owner --gid-owner 226 -p udp --sport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
+#!-A INPUT -i wlan6 -m udp -p udp --sport 123 -m owner --gid-owner 226 -j ACCEPT
+#!-A INPUT -i wlan6 -m owner --uid-owner 0 -p udp --sport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
+#!-A INPUT -i wlan6 -p udp --sport 123 -m owner --uid-owner 0 -j ACCEPT
+#!-A INPUT -i wlan6 -p udp --sport 123 -m owner --uid-owner 0 -j ACCEPT
+#!!-A INPUT -i wlan6 -p tcp -m owner --gid-owner 216 -j ACCEPT
+#!!-A INPUT -i wlan6 -p tcp -m owner --gid-owner 1 -j ACCEPT
+#!!-A INPUT -i wlan6 -p tcp -m owner --gid-owner 115 -j ACCEPT
+
+### let dhcp through?
+#?-A INPUT -p udp --sport 68 -j ACCEPT
+#?-A INPUT -p udp --sport 67 -j ACCEPT
+-A INPUT -i wlan6 -p udp --sport 137 -j DROP
+-A INPUT -i wlan6 -p udp --sport 138 -j DROP
+-A INPUT -i wlan6 -p udp --sport 139 -j DROP
+### this is required for outgoing pings
+-A INPUT -i virbr1 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
+-A INPUT -i virbr1 -p icmp -j ACCEPT
+-A INPUT -i virbr1 -p tcp --sport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-i: "
+-A INPUT -i virbr1 -p tcp --sport 22 -j ACCEPT
+-A INPUT -i virbr1 -p tcp --sport 9128 -j LOG --log-uid --log-prefix "iptables_9128_ACCEPT-i: "
+-A INPUT -i virbr1 -p tcp --sport 9128 -j ACCEPT
+-A INPUT -i virbr1 -p tcp --sport 9040 -j LOG --log-uid --log-prefix "iptables_9040_ACCEPT-i: "
+-A INPUT -i virbr1 -p tcp --sport 9040 -j ACCEPT
+-A INPUT -i virbr1 -p tcp --sport 9050 -j LOG --log-uid --log-prefix "iptables_9050_ACCEPT-i: "
+-A INPUT -i virbr1 -p tcp --sport 9050 -j ACCEPT
+-A INPUT -i virbr1 -p udp --sport 9053 -j LOG --log-uid --log-prefix "iptables_9053_ACCEPT-i: "
+-A INPUT -i virbr1 -p udp --sport 9053 -j ACCEPT
+-A INPUT -i virbr1 -p udp --sport 7001 -j LOG --log-uid --log-prefix "iptables_7001_ACCEPT-i: "
+-A INPUT -i virbr1 -p udp --sport 7001 -j ACCEPT
+
+#D#-A INPUT -j LOG --log-prefix "IPTABLES_filter_DROP-i: " --log-uid
+#D#-A INPUT -j DROP
+##-A FORWARD -j LOG --log-prefix "IPTABLES_forward_DROP-i: " --log-uid
+##-A FORWARD -j REJECT --reject-with icmp-admin-prohibited
+-A INPUT -j LIBVIRT_INP
+-A FORWARD -j LIBVIRT_FWX
+-A FORWARD -j LIBVIRT_FWI
+-A FORWARD -j LIBVIRT_FWO
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
+-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
+-A OUTPUT -o wlan6 -p icmp -j ACCEPT
+## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
+#? WHY?!
+##-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
+##-A OUTPUT -d 10.16.238.0/24 -j ACCEPT
+##-A OUTPUT -d 10.152.152.0/24 -j ACCEPT
+##-A OUTPUT -d 10.0.2.0/24 -j ACCEPT
+
+# The ntp user is allowed to connect to services listening on the ntp port...
+# If root runs ntpdate manually you will see requests to port 53 UID=0
+-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
+-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p udp --dport 123 -j ACCEPT
+-A OUTPUT -o wlan6 -m owner --uid-owner 0 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
+-A OUTPUT -o wlan6 -m owner --uid-owner 0 -p udp --dport 123 -j ACCEPT
+-A OUTPUT -o wlan6 -p tcp --dport 22 -j LOG --log-uid --log-prefix "IPTABLES_ssh_REJECT-o: "
+-A OUTPUT -o wlan6 -p tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
+-A OUTPUT -o wlan6 -m owner --gid-owner 216 -j ACCEPT
+-A OUTPUT -o wlan6 -m owner --gid-owner 115 -j ACCEPT
+-A OUTPUT -o wlan6 -m owner --gid-owner 1 -j ACCEPT
+-A OUTPUT -o virbr1 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
+-A OUTPUT -o virbr1 -p icmp -j ACCEPT
+-A OUTPUT -o virbr1 -p tcp --dport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-o: "
+-A OUTPUT -o virbr1 -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -o virbr1 -p tcp --dport 9128 -j LOG --log-uid --log-prefix "iptables_9128_ACCEPT-o: "
+-A OUTPUT -o virbr1 -p tcp --dport 9128 -j ACCEPT
+-A OUTPUT -o virbr1 -p tcp --dport 9040 -j LOG --log-uid --log-prefix "iptables_9040_ACCEPT-o: "
+-A OUTPUT -o virbr1 -p tcp --dport 9040 -j ACCEPT
+-A OUTPUT -o virbr1 -p tcp --dport 9050 -j LOG --log-uid --log-prefix "iptables_9050_ACCEPT-o: "
+-A OUTPUT -o virbr1 -p tcp --dport 9050 -j ACCEPT
+-A OUTPUT -o virbr1 -p udp --dport 9053 -j LOG --log-uid --log-prefix "iptables_9053_ACCEPT-o: "
+-A OUTPUT -o virbr1 -p udp --dport 9053 -j ACCEPT
+-A OUTPUT -o virbr1 -p tcp --dport 7001 -j LOG --log-uid --log-prefix "iptables_7001_ACCEPT-o: "
+-A OUTPUT -o virbr1 -p tcp --dport 7001 -j ACCEPT
+#??-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j RETURN
+#?-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
+-A OUTPUT -j LIBVIRT_OUT
+
+# blocks virbr1
+-A LIBVIRT_FWI -s 217.182.196.70 -p tcp -j DROP
+-A LIBVIRT_FWI -s 185.213.20.105 -p tcp -j DROP
+-A LIBVIRT_FWI -s 185.32.222.237 -p tcp -j DROP
+-A LIBVIRT_FWI -s 92.223.105.174 -p tcp -j DROP
+-A LIBVIRT_FWI -s 195.201.168.111 -p tcp -j DROP
+-A LIBVIRT_FWI -s 51.15.115.217 -p tcp -j DROP
+-A LIBVIRT_FWI -s 89.163.224.33 -p tcp -j DROP
+-A LIBVIRT_FWI -s 130.193.15.49 -p tcp -j DROP
+-A LIBVIRT_FWI -s 95.216.19.207 -p tcp -j DROP
+-A LIBVIRT_FWI -s 176.158.122.84 -p tcp -j DROP
+-A LIBVIRT_FWI -s 80.66.135.13 -p tcp -j DROP
+-A LIBVIRT_FWI -s 176.9.118.73 -p tcp -j DROP
+-A LIBVIRT_FWI -s 109.236.90.209 -p tcp -j DROP
+-A LIBVIRT_FWI -s 51.79.22.224 -m tcp -p tcp -j DROP
+-A LIBVIRT_FWI -s 37.191.192.147 -m tcp -p tcp -j DROP
+-A LIBVIRT_FWI -s 5.1.56.52 -m tcp -p tcp -j DROP
+-A LIBVIRT_FWI -s 5.39.72.2 -m tcp -p tcp -j DROP
+-A LIBVIRT_FWI -s 51.38.81.39 -m tcp -p tcp -j DROP
+-A LIBVIRT_FWI -s 136.243.4.139 -m tcp -p tcp -j DROP
+-A LIBVIRT_FWI -s 95.211.136.23 -m tcp -p tcp -j DROP
+
+# Drop any TCP Acknowlegements they are not needed an they trigger the logs
+# https://serverfault.com/questions/578735/for-what-is-a-general-allow-ack-rule-in-iptables-good-for
+# This creates a hole in the firewall big enough to portscan through; 
+# nmap even has a flag to do an ACK scan which this rule will permit.  Michael Hampton
+# -A LIBVIRT_FWI -i wlan6 -m tcp -p tcp --tcp-flags ACK ACK -j DROP
+
+-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
+-A LIBVIRT_FWI -o virbr2 -j REJECT --reject-with icmp-port-unreachable
+-A LIBVIRT_FWI -d 10.0.2.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
+-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
+-A LIBVIRT_FWO -i virbr2 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
+-A LIBVIRT_FWO -i virbr2 -j REJECT --reject-with icmp-port-unreachable
+-A LIBVIRT_FWO -s 10.0.2.0/24 -i virbr1 -j ACCEPT
+-A LIBVIRT_FWO -i virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
+-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
+-A LIBVIRT_FWX -i virbr2 -o virbr2 -j ACCEPT
+-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
+# FixMe: sic this is what libvirt did -i --dport
+# FixMe: I will disable them as I dont think theyre needed
+#no -A LIBVIRT_INP -i virbr2 -p udp --dport 53 -j ACCEPT
+#no -A LIBVIRT_INP -i virbr2 -p tcp --dport 53 -j ACCEPT
+#no -A LIBVIRT_INP -i virbr2 -p udp --dport 67 -j ACCEPT
+#no -A LIBVIRT_INP -i virbr2 -p tcp --dport 67 -j ACCEPT
+#no -A LIBVIRT_INP -i virbr1 -p udp --dport 53 -j ACCEPT
+#no -A LIBVIRT_INP -i virbr1 -p tcp --dport 53 -j ACCEPT
+#no -A LIBVIRT_INP -i virbr1 -p udp --dport 67 -j ACCEPT
+#no -A LIBVIRT_INP -i virbr1 -p tcp --dport 67 -j ACCEPT
+#no -A LIBVIRT_OUT -o virbr2 -p udp --dport 53 -j ACCEPT
+#no -A LIBVIRT_OUT -o virbr2 -p tcp --dport 53 -j ACCEPT
+#no -A LIBVIRT_OUT -o virbr2 -p udp --dport 68 -j ACCEPT
+#no -A LIBVIRT_OUT -o virbr2 -p tcp --dport 68 -j ACCEPT
+#no -A LIBVIRT_OUT -o virbr1 -p udp --dport 53 -j ACCEPT
+#no -A LIBVIRT_OUT -o virbr1 -p tcp --dport 53 -j ACCEPT
+#no -A LIBVIRT_OUT -o virbr1 -p udp --dport 68 -j ACCEPT
+#no -A LIBVIRT_OUT -o virbr1 -p tcp --dport 68 -j ACCEPT
+-A OUTPUT -j LOG --log-uid --log-prefix "IPTABLES_filter_DROP-o: "
+-A OUTPUT -j DROP
+COMMIT
+# Completed on Wed Nov  4 01:14:37 2020
+# Whonix firewall for wlan6 10.16.238.64 10.16.238.64/24 LIBVIRT_FW=1
+# WORKS with Gateway tor - ssh
+

overlay/Linux/etc/firewall.conf.ws

@@ -0,0 +1,52 @@
+# Generated by xtables-save v1.8.2 on Mon Nov 23 20:47:58 2020
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -m state --state INVALID -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+-A INPUT -f -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 7002 -j ACCEPT
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -j REJECT --reject-with icmp-port-unreachable
+-A FORWARD -j DROP
+-A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -d 10.152.152.10/32 -p udp -m udp --dport 53 -j ACCEPT
+-A OUTPUT -d 10.152.152.10/32 -p udp -m udp --dport 53 -j ACCEPT
+-A OUTPUT ! -p tcp -j REJECT --reject-with icmp-port-unreachable
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
+COMMIT
+# Completed on Mon Nov 23 20:47:58 2020
+# Generated by xtables-save v1.8.2 on Mon Nov 23 20:47:58 2020
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Mon Nov 23 20:47:58 2020
+# Generated by xtables-save v1.8.2 on Mon Nov 23 20:47:58 2020
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Mon Nov 23 20:47:58 2020

overlay/Linux/etc/gnupg/gpgconf.conf.tor

@@ -0,0 +1,89 @@
+# -*- mode: conf; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+# https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf
+#
+# This is an implementation of the Riseup OpenPGP Best Practices
+# https://help.riseup.net/en/security/message-security/openpgp/best-practices
+#
+
+
+#-----------------------------
+# default key
+#-----------------------------
+
+# The default key to sign with. If this option is not used, the default key is
+# the first key found in the secret keyring
+
+#default-key 0xD8692123C4065DEA5E0F3AB5249B39D24F25E3B6
+
+
+#-----------------------------
+# behavior
+#-----------------------------
+
+# Disable inclusion of the version string in ASCII armored output
+no-emit-version
+
+# Disable comment string in clear text signatures and ASCII armored messages
+no-comments
+
+# Display long key IDs
+keyid-format 0xlong
+
+# List all keys (or the specified ones) along with their fingerprints
+with-fingerprint
+
+# Display the calculated validity of user IDs during key listings
+list-options show-uid-validity
+verify-options show-uid-validity
+
+# Try to use the GnuPG-Agent. With this option, GnuPG first tries to connect to
+# the agent before it asks for a passphrase.
+use-agent
+
+
+#-----------------------------
+# keyserver
+#-----------------------------
+
+# This is the server that --recv-keys, --send-keys, and --search-keys will
+# communicate with to receive keys from, send keys to, and search for keys on
+keyserver hkps://keys.openpgp.org/
+
+# Set the proxy to use for HTTP and HKP keyservers - default to the standard
+# local Tor socks proxy
+# It is encouraged to use Tor for improved anonymity. Preferrably use either a
+# dedicated SOCKSPort for GnuPG and/or enable IsolateDestPort and
+# IsolateDestAddr
+keyserver-options http-proxy=http://localhost:3128
+
+# Don't leak DNS, see https://trac.torproject.org/projects/tor/ticket/2846
+# Debian! gpg: keyserver option 'no-try-dns-srv' is unknown
+#keyserver-options no-try-dns-srv
+
+# When using --refresh-keys, if the key in question has a preferred keyserver
+# URL, then disable use of that preferred keyserver to refresh the key from
+keyserver-options no-honor-keyserver-url
+
+# When searching for a key with --search-keys, include keys that are marked on
+# the keyserver as revoked
+keyserver-options include-revoked
+
+
+#-----------------------------
+# algorithm and ciphers
+#-----------------------------
+
+# list of personal digest preferences. When multiple digests are supported by
+# all recipients, choose the strongest one
+personal-cipher-preferences AES256 AES192 AES CAST5
+
+# list of personal digest preferences. When multiple ciphers are supported by
+# all recipients, choose the strongest one
+personal-digest-preferences SHA512 SHA384 SHA256 SHA224
+
+# message digest algorithm used when signing a key
+cert-digest-algo SHA512
+
+# This preference list is used for new keys and becomes the default for
+# "setpref" in the edit menu
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

overlay/Linux/etc/gnupg/gpgconf.conf.whonix

@@ -0,0 +1,89 @@
+# -*- mode: conf; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+# https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf
+#
+# This is an implementation of the Riseup OpenPGP Best Practices
+# https://help.riseup.net/en/security/message-security/openpgp/best-practices
+#
+
+
+#-----------------------------
+# default key
+#-----------------------------
+
+# The default key to sign with. If this option is not used, the default key is
+# the first key found in the secret keyring
+
+#default-key 0xD8692123C4065DEA5E0F3AB5249B39D24F25E3B6
+
+
+#-----------------------------
+# behavior
+#-----------------------------
+
+# Disable inclusion of the version string in ASCII armored output
+no-emit-version
+
+# Disable comment string in clear text signatures and ASCII armored messages
+no-comments
+
+# Display long key IDs
+keyid-format 0xlong
+
+# List all keys (or the specified ones) along with their fingerprints
+with-fingerprint
+
+# Display the calculated validity of user IDs during key listings
+list-options show-uid-validity
+verify-options show-uid-validity
+
+# Try to use the GnuPG-Agent. With this option, GnuPG first tries to connect to
+# the agent before it asks for a passphrase.
+use-agent
+
+
+#-----------------------------
+# keyserver
+#-----------------------------
+
+# This is the server that --recv-keys, --send-keys, and --search-keys will
+# communicate with to receive keys from, send keys to, and search for keys on
+keyserver hkps://keys.openpgp.org/
+
+# Set the proxy to use for HTTP and HKP keyservers - default to the standard
+# local Tor socks proxy
+# It is encouraged to use Tor for improved anonymity. Preferrably use either a
+# dedicated SOCKSPort for GnuPG and/or enable IsolateDestPort and
+# IsolateDestAddr
+keyserver-options http-proxy=http://localhost:3128
+
+# Don't leak DNS, see https://trac.torproject.org/projects/tor/ticket/2846
+# Debian! gpg: keyserver option 'no-try-dns-srv' is unknown
+keyserver-options no-try-dns-srv
+
+# When using --refresh-keys, if the key in question has a preferred keyserver
+# URL, then disable use of that preferred keyserver to refresh the key from
+keyserver-options no-honor-keyserver-url
+
+# When searching for a key with --search-keys, include keys that are marked on
+# the keyserver as revoked
+keyserver-options include-revoked
+
+
+#-----------------------------
+# algorithm and ciphers
+#-----------------------------
+
+# list of personal digest preferences. When multiple digests are supported by
+# all recipients, choose the strongest one
+personal-cipher-preferences AES256 AES192 AES CAST5
+
+# list of personal digest preferences. When multiple ciphers are supported by
+# all recipients, choose the strongest one
+personal-digest-preferences SHA512 SHA384 SHA256 SHA224
+
+# message digest algorithm used when signing a key
+cert-digest-algo SHA512
+
+# This preference list is used for new keys and becomes the default for
+# "setpref" in the edit menu
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed