Iptables - having a hard time

I have been trying to reach a service in an AppVM from my sys-whonix:

I followed the how-to under “4. Allow packets into the qube to reach the service”:

sudo su
iptables -w -A testrun -j ACCEPT
iptables -w -I INPUT 5 -d ip.of.sys.whonix -p tcp --dport 8000 -m conntrack --ctstate NEW -j testrun

Then on the AppVM:

nc -lvnp 8000

and on sys-whonix:

curl http://ip.of.app.vm:8000
curl: (7) Couldn't connect to server

Now, iptables and I haven't had a history of friendship with each other, kind of a cruel mistress I would say. But I wonder if the instructions in the how-to are faulty? Why do we use --dport and -d? Shouldn't that be --sport and -s?

Can anyone offer a helping hand?

And I do not understand why the how-to is speaking about 10.137.1.x and 10.137.2.x. None of the interfaces in sys-net, sys-firewall, sys-whonix and the AppVM are holding a 10.137.1.x or 10.137.2.x IP address. Neither are there any routes for 1.x or 2.x. I used ip -br a and ip r to check for them.

Sorry for talking to myself; I would love it if anybody joined in. One more thing that further enhances the difficulty in this setup:

curl on the whonix-gw is a bash script pointing towards /usr/libexec/uwt/uwtwrapper which doesn’t help while debugging.

These are examples - it's expected that you will adjust them to match the specifics of your case.


It does work, now. Hope this post might help someone.

On AppVM allow incoming packets for port 8000:

sudo su
# the testrun chain must already exist (iptables -w -N testrun creates it)
iptables -w -A testrun -j ACCEPT
# -d is the AppVM's own IP: on the INPUT chain the destination is the listening qube
iptables -w -I INPUT 5 -d ip.of.app.vm -p tcp --dport 8000 -m conntrack --ctstate NEW -j testrun

On AppVM:

python3 -m http.server 8000

On a different AppVM connected to sys-whonix or on the original AppVM in a second terminal:

curl http://someonionv3addresssomeonionv3address.onion:8000

Please note that -d indicates where the traffic wants to go, which is not sys-whonix's IP but the AppVM's.

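The resolution above comes down to one rule: on a qube's INPUT chain, -d must be that qube's own address, not the address of the client (sys-whonix) that connects to it. The script below is an added example, not code from the thread or from the Qubes how-to; it builds the same rule as the working post, refuses to do so unless the -d address really is one of the local interface addresses (checked against `ip -br a` output), validates the port, and only prints the iptables commands so they can be reviewed before running them as root. The interface listing and the 10.137.0.42 / 10.137.0.7 addresses are constructed placeholders. It assumes the qube's INPUT chain already accepts RELATED,ESTABLISHED traffic (the Qubes default), which is why only --ctstate NEW is matched.

```shell
#!/bin/sh
# Added example: generate and sanity-check the INPUT rule that lets a service
# listening in an AppVM accept new TCP connections. Nothing here calls iptables;
# the output is meant to be reviewed and then run as root in the AppVM.

# Constructed sample of `ip -br a` output from a hypothetical AppVM.
# The addresses are illustrative placeholders, not values from the thread.
SAMPLE_IP_BR_A='lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0             UP             10.137.0.42/32'

# local_ips IP_BR_A_TEXT: print the IPv4 addresses (without prefix length)
# found in `ip -br a` style text.
local_ips() {
    printf '%s\n' "$1" | awk '{
        for (i = 3; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\//) { sub(/\/.*/, "", $i); print $i }
    }'
}

# is_local_ip IP IP_BR_A_TEXT: succeed only if IP is assigned to one of this
# VM's interfaces. On the INPUT chain, -d must be the listening VM's own
# address; a client such as sys-whonix belongs in -s, if you restrict it at all.
is_local_ip() {
    local_ips "$2" | grep -qxF "$1"
}

# valid_port PORT: digits only, 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# inbound_rule LOCAL_IP PORT [SOURCE_IP]: print the iptables commands.
# The optional SOURCE_IP narrows the rule to a single client with -s.
# Reply packets are covered by the existing RELATED,ESTABLISHED rule
# (assumed to be in place, as in the Qubes default chain), so only NEW
# connections need to be matched here.
inbound_rule() {
    local_ip=$1 port=$2 src=${3:-}
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    src_match=""
    [ -n "$src" ] && src_match=" -s $src"
    # create the user chain only if it does not exist yet
    printf 'iptables -w -L testrun -n >/dev/null 2>&1 || iptables -w -N testrun\n'
    printf 'iptables -w -A testrun -j ACCEPT\n'
    printf 'iptables -w -I INPUT 5%s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j testrun\n' \
        "$src_match" "$local_ip" "$port"
}

# check_and_print LOCAL_IP PORT IP_BR_A_TEXT [SOURCE_IP]: refuse to emit a rule
# whose -d is not a local address (the mistake from the first post).
check_and_print() {
    if ! is_local_ip "$1" "$3"; then
        echo "$1 is not an address of this VM; -d must be the listening VM's own IP" >&2
        return 1
    fi
    inbound_rule "$1" "$2" "${4:-}"
}

# Demo against the constructed sample; on a real AppVM pass "$(ip -br a)" instead.
check_and_print 10.137.0.42 8000 "$SAMPLE_IP_BR_A" 10.137.0.7
```

On a real qube, run `check_and_print <its ip> 8000 "$(ip -br a)"` and pipe the printed commands into `sudo sh` once they look right; passing the sys-whonix address as the first argument fails the local-address check, which is exactly the misconfiguration from the opening post.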

I don't use Whonix. I doubt that it's intended that you use the gw for anything not already configured. But these sound like Whonix issues, best raised over at the Whonix forums.