Whonix · DanWin · Oct 11, 2024 · Oct 28, 2024 · Dec 8, 2024 · Dec 8, 2024
diff --git a/usr/bin/whonix-gateway-firewall b/usr/bin/whonix-gateway-firewall
@@ -107,7 +107,7 @@ variables_defaults() {
       ## drop-in configuration snippet in /etc/whonix_firewall.d
       ## configuration folder instead.
       NON_TOR_GATEWAY="\
-            127.0.0.0/24 \
+            127.0.0.0/8 \
             192.168.0.0/24 \
             192.168.1.0/24 \
             10.152.152.0/24 \
@@ -116,11 +116,31 @@ variables_defaults() {
     fi
   fi
 
+  if [ -z "${NON_TOR_GATEWAY_IP6:-}" ]; then
+    if test -f /usr/share/qubes/marker-vm; then
+      NON_TOR_GATEWAY_IP6=""
+    else
+      ## 10.0.2.2/24: VirtualBox DHCP
+      ## IP HARDCODED. If you want to change IP, set variable GATEWAY_IP through a
+      ## drop-in configuration snippet in /etc/whonix_firewall.d
+      ## configuration folder instead.
+      NON_TOR_GATEWAY_IP6="\
+            ::1/128 \
+            fd19:c33d:88bc::0/96 \
+            ::ffff:127.0.0.0/104 \
+            ::ffff:192.168.0.0/120 \
+            ::ffff:192.168.1.0/120 \
+            ::ffff:10.152.152.0/120 \
+            ::ffff:10.0.2.2/120 \
+         "
+    fi
+  fi
+
   ## Destinations you do not routed through VPN, only for Whonix-Gateway.
   if [ -z "${LOCAL_NET:-}" ]; then
     if test -f /usr/share/qubes/marker-vm; then
       LOCAL_NET="\
-            127.0.0.0/24 \
+            127.0.0.0/8 \
             10.137.0.0/16 \
             10.138.0.0/16 \
          "
@@ -130,7 +150,7 @@ variables_defaults() {
       ## drop-in configuration snippet in /etc/whonix_firewall.d
       ## configuration folder instead.
       LOCAL_NET="\
-            127.0.0.0/24 \
+            127.0.0.0/8 \
             192.168.0.0/24 \
             192.168.1.0/24 \
             10.152.152.0/24 \
@@ -139,6 +159,35 @@ variables_defaults() {
     fi
   fi
 
+
+  ## Destinations you do not routed through VPN, only for Whonix-Gateway.
+  if [ -z "${LOCAL_NET_IP6:-}" ]; then
+    if test -f /usr/share/qubes/marker-vm; then
+      LOCAL_NET_IP6="\
+            ::1/128 \
+            fd09:24ef:4179::a8a:/112 \
+            fd09:24ef:4179::a89:/112 \
+            ::ffff:127.0.0.0/104 \
+            ::ffff:10.137.0.0/112 \
+            ::ffff:10.138.0.0/112 \
+         "
+    else
+      ## 10.0.2.2/24: VirtualBox DHCP
+      ## IP HARDCODED. If you want to change IP, set variable GATEWAY_IP through a
+      ## drop-in configuration snippet in /etc/whonix_firewall.d
+      ## configuration folder instead.
+      LOCAL_NET_IP6="\
+            ::1/128 \
+            fd19:c33d:88bc::0/96 \
+            ::ffff:127.0.0.0/104 \
+            ::ffff:192.168.0.0/120 \
+            ::ffff:192.168.1.0/120 \
+            ::ffff:10.152.152.0/120 \
+            ::ffff:10.0.2.2/120 \
+         "
+    fi
+  fi
+
   if [ -z "${WORKSTATION_DEST_SOCKSIFIED:-}" ]; then
     ## 10.152.152.10 - Non-Qubes-Whonix-Gateway IP
     ##
@@ -153,18 +202,38 @@ variables_defaults() {
         10.138.0.0/16 \
         10.152.152.10 \
       "
+    else
+      ## Non-Qubes-Whonix:
+      ## IP HARDCODED. If you want to change IP, set variable GATEWAY_IP through a
+      ## drop-in configuration snippet in /etc/whonix_firewall.d
+      ## configuration folder instead.
+      WORKSTATION_DEST_SOCKSIFIED="10.152.152.10"
+    fi
+  fi
+
+  if [ -z "${WORKSTATION_DEST_SOCKSIFIED_IPV6:-}" ]; then
+    ## fd19:c33d:88bc::10 - Non-Qubes-Whonix-Gateway IP
+    ##
+    ## fd09:24ef:4179::a89/112  - persistent Qubes-Whonix-Gateway IP range
+    ## fd09:24ef:4179::a8a/112  - DispVM Qubes-Whonix-Gateway IP range
-    ## fd09:24ef:4179::a89/112  - persistent Qubes-Whonix-Gateway IP range
-    ## fd09:24ef:4179::a8a/112  - DispVM Qubes-Whonix-Gateway IP range
+    ## fd09:24ef:4179::a89:/112  - persistent Qubes-Whonix-Gateway IP range
+    ## fd09:24ef:4179::a8a:/112  - DispVM Qubes-Whonix-Gateway IP range
-    ## fd09:24ef:4179::a89/112  - persistent Qubes-Whonix-Gateway IP range
-    ## fd09:24ef:4179::a8a/112  - DispVM Qubes-Whonix-Gateway IP range
+    ## fd09:24ef:4179::a89:/112  - persistent Qubes-Whonix-Gateway IP range
+    ## fd09:24ef:4179::a8a:/112  - DispVM Qubes-Whonix-Gateway IP range
+    if test -f /usr/share/qubes/marker-vm; then
+      ## https://forums.whonix.org/t/whonix-gateway-not-reachable/7484/16
+      ## Qubes-Whonix:
+      ## IP HARDCODED. IP 10.152.152.10 is hardcoded in some places.
       WORKSTATION_DEST_SOCKSIFIED_IPV6="\
+        fd09:24ef:4179::a8a:/112 \
+        fd09:24ef:4179::a89:/112 \
         ::ffff:10.137.0.0/112 \
         ::ffff:10.139.0.0/112 \
         ::ffff:10.152.152.10 \
+        fd19:c33d:88bc::10 \
       "
     else
       ## Non-Qubes-Whonix:
       ## IP HARDCODED. If you want to change IP, set variable GATEWAY_IP through a
       ## drop-in configuration snippet in /etc/whonix_firewall.d
       ## configuration folder instead.
-      WORKSTATION_DEST_SOCKSIFIED="10.152.152.10"
-      WORKSTATION_DEST_SOCKSIFIED_IPV6="::ffff:10.152.152.10"
+      WORKSTATION_DEST_SOCKSIFIED_IPV6="fd19:c33d:88bc::10"
     fi
   fi
 }
@@ -242,8 +311,9 @@ nft_output() {
       local non_tor_gateway_item
       for non_tor_gateway_item in $NON_TOR_GATEWAY; do
         $nftables_cmd add rule inet nat output ip daddr "$non_tor_gateway_item" counter return
-        $nftables_cmd add rule inet nat output ip6 daddr "::ffff:$non_tor_gateway_item" counter return
-        ## TODO: IPv6 test
+      done
+      for non_tor_gateway_item in $NON_TOR_GATEWAY_IP6; do
+        $nftables_cmd add rule inet nat output ip6 daddr "$non_tor_gateway_item" counter return
       done
     fi
 
@@ -257,6 +327,9 @@ nft_output() {
   ## Existing connections are accepted.
   $nftables_cmd add rule inet filter output ct state established counter accept
 
+  # Accept ICMPv6 neighbor discovery.
+  $nftables_cmd add rule inet filter output icmpv6 type "{ nd-neighbor-solicit, nd-neighbor-advert }" counter accept
+
   if [ "$firewall_mode" = "full" ]; then
     ## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
     ## unless VPN_FIREWALL mode is enabled.
@@ -265,8 +338,9 @@ nft_output() {
       local non_tor_gateway_item
       for non_tor_gateway_item in $NON_TOR_GATEWAY; do
         $nftables_cmd add rule inet filter output ip daddr "$non_tor_gateway_item" counter accept
-        $nftables_cmd add rule inet filter output ip6 daddr "::ffff:$non_tor_gateway_item" counter accept
-        ## TODO: IPv6 test
+      done
+      for non_tor_gateway_item in $NON_TOR_GATEWAY_IP6; do
+        $nftables_cmd add rule inet filter output ip6 daddr "$non_tor_gateway_item" counter accept
       done
     fi
   fi
@@ -279,8 +353,9 @@ nft_output() {
       local local_net_item
       for local_net_item in $LOCAL_NET; do
         $nftables_cmd add rule inet filter output ip daddr "$local_net_item" counter accept
-        $nftables_cmd add rule inet filter output ip6 daddr "::ffff:$local_net_item" counter accept
-        ## TODO: IPv6 test
+      done
+      for local_net_item in $LOCAL_NET_IP6; do
+        $nftables_cmd add rule inet filter output ip6 daddr "$local_net_item" counter accept
       done
     fi
   fi
@@ -369,7 +444,9 @@ INTERNAL_OPEN_PORTS
 INT_IF
 INT_TIF
 LOCAL_NET
+LOCAL_NET_IP6
 NON_TOR_GATEWAY
+NON_TOR_GATEWAY_IP6
 NO_NAT_USERS
 NO_REJECT_INVALID_OUTGOING_PACKAGES
 OR_PORT

diff --git a/usr/bin/whonix-host-firewall b/usr/bin/whonix-host-firewall
@@ -14,13 +14,15 @@ variables_defaults(){
 
   ## 10.0.2.2/24: VirtualBox DHCP
   [ -n "${NON_TOR_GATEWAY:-}" ] || NON_TOR_GATEWAY="192.168.1.0/24 192.168.0.0/24 127.0.0.0/8 10.152.152.0/24 10.0.2.2/24"
+  [ -n "${NON_TOR_GATEWAY_IP6:-}" ] || NON_TOR_GATEWAY_IP6="::1/128 fd19:c33d:88bc::0/96 ::ffff:192.168.1.0/120 ::ffff:192.168.0.0/120 ::ffff:127.0.0.0/104 ::ffff:10.152.152.0/120 ::ffff:10.0.2.2/120"
 
   ## Space separated list of VPN servers, which Whonix-Gateway is allowed to connect to.
   [ -n "${VPN_SERVERS:-}" ] || VPN_SERVERS="198.252.153.26"
 
   ## Destinations you do not routed through VPN, only for Whonix-Gateway.
   ## 10.0.2.2/24: VirtualBox DHCP
   [ -n "${LOCAL_NET:-}" ] || LOCAL_NET="192.168.1.0/24 192.168.0.0/24 127.0.0.0/8 10.152.152.0/24 10.0.2.2/24"
+  [ -n "${LOCAL_NET_IP6:-}" ] || LOCAL_NET_IP6="::1/128 fd19:c33d:88bc::0/96 ::ffff:192.168.1.0/120 ::ffff:192.168.0.0/120 ::ffff:127.0.0.0/104 ::ffff:10.152.152.0/120 ::ffff:10.0.2.2/120"
 
   [ -n "${GATEWAY_ALLOW_INCOMING_RELATED_STATE:-}" ] || GATEWAY_ALLOW_INCOMING_RELATED_STATE=""
   [ -n "${GATEWAY_ALLOW_INCOMING_ICMP:-}" ] || GATEWAY_ALLOW_INCOMING_ICMP=0
@@ -90,7 +92,7 @@ nft_output(){
     ## when VPN_FIREWALL mode is enabled.
     ## DISABLED BY DEFAULT.
     for SERVER in $VPN_SERVERS; do
-      $nftables_cmd add rule inet filter output ip daddr "$SERVER" counter jump accept
+      $nftables_cmd add rule inet filter output inet daddr "$SERVER" counter jump accept
     done
   else
     ## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
@@ -99,6 +101,9 @@ nft_output(){
     for NET in $NON_TOR_GATEWAY; do
       $nftables_cmd add rule inet filter output ip daddr "$NET" counter jump accept
     done
+    for NET in $NON_TOR_GATEWAY_IP6; do
+      $nftables_cmd add rule inet filter output ip6 daddr "$NET" counter jump accept
+    done
   fi
 
   ## clearnet user is allowed to connect any outside target.