Answering this from the perspective of Whonix 8. Links point to Whonix 8 source code.
Generally, Whonix's firewalls are whitelisting firewalls. This means they use policy drop for all chains (input, forward, output) and a drop or reject rule as the last rule. All traffic that is not explicitly whitelisted will be dropped or rejected (depending on chain).
The Whonix-Workstation firewall is unrelated here. It's a non-mandatory, optional firewall that is disabled by default. See its man page for a deeper explanation.
If you were to use it, the following rule would enforce that only TCP can leave.
```sh
## The next rule ensures, that only tcp can leave and achieves the desired result from (4).
iptables -A OUTPUT ! -p tcp -j REJECT --reject-with icmp-port-unreachable
```
Generally speaking, `-p tcp` would mean "only TCP", and `! -p tcp` here means all protocols besides TCP.
The Whonix-Gateway firewall is the mandatory, important piece here.
It whitelists UDP traffic to port 53 (DNS) and redirects it to Tor's DnsPort. Search the firewall script for `-p udp --dport 53` to see the related rules. The other traffic it whitelists and redirects is TCP. The rest is blocked thanks to policy drop (as a safety net) and/or dropped/rejected by the last rule (depending on chain).
Depending on chain... before someone asks what I mean by that:
- INPUT: dropped
- FORWARD: rejected
- OUTPUT: rejected
Full disclosure:
I am a maintainer of Whonix.
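As an added example (not part of the answer above and not Whonix's own firewall script), the following sketch shows the whitelisting pattern the answer describes: policy DROP on every filter chain, explicit accepts, a drop/reject catch-all as the last rule, and UDP/53 redirected to a local DNS port. It then audits the generated ruleset for exactly those properties. The interface name `eth1`, the ports 5300 (DnsPort) and 9040 (TransPort), and the `audit_ruleset` helper are assumptions for illustration, not Whonix's real configuration.

```shell
#!/bin/sh
# Added example, not Whonix's firewall script: emit a minimal whitelisting
# ruleset in iptables-restore format and audit it for the two properties the
# answer describes (policy DROP everywhere, drop/reject catch-all last).
#
# Assumed placeholders (not Whonix's real values):
INT_IF="${INT_IF:-eth1}"          # interface the workstation is attached to
DNS_PORT="${DNS_PORT:-5300}"      # Tor DnsPort
TRANS_PORT="${TRANS_PORT:-9040}"  # Tor TransPort

# Print the ruleset on stdout. As root it could be loaded with:
#   gen_ruleset | iptables-restore
gen_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# UDP/53 from the workstation goes to the DNS port, TCP SYNs to the TransPort
-A PREROUTING -i ${INT_IF} -p udp --dport 53 -j REDIRECT --to-ports ${DNS_PORT}
-A PREROUTING -i ${INT_IF} -p tcp --syn -j REDIRECT --to-ports ${TRANS_PORT}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${INT_IF} -p udp --dport ${DNS_PORT} -j ACCEPT
-A INPUT -i ${INT_IF} -p tcp --dport ${TRANS_PORT} -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -j ACCEPT
-A OUTPUT ! -p tcp -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Read a ruleset on stdin. Exit 0 if every chain in the filter table has
# policy DROP and its last rule jumps to DROP or REJECT; otherwise print one
# line per violation and exit 1. (Hypothetical helper, not a Whonix tool.)
audit_ruleset() {
  awk '
    /^\*/             { table = substr($0, 2); next }   # "*nat", "*filter"
    table != "filter" { next }                          # only audit filter
    /^:/              { chain = substr($1, 2); policy[chain] = $2; next }
    /^-A /            { last[$2] = $0; next }           # remember last rule
    END {
      ok = 1
      for (c in policy) {
        if (policy[c] != "DROP") {
          printf "%s: policy is %s, expected DROP\n", c, policy[c]; ok = 0
        }
        if (last[c] !~ / -j (DROP|REJECT)( |$)/) {
          printf "%s: last rule does not drop/reject: %s\n", c, last[c]; ok = 0
        }
      }
      exit (ok ? 0 : 1)
    }'
}

gen_ruleset | audit_ruleset && echo "ruleset passes the whitelisting audit"
```

The audit only checks the filter table, because that is where policies and the catch-all rules live; the nat table's REDIRECT rules decide where whitelisted traffic goes, not whether it is allowed. A ruleset with policy ACCEPT or a chain whose last rule is a plain ACCEPT fails the audit with one message per problem.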