socks proxy at 10.137.0.8:9050 : Qubes | Torhoo darknet markets

hello mf

I'm using a minimal custom template + AppVM with sys-whonix as NetVM.

I have an app that runs with Tor and it is mandatory to set the SOCKS proxy (won't work without it, even using the Tor transparent proxy provided by sys-whonix).

In Whonix-Workstation it's as easy as using 127.0.0.1:9050, but here we don't have that mirror, so...

I've tried using 10.137.0.8:9050 as proxy, and it seems to work, but

is it secure? is this expected? is this a good practice?

10.137.0.8 is sys-whonix by the way.

If not, how to use the Tor SOCKS proxy?

thx
/u/jackroberts
2 points
5 months ago
127.0.0.1 is your default loopback device IP address in many operating systems, which is a private IP address and, if used with ports "9050" or "9150", can route traffic via the Tor network. But sometimes your default loopback device has a different IP address; in your case it is "10.137.0.8".
There is nothing to worry about: "10.137.0.8" is still a private IP address and can be used to route traffic via the Tor anonymity network if used with the right ports.
If the things I wrote above don't make sense to you, it's better to read a few books about networking in Linux operating systems or some books about the CCNA exam.
good luck!
/u/HeadJanitor Moderator
2 points
5 months ago
https://www.qubes-os.org/doc/firewall/ <------- Keep it simple
https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TransparentProxy#AnonymizingMiddlebox
https://forums.whonix.org/t/whonix-gateway-not-reachable/7484/16
https://github.com/QubesOS/qubes-core-admin-addon-whonix/
https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TransparentProxy
/u/HeadJanitor Moderator
1 points
5 months ago

usr/bin/whonix-gateway-firewall
@@ -184,11 +184,15 @@ variables_defaults() {
## 10.152.152.10 - Non-Qubes-Whonix-Gateway IP
## 10.137.0.0/8- persistent Qubes-Whonix-Gateway IP range
## 10.138.0.0/8- DispVM Qubes-Whonix-Gateway IP range
WORKSTATION_DEST_SOCKSIFIED
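Review bot: the range comments in this hunk are wrong as written: `## 10.137.0.0/8- persistent Qubes-Whonix-Gateway IP range` and `## 10.138.0.0/8- DispVM Qubes-Whonix-Gateway IP range` both name a /8 prefix, and any 10.x.x.x/8 is simply 10.0.0.0/8, so the two lines describe one and the same range rather than the two distinct qube networks. The values assigned in the next hunk are /16, so the comments should read 10.137.0.0/16 and 10.138.0.0/16 (and put a space before the dash so they match the `## 10.152.152.10 - ...` line above them).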



usr/bin/whonix-gateway-firewall
@@ -186,7 +186,7 @@ variables_defaults() {
## 10.138.0.0/8 - DispVM Qubes-Whonix-Gateway IP range
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
## https://forums.whonix.org/t/whonix-gateway-not-reachable/7484/16
WORKSTATION_DEST_SOCKSIFIED="10.137.0.0/8"
WORKSTATION_DEST_SOCKSIFIED="10.137.0.0/16"
WORKSTATION_DEST_SOCKSIFIED="10.138.0.0/16"
else
WORKSTATION_DEST_SOCKSIFIED="10.152.152.10"
fi
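Review bot: as rendered, WORKSTATION_DEST_SOCKSIFIED is assigned three times in a row inside the `if command -v "qubesdb-read"` branch (`"10.137.0.0/8"`, then `"10.137.0.0/16"`, then `"10.138.0.0/16"`); with plain shell assignment only the last value survives, so unless the earlier lines are the removed side of the diff (the +/- markers did not survive extraction), persistent qubes in 10.137.0.0/16 would never be socksified. If both ranges are meant to be covered, assign one space-separated list (`WORKSTATION_DEST_SOCKSIFIED="10.137.0.0/16 10.138.0.0/16"`) and have the consumer iterate over it, or keep one variable per range. The context comment `## 10.138.0.0/8 - DispVM Qubes-Whonix-Gateway IP range` still says /8 while the code says /16.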



Your VPN Address Pool:
IP local pool VPN 10.137.7.1-10.137.7.200
It cannot overlap the existing IP address ranges. In this case (and most cases) it overlaps with your internal IP range:
IP address inside 10.137.0.1 255.255.248.0
You need to use an unused range. Try:
IP local pool VPN 10.137.17.1-10.137.17.200


I have no idea what your goal is.

Examine: /etc/xen/scripts/vif-route-qube
Look for 10.137.0.8 0.0.0.0 255.255.255.255
Reserved blocks
That address shouldn't be routed through Tor:
That is a private/BOGON address: 10.0.0.0/8

To get your interface you can use ip -o addr

Don't break QubesOS.

grep -r "qubes.UpdatesProxy" /etc/qubes/policy.d/ | grep whonix
Acquire::http::Proxy "http://127.0.0.1:8082";

What’s the output of these commands in dom0?

qvm-service sys-whonix | grep upd
qvm-features sys-whonix | grep upd

What’s the output of this command in sys-whonix?

sudo systemctl status qubes-updates-proxy-forwarder.socket | cat

# Values the rules below reference but the pasted fragment never sets. Assumed here;
# match them to the local torrc (TransPort/DNSPort) and to the uid Tor runs as
# (`id -u debian-tor` on Debian, `id -u tor` on most other distributions).
_tor_uid="$(id -u debian-tor)"
_trans_port="9040"
_dns_port="5353"

# LAN destinations that shouldn't be routed through Tor
_non_tor="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Other IANA reserved blocks (These are not processed by tor and dropped by default)
_resv_iana="0.0.0.0/8 100.64.0.0/10 169.254.0.0/16 192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4 255.255.255.255/32"

### Don't lock yourself out after the flush
#iptables -P INPUT ACCEPT
#iptables -P OUTPUT ACCEPT

### Flush iptables
iptables -F
iptables -t nat -F

# nat dns requests to Tor
iptables -t nat -A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports $_dns_port

# Don't nat the Tor process, the loopback, or the local network
iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN
iptables -t nat -A OUTPUT -o lo -j RETURN

# Allow lan access for hosts in $_non_tor
for _lan in $_non_tor; do
iptables -t nat -A OUTPUT -d $_lan -j RETURN
done

# Redirect all other pre-routing and output to Tor's TransPort
iptables -t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports $_trans_port

# Tor transproxy magic
iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport $_trans_port --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT

# Allow OUTPUT to lan hosts in $_non_tor
# Uncomment these 3 lines to enable.
#for _lan in $_non_tor; do
# iptables -A OUTPUT -d $_lan -j ACCEPT
#done

# Log & Drop everything else. Uncomment to enable logging
#iptables -A OUTPUT -j LOG --log-prefix "Dropped OUTPUT packet: " --log-level 7 --log-uid
iptables -A OUTPUT -j DROP

### Set default policies to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

### Set default policies to DROP for IPv6
#ip6tables -P INPUT DROP
#ip6tables -P FORWARD DROP
#ip6tables -P OUTPUT DROP
# torrc for the middlebox gateway. Caveat: 10.137.0.8/8 is a /8 with host bits set, and any
# 10.x/8 virtual network overlaps both the 10.0.0.0/8 LAN range the script above exempts from
# Tor and Qubes' own 10.137.0.0/16 and 10.138.0.0/16 qube networks; pick a range that collides with neither.
VirtualAddrNetworkIPv4 10.137.0.8/8
AutomapHostsOnResolve 1
TransPort 192.168.1.1:9040
DNSPort 192.168.1.1:5353

# your internal interface
_inc_if="eth1"
# Tor's TransPort (must match the torrc above); not set in the pasted fragment
_trans_port="9040"

iptables -F
iptables -t nat -F

iptables -t nat -A PREROUTING -i $_inc_if -p udp --dport 53 -j REDIRECT --to-ports 5353
iptables -t nat -A PREROUTING -i $_inc_if -p udp --dport 5353 -j REDIRECT --to-ports 5353
iptables -t nat -A PREROUTING -i $_inc_if -p tcp --syn -j REDIRECT --to-ports $_trans_port
# torrc for the middlebox: one TransPort/DNSPort pair on the internal interface, one on loopback
VirtualAddrNetworkIPv4 10.137.0.8/8
AutomapHostsOnResolve 1
TransPort 192.168.1.1:9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort
TransPort 127.0.0.1:9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort
DNSPort 192.168.1.1:5353
DNSPort 127.0.0.1:5353
# /etc/resolv.conf on the gateway itself (its port-53 queries are redirected to the DNSPort by the nat OUTPUT rule below)
nameserver 127.0.0.1

# Tor's VirtualAddrNetworkIPv4
_virt_addr="10.137.0.8/8"

# Your incoming interface and assigned local IP (Gateway)
_inc_if="eth1"
_inc_ip="192.168.1.1"

# Upstream interface, Tor's uid and ports: used by the rules below but never set in the
# pasted fragment. Assumed values; match them to the torrc and to the uid Tor runs as.
_out_if="eth0"
_tor_uid="$(id -u debian-tor)"
_trans_port="9040"
_dns_port="5353"

### *nat PREROUTING (For middlebox)
iptables -t nat -A PREROUTING -d $_virt_addr -i $_inc_if -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports $_trans_port
iptables -t nat -A PREROUTING -i $_inc_if -p udp --dport 53 -j REDIRECT --to-ports $_dns_port

iptables -t nat -A PREROUTING -i $_inc_if -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports $_trans_port

### *nat OUTPUT (For local redirection)
# nat .onion addresses
iptables -t nat -A OUTPUT -d $_virt_addr -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports $_trans_port

# nat dns requests to Tor
iptables -t nat -A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports $_dns_port

# Don't nat the Tor process, the loopback, or the local network
iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN
iptables -t nat -A OUTPUT -o lo -j RETURN

iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# Allow DNS lookups from connected clients and internet access through tor.
iptables -A INPUT -d $_inc_ip -i $_inc_if -p udp -m udp --dport $_dns_port -j ACCEPT
iptables -A INPUT -d $_inc_ip -i $_inc_if -p tcp -m tcp --dport $_trans_port --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT

# Log & Drop everything else. Uncomment to enable logging.
#iptables -A INPUT -j LOG --log-prefix "Dropped INPUT packet: " --log-level 7 --log-uid
iptables -A INPUT -j DROP

### *filter FORWARD
iptables -A FORWARD -j DROP

### *filter OUTPUT
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT

# Allow Tor process output
iptables -A OUTPUT -o $_out_if -m owner --uid-owner $_tor_uid -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT

# Allow loopback output
iptables -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT

# Log & Drop everything else. Uncomment to enable logging
#iptables -A OUTPUT -j LOG --log-prefix "Dropped OUTPUT packet: " --log-level 7 --log-uid
iptables -A OUTPUT -j DROP

### Set default policies to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

### Set default policies to DROP for IPv6
#ip6tables -P INPUT DROP
#ip6tables -P FORWARD DROP
#ip6tables -P OUTPUT DROP
# create the unprivileged user whose traffic alone is forced through Tor
useradd -m anonymous
# torrc
VirtualAddrNetworkIPv4 10.137.0.8/8
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 53
/etc/init.d/tor restart
# iptables: send only that user's TCP and DNS to Tor, drop anything else it emits
iptables -t nat -A OUTPUT ! -o lo -p tcp -m owner --uid-owner anonymous -m tcp -j REDIRECT --to-ports 9040
iptables -t nat -A OUTPUT ! -o lo -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53
iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner anonymous -m tcp --dport 9040 -j ACCEPT
iptables -t filter -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT ! -o lo -m owner --uid-owner anonymous -j DROP
# resolver: point the host at Tor's DNSPort
echo "nameserver 127.0.0.1" > /etc/resolv.conf
# run the application as that user
sudo -H -u anonymous irssi
# persist the rules in an init script
sudo touch /etc/init.d/anonuser
sudo chmod a+x /etc/init.d/anonuser
sudo vim /etc/init.d/anonuser

iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner anonymous -m tcp -j REDIRECT --to-ports 9040
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53
iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner anonymous -m tcp --dport 9040 -j ACCEPT
iptables -t filter -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -m owner --uid-owner anonymous -j DROP
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner anonymous -m tcp --syn -d 127.0.0.1 --dport 9051 -j ACCEPT
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner anonymous -m tcp --syn -j REDIRECT --to-ports 9040
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53
# iptables refuses DROP in the nat table ("not intended for filtering"); the catch-all belongs in filter
iptables -t filter -A OUTPUT -m owner --uid-owner anonymous -j DROP
# torrc
VirtualAddrNetworkIPv4 10.137.0.8/8
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 53
# /etc/resolv.conf
nameserver 127.0.0.1
# send only the automapped (.onion) range to Tor and leave all other traffic alone
# (with a 10.x/8 network this also catches Qubes' 10.137.0.0/16 and 10.138.0.0/16 qube traffic)
iptables -t nat -A OUTPUT -p tcp -d 10.137.0.8/8 -j REDIRECT --to-ports 9040
# torrc
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 53
# /etc/resolv.conf (the "lookup" keyword is OpenBSD's)
lookup file bind
nameserver 127.0.0.1
# /etc/dhclient.conf, so a DHCP lease cannot overwrite the resolver
supersede domain-name-servers 127.0.0.1;
# second loopback for pf's route-to rules below (OpenBSD; persist it through /etc/hostname.lo1)
ifconfig lo1 create up 127.0.0.2
# echo "inet 127.0.0.2" > /etc/hostname.lo1
# /etc/pf.conf: macros first, then the rules that use them
# your internal interface
int_if = "fxp0"
# destinations you don't want routed through Tor
non_tor = "{ 192.168.1.0/24 192.168.0.0/24 }"

pass out quick inet proto tcp user _tor flags S/SA modulate state
pass out quick inet proto udp to port domain route-to lo1
pass out quick inet to $non_tor
pass out inet proto tcp all route-to lo1
# torrc
VirtualAddrNetworkIPv4 10.137.0.8/8
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 53
/u/biosphere P
1 points
5 months ago
10.152.152.10:9111
/u/MauriceMoss
1 points
5 months ago
is this a good practice?
FWIW, just because "it works" doesn't mean that you aren't technically breaking the default sys-whonix model.

As a rule of thumb, I personally stick to minimized Whonix and/or minimal Kicksecure guests to host Tor-aware applications. Both of these OSes are designed with native Tor running and support for Tor-aware applications.

On occasion, I do use sys-whonix for some clearnet qubes, but they are edge cases: they don't use Tor-aware applications and are mostly for testing and single-purpose only.

Per the design you've specified:
I'm using a minimal custom template + AppVM with sys-whonix as NetVM.

I have an app that runs with Tor and it is mandatory to set the SOCKS proxy (won't work without it, even using the Tor transparent proxy provided by sys-whonix).

In Whonix-Workstation it's as easy as using 127.0.0.1:9050, but here we don't have that mirror, so...

I've tried using 10.137.0.8:9050 as proxy, and it seems to work
You'd run the avoidable risk of identity correlation from underlying applications which default to using the transparent proxy feature of sys-whonix. This image (as well as the wiki page) should help you to better understand the concept of Stream Isolation and how important it can be when leveling up via the Whonix ecosystem.
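As an added example (my own code, not something from the thread, from Qubes or from Whonix), here is the OP's setup combined with MauriceMoss's stream-isolation point in a working client: it finds sys-whonix's IP from inside the AppVM instead of hard-coding 10.137.0.8, speaks SOCKS5 to port 9050 with a per-application username/password so that this app's streams get their own Tor circuits, and sends the destination as a domain name so no DNS query leaves the AppVM. Assumptions not stated on the page: the NetVM's address is read from the qubesdb key /qubes-gateway (with the default route as fallback); sys-whonix's firewall lets the AppVM reach port 9050, as the OP reports; Tor's default IsolateSOCKSAuth is in effect on that port; the isolation tag names and the sample `ip route` text used in the test are hypothetical.

```python
"""Added example (not code from the thread, Qubes or Whonix): talk to Tor via
sys-whonix's SOCKS5 port from a custom AppVM, with per-application stream
isolation. Assumed, not stated on the page: the NetVM's IP comes from the
qubesdb key /qubes-gateway (the OP found 10.137.0.8 by hand); sys-whonix lets
the AppVM reach port 9050, as the OP reports; Tor's default IsolateSOCKSAuth is
in effect, so distinct SOCKS credentials get distinct circuits."""
import socket
import struct
import subprocess

SOCKS_PORT = 9050  # assumed: Tor SocksPort exposed by sys-whonix

def gateway_ip(ip_route_output=None):
    """NetVM (sys-whonix) IP: qubesdb first, the default route as fallback."""
    if ip_route_output is None:
        try:
            return subprocess.check_output(
                ["qubesdb-read", "/qubes-gateway"], text=True).strip()
        except (OSError, subprocess.CalledProcessError):
            ip_route_output = subprocess.check_output(["ip", "route"], text=True)
    for line in ip_route_output.splitlines():
        fields = line.split()
        if fields[:2] == ["default", "via"]:
            return fields[2]
    raise RuntimeError("no default route: is the AppVM attached to a NetVM?")

def socks5_greeting():
    # VER=5, NMETHODS=1, METHOD=0x02 username/password (RFC 1929). Tor accepts
    # any credentials and uses them purely as a circuit-isolation key.
    return b"\x05\x01\x02"

def socks5_auth(user, password):
    u, p = user.encode(), password.encode()
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("RFC 1929 fields are 1..255 bytes")
    return b"\x01" + bytes([len(u)]) + u + bytes([len(p)]) + p

def socks5_connect(host, port):
    # ATYP=0x03 domain name: Tor resolves it, so no DNS query leaves the
    # AppVM, and it is the only way to address a .onion service.
    h = host.encode("idna")
    if not 1 <= len(h) <= 255:
        raise ValueError("host name must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(h)]) + h + struct.pack("!H", port)

SOCKS5_REPLY = {0: "succeeded", 1: "general SOCKS server failure",
                2: "connection not allowed by ruleset", 3: "network unreachable",
                4: "host unreachable", 5: "connection refused", 6: "TTL expired",
                7: "command not supported", 8: "address type not supported"}

def parse_connect_reply(header):
    """REP code from the 4-byte reply header (VER, REP, RSV, ATYP)."""
    if len(header) < 4 or header[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    return header[1]

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def tor_connect(dest_host, dest_port, isolation_tag, proxy_host=None, timeout=60):
    """Socket to dest_host:dest_port through Tor; each isolation_tag (a
    per-application label such as the hypothetical "irc-client") rides its
    own circuit."""
    proxy_host = proxy_host or gateway_ip()
    sock = socket.create_connection((proxy_host, SOCKS_PORT), timeout=timeout)
    try:
        sock.sendall(socks5_greeting())
        ver, method = _recv_exact(sock, 2)
        if ver != 5 or method != 2:  # 0xff means no acceptable method
            raise ConnectionError(f"proxy refused user/password auth (method {method:#x})")
        sock.sendall(socks5_auth(isolation_tag, "x"))
        if _recv_exact(sock, 2)[1] != 0:
            raise ConnectionError("SOCKS authentication rejected")
        sock.sendall(socks5_connect(dest_host, dest_port))
        header = _recv_exact(sock, 4)
        code, atyp = parse_connect_reply(header), header[3]
        if atyp == 1:    # drain BND.ADDR + BND.PORT whatever the address type
            _recv_exact(sock, 4 + 2)
        elif atyp == 4:
            _recv_exact(sock, 16 + 2)
        elif atyp == 3:
            _recv_exact(sock, _recv_exact(sock, 1)[0] + 2)
        if code != 0:
            raise ConnectionError(SOCKS5_REPLY.get(code, f"SOCKS reply {code}"))
        return sock
    except Exception:
        sock.close()
        raise

if __name__ == "__main__":
    # Two tags, two circuits: this app and anything else in the qube never share one.
    with tor_connect("check.torproject.org", 80, "app-main") as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: check.torproject.org\r\n\r\n")
        print(s.recv(200).decode(errors="replace").splitlines()[0])
```

The username/password exchange is what buys the isolation: Tor treats different SOCKS credentials as different isolation keys (IsolateSOCKSAuth is on by default), so streams opened with one `isolation_tag` never share a circuit with streams opened with another, or with whatever else in the AppVM is caught by sys-whonix's transparent proxy. If sys-whonix does not expose 9050 to the AppVM, `tor_connect` fails loudly at `create_connection` rather than leaking anywhere, which is the behaviour you want from a Tor-only client.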