No, my home router is only accessible from the LAN. So, if you are sure Tor really block the local address space, then i shouldn't need to use iptables. But i want to be sure first. I couldn't find anything about this in the online manual.<br>
<br><div class="gmail_quote">On Mon, Jul 4, 2011 at 11:31 PM, Justin Aplin <span dir="ltr"><<a href="mailto:japlin@gmail.com">japlin@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div style="word-wrap:break-word"><div><div class="im"><div>On Jul 4, 2011, at 9:19 PM, Tomas Sironi wrote:</div><br><blockquote type="cite">Hi people. I'm new with Tor and i'm very interested in this project.<div>
<br></div><div>I'm now being a relay, only acting as middleman (no exits). I would like to contribute more by having some services as exit.</div>
<div>However i'm concerned about security. The machine i'm running as a relay is a pc in my home. From it, i have access to my router's web interface. The problem if i act as a exit for the port 80, would be that anyone can log into (or try to) my home router just by pointing to its ip address. Am i right?</div>
</blockquote><div><br></div></div>If the router interface is publicly accessible from the (outside) internet, then yes. If it's only available on the LAN, then no. By default tor blocks access to local address space, and I believe this is only not the case if it is set up as an exit enclave. For example, both of my routers have the following restrictions, even though I did not specify them in my torrc:</div>
<div><br></div><div><div>reject <a href="http://0.0.0.0/8:*" target="_blank">0.0.0.0/8:*</a></div><div>reject <a href="http://169.254.0.0/16:*" target="_blank">169.254.0.0/16:*</a></div><div>reject <a href="http://127.0.0.0/8:*" target="_blank">127.0.0.0/8:*</a></div>
<div>reject <a href="http://192.168.0.0/16:*" target="_blank">192.168.0.0/16:*</a></div><div>reject <a href="http://10.0.0.0/8:*" target="_blank">10.0.0.0/8:*</a></div><div>reject <a href="http://172.16.0.0/12:*" target="_blank">172.16.0.0/12:*</a></div>
<div>reject 97.102.75.60:*</div><div class="im"><div><br></div><blockquote type="cite">
<div>I've thought about using iptables to block outgoing connection from the relay to my router using</div><div><br></div><div><font face="'courier new', monospace">iptables -A OUTPUT -d 192.168.15.1 -j DROP</font></div>
<div><font face="'courier new', monospace"><br></font></div><div><font face="arial, helvetica, sans-serif">Not sure that's the correct line to do that. It blocks ping requests but i still can access the web interface of my router from that pc. Can anyone help me here? </font></div>
</blockquote><div><br></div></div>I believe what you want is the following:</div><div><br></div><div># /sbin/iptables -A OUTPUT -p tcp -d 192.168.15.1 --dport 80 -j DROP<br># /sbin/service iptables save<br><br></div><div>
Thanks for running an exit!</div><div><br></div><font color="#888888"><div>~Justin Aplin</div><div><br></div></font></div><br>_______________________________________________<br>
tor-relays mailing list<br>
<a href="mailto:tor-relays@lists.torproject.org">tor-relays@lists.torproject.org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><blockquote style="margin:0 0 0 40px;border:none;padding:0px"></blockquote><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><span style="background-color:rgb(255, 255, 255)"><font color="#CCCCCC"><span style="font-family:georgia, serif;font-size:large">Tomas Sironi</span></font></span></blockquote>
<br>