Maybe this will work for you. FYI, I changed your iptables rules some and recalled the rest from memory, so it's iffy.
------------------------------------------------------------------------------------------------------------------------
#allow connections to privoxy
iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner torify -j ACCEPT
#allow connections to Tor
iptables -A OUTPUT -o lo -p tcp --dport 9050 -j ACCEPT
#allow any existing or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow Tor to access hidden service, virtual machine
iptables -A OUTPUT -o lo -p tcp --dport 8888 -j ACCEPT

#re-route all outbound traffic from user "torify" to localhost
# MAKE SURE YOUR TransPort and DNSPort MATCH WHAT TOR IS USING
#Tor's TransPort, to handle all TCP traffic transparently
#(REDIRECT needs -p tcp for --to-ports; "! -o lo" leaves the direct privoxy/SOCKS connections above alone)
iptables -t nat -A OUTPUT ! -o lo -p tcp -m owner --uid-owner torify -j REDIRECT --to-ports 9095
#Tor's DNSPort, to handle DNS lookups (-p udp has to come before --dport)
iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner torify -j REDIRECT --to-ports 9035
#the redirected connections reach the filter OUTPUT chain as 127.0.0.1:9095 on lo, so let them through
iptables -A OUTPUT -o lo -p tcp --dport 9095 -m owner --uid-owner torify -j ACCEPT

#drop all traffic to localhost from localhost
iptables -A OUTPUT -o lo -p tcp -m owner --uid-owner torify -j REJECT
#disallow all external incoming connections
iptables -A INPUT -p tcp -j DROP
iptables -A INPUT -p udp -j DROP
iptables -A INPUT -p icmp -j DROP
------------------------------------------------------------------------------------------------------------------------

Hope that helps/works.

- Kyle

On Thu, Aug 20, 2009 at 4:55 AM, Ringo <2600denver@gmail.com> wrote:

> I've run into a problem. My model is that a user "torify" has all
> traffic forwarded to localhost. From there, it should all be dropped
> except connections to privoxy (port 8118). It all works up until the
> last iptables command. I assume this is blocking all incoming traffic,
> including traffic I've initiated, but I could be interpreting it wrong.
> I can't connect to any websites, but I can send requests out. Is there
> anything obvious I'm missing or something I should add?
>
> #allow connections to privoxy
> iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner torify -j ACCEPT
> #allow connections to Tor
> iptables -A OUTPUT -o lo -p tcp --dport 9050 -j ACCEPT
> #re-route all outbound traffic to localhost
> iptables -t nat -A OUTPUT -m owner --uid-owner torify -j DNAT --to-destination 127.0.0.1
> #drop all traffic to localhost from localhost
> iptables -A OUTPUT -o lo -p tcp -m owner --uid-owner torify -j REJECT
> #allow Tor to access hidden service, virtual machine
> iptables -A OUTPUT -o lo -p tcp --dport 8888 -j ACCEPT
> #disallow all external incoming connections
> sudo iptables -A INPUT -p TCP -j DROP
>
> Thanks for any help you all can offer. I know this stuff may seem basic
> to a lot of people but it's complicated for me and I'm trying to help
> hidden service operators here who know even less than I.
>
> Ringo
>
> Kyle Williams wrote:
> > I believe if you just remove --dport, then everything (all ports) are
> > assumed.
> >
> > On Wed, Aug 19, 2009 at 1:01 PM, Ringo <2600denver@gmail.com> wrote:
> >
> >> "I prevent all users other than root from connecting to the Tor Control
> >> port with an
> >>> iptables rule which looks like this:
> >>>
> >>> iptables -A OUTPUT -o lo -p tcp --dport 9051 -m owner ! --uid-owner root -j REJECT"
> >>
> >> Thanks! That should work perfectly. Is there any way to make dport a
> >> wildcard?
> >>
> >> Ringo
> >>
> >
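The ruleset from this thread as one script, added here as an example; it is not code from either of the mails above. It assumes, as neither mail states, that torrc carries "TransPort 9095" and "DNSPort 9035" (in any form Tor accepts, e.g. "TransPort 127.0.0.1:9095"), that privoxy listens on 8118, SocksPort on 9050 and the hidden-service backend on 8888, and that the torified user is "torify". The torrc_port and apply_torify helpers are added for the "make sure your ports match" check; the rule order is the point: the state rule first (the one missing from Ringo's set), the ACCEPTs for the ports the nat REDIRECT rewrites packets to, and only then the REJECT and the INPUT DROPs.

```shell
#!/bin/sh
# Per-user transparent Tor ruleset (example written for this thread).
# Assumed values, none of them taken from the mails:
TOR_USER="${TOR_USER:-torify}"
TRANS_PORT="${TRANS_PORT:-9095}"
DNS_PORT="${DNS_PORT:-9035}"
# Set IPT=echo to print the commands instead of applying them.
IPT="${IPT:-iptables}"

# Port of a torrc directive ("TransPort 9095" or "TransPort 127.0.0.1:9095");
# prints nothing when the directive is absent or commented out.
torrc_port() {
    awk -v d="$1" '$1 == d { v = $2; sub(/^.*:/, "", v); print v; exit }' "$2"
}

# Emit the rules in dependency order: iptables appends, first match wins.
torify_rules() {
    u="$TOR_USER"
    # Replies to connections this host opened. Without this the INPUT DROPs
    # below eat every SYN-ACK: requests go out, nothing ever comes back.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Loopback services the torified user may talk to directly.
    $IPT -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner "$u" -j ACCEPT  # privoxy
    $IPT -A OUTPUT -o lo -p tcp --dport 9050 -j ACCEPT                            # SocksPort
    $IPT -A OUTPUT -o lo -p tcp --dport 8888 -j ACCEPT                            # hidden-service backend

    # nat OUTPUT is traversed before filter OUTPUT, so redirected packets show
    # up here with destination 127.0.0.1:$TRANS_PORT (or :$DNS_PORT) on lo.
    $IPT -A OUTPUT -o lo -p tcp --dport "$TRANS_PORT" -m owner --uid-owner "$u" -j ACCEPT
    $IPT -A OUTPUT -o lo -p udp --dport "$DNS_PORT" -m owner --uid-owner "$u" -j ACCEPT

    # Transparent redirection. Connections already aimed at loopback are left
    # alone (RETURN); DNS goes to DNSPort; every other TCP SYN goes to TransPort.
    # REDIRECT needs -p tcp/udp before --to-ports.
    $IPT -t nat -A OUTPUT -o lo -m owner --uid-owner "$u" -j RETURN
    $IPT -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner "$u" -j REDIRECT --to-ports "$DNS_PORT"
    $IPT -t nat -A OUTPUT -p tcp --syn -m owner --uid-owner "$u" -j REDIRECT --to-ports "$TRANS_PORT"

    # Anything else the user emits (other UDP, ICMP, stray loopback ports) is
    # refused rather than leaked past Tor.
    $IPT -A OUTPUT -m owner --uid-owner "$u" -j REJECT

    # No new inbound connections at all.
    $IPT -A INPUT -p tcp -j DROP
    $IPT -A INPUT -p udp -j DROP
    $IPT -A INPUT -p icmp -j DROP
}

# Refuse to install rules whose ports disagree with the torrc in use.
apply_torify() {
    torrc="${1:-/etc/tor/torrc}"
    tp=$(torrc_port TransPort "$torrc")
    dp=$(torrc_port DNSPort "$torrc")
    if [ "$tp" != "$TRANS_PORT" ] || [ "$dp" != "$DNS_PORT" ]; then
        echo "torrc has TransPort '$tp' / DNSPort '$dp'; script expects $TRANS_PORT / $DNS_PORT" >&2
        return 1
    fi
    torify_rules
}

# Usage: ./torify-rules.sh dry-run [torrc]   or   sudo ./torify-rules.sh apply [torrc]
case "${1:-}" in
    apply)   apply_torify "${2:-/etc/tor/torrc}" ;;
    dry-run) IPT=echo; apply_torify "${2:-/etc/tor/torrc}" ;;
esac
```

After applying, `iptables -S OUTPUT` and `iptables -t nat -S OUTPUT` show the order the kernel will actually use, and `sudo -u torify curl https://check.torproject.org/` confirms the user's traffic leaves through Tor. The script only appends, so flush or delete the rules before re-running it.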