On 5/21/2014 7:38 PM, Moritz Bartl wrote:
> The problem with selective filters for outgoing traffic is that Tor needs to be able to connect to all other Tor relays, some of which use non-standard ports.
One could add a rule to the OUTPUT chain that allows all traffic from the tor user (or uid). This allows one to maintain non-tor-related outbound rules without interfering with tor itself. On a hypothetical system where the uid under which tor runs is 501, an iptables rule like this should work:
iptables -I OUTPUT -p tcp -m owner --uid-owner 501 -j ACCEPT
One resource for ideas on how to harden a system is the NSA. I for one have referenced these two docs on more than one occasion (clearnet links) and they can be adopted conceptually into many other distros:
http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf
http://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf
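To show where the owner rule from the reply above sits inside a complete default-deny egress policy, here is an added shell example (mine, not from this thread). It assumes the tor service account is named debian-tor, falls back to the hypothetical uid 501 from the mail when that account does not exist, and prints the rules for review rather than loading them unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original mail: a default-deny OUTPUT policy that
# exempts the tor service account, so tor can reach relays on any port while
# every other process stays under the normal outbound rules.

# Resolve the tor account to a numeric uid. "debian-tor" is the usual name on
# Debian-derived systems (an assumption); 501 is the hypothetical uid from the
# thread and is used only as a fallback when no such account exists.
tor_uid() {
    id -u "${1:-debian-tor}" 2>/dev/null || echo 501
}

# Emit the iptables commands one per line instead of running them, so the policy
# can be reviewed (or piped to sh as root) before it touches the live firewall.
# The owner match carries no "-p tcp": an exit relay also sends its own DNS
# lookups over UDP from the same uid, and the TCP-only form would break that.
egress_rules() {
    uid="$1"
    cat <<EOF
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $uid -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "
iptables -P OUTPUT DROP
EOF
}

# Number of ACCEPT rules tied to the given uid in the generated policy; a review
# of the output expects exactly one.
owner_rule_count() {
    egress_rules "$1" | grep -c -- "--uid-owner $1 -j ACCEPT"
}

# Print the policy for review; run as root with APPLY=1 to load it.
main() {
    uid=$(tor_uid "${TOR_USER:-debian-tor}")
    if [ "${APPLY:-0}" = 1 ]; then
        egress_rules "$uid" | sh -e
    else
        egress_rules "$uid"
    fi
}
main
```

The policy is flushed and rebuilt before the DROP default is set, so an existing SSH session survives the reload through the conntrack rule; the rate-limited LOG line makes anything the default policy drops visible in the kernel log.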