[tor-relays] Relay Security

Justin Aplin japlin at gmail.com
Tue Jul 5 02:31:05 UTC 2011


On Jul 4, 2011, at 9:19 PM, Tomas Sironi wrote:

> Hi people. I'm new with Tor and I'm very interested in this project.
> 
> I'm now being a relay, only acting as middleman (no exits). I would like to contribute more by having some services as exit.
> However I'm concerned about security. The machine I'm running as a relay is a PC in my home. From it, I have access to my router's web interface. The problem if I act as an exit for the port 80, would be that anyone can log into (or try to) my home router just by pointing to its IP address. Am I right?

If the router interface is publicly accessible from the (outside) internet, then yes. If it's only available on the LAN, then no. By default Tor blocks access to local address space, and I believe this is only not the case if it is set up as an exit enclave. For example, both of my routers have the following restrictions, even though I did not specify them in my torrc:

reject 0.0.0.0/8:*
reject 169.254.0.0/16:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
reject 97.102.75.60:*

> I've thought about using iptables to block outgoing connections from the relay to my router using
> 
> iptables -A OUTPUT -d 192.168.15.1 -j DROP
> 
> Not sure that's the correct line to do that. It blocks ping requests but I still can access the web interface of my router from that PC. Can anyone help me here?

I believe what you want is the following:

# /sbin/iptables -A OUTPUT -p tcp -d 192.168.15.1 --dport 80 -j DROP
# /sbin/service iptables save

Thanks for running an exit!

~Justin Aplin
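
The exit policy lines quoted in the reply above can be checked against a destination with a first-match evaluator. This is an added example, not part of the original message and not Tor's own code; the function names, the constructed sample targets, and the `default` used when no listed rule matches (standing in for the rest of the policy, which the message does not show) are assumptions.

```python
import ipaddress

# Exit policy lines as quoted in the message above.
POLICY = """\
reject 0.0.0.0/8:*
reject 169.254.0.0/16:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
reject 97.102.75.60:*
"""

def parse_policy(text):
    """Parse 'accept|reject ADDR[/MASK]:PORT' lines into (action, network, ports)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, pattern = line.split(None, 1)
        if action not in ("accept", "reject"):
            raise ValueError(f"unsupported action: {action!r}")
        addr, _, port = pattern.rpartition(":")
        net = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr, strict=False)
        if port == "*":
            ports = (1, 65535)
        else:
            lo, _, hi = port.partition("-")
            ports = (int(lo), int(hi or lo))
        rules.append((action, net, ports))
    return rules

def decide(rules, ip, port, default="accept"):
    """Return the action of the first rule matching ip:port (first match wins)."""
    ip = ipaddress.ip_address(ip)
    for action, net, (lo, hi) in rules:
        if ip in net and lo <= port <= hi:
            return action
    return default  # assumption: stands in for policy lines not shown in the message

RULES = parse_policy(POLICY)

if __name__ == "__main__":
    # Constructed targets: the router from the question, a LAN host, a documentation address.
    for target in [("192.168.15.1", 80), ("10.1.2.3", 443), ("203.0.113.10", 80)]:
        print(target, decide(RULES, *target))
```

Because the first match wins, an `accept` line placed above these rejects would override them, so rule order matters when editing a torrc by hand.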
