[tor-relays] Relay Security

Tomas Sironi sironitomas at gmail.com
Tue Jul 5 03:57:55 UTC 2011


No, my home router is only accessible from the LAN. So, if you are sure Tor
really blocks the local address space, then I shouldn't need to use iptables.
But I want to be sure first. I couldn't find anything about this in the
online manual.

On Mon, Jul 4, 2011 at 11:31 PM, Justin Aplin <japlin at gmail.com> wrote:

> On Jul 4, 2011, at 9:19 PM, Tomas Sironi wrote:
>
> Hi people. I'm new with Tor and I'm very interested in this project.
>
> I'm now being a relay, only acting as middleman (no exits). I would like to
> contribute more by having some services as exit.
> However I'm concerned about security. The machine I'm running as a relay is
> a PC in my home. From it, I have access to my router's web interface. The
> problem if I act as an exit for the port 80, would be that anyone can log
> into (or try to) my home router just by pointing to its IP address. Am I
> right?
>
>
> If the router interface is publicly accessible from the (outside) internet,
> then yes. If it's only available on the LAN, then no. By default tor blocks
> access to local address space, and I believe this is only not the case if it
> is set up as an exit enclave. For example, both of my routers have the
> following restrictions, even though I did not specify them in my torrc:
>
> reject 0.0.0.0/8:*
> reject 169.254.0.0/16:*
> reject 127.0.0.0/8:*
> reject 192.168.0.0/16:*
> reject 10.0.0.0/8:*
> reject 172.16.0.0/12:*
> reject 97.102.75.60:*
>
> I've thought about using iptables to block outgoing connections from the
> relay to my router using
>
> iptables -A OUTPUT -d 192.168.15.1 -j DROP
>
> Not sure that's the correct line to do that. It blocks ping requests but I
> still can access the web interface of my router from that PC. Can anyone
> help me here?
>
>
> I believe what you want is the following:
>
> # /sbin/iptables -A OUTPUT -p tcp -d 192.168.15.1 --dport 80 -j DROP
> # /sbin/service iptables save
>
> Thanks for running an exit!
>
> ~Justin Aplin


-- 

Tomas  Sironi
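
The following is an added example, not part of the original messages or of Tor's own code: a small first-match evaluator for exit-policy lines in the `reject ADDR/MASK:PORT` form quoted above, used to check whether a destination such as the router at 192.168.15.1:80 is covered by the quoted private-range rejects. The function names are hypothetical, only IPv4 patterns are handled, and the fall-through to "accept" when no rule matches is an assumption of this sketch.

```python
import ipaddress

# Private/local reject lines as quoted in the thread
# (the relay's own public-address line is left out).
DEFAULT_REJECTS = """\
reject 0.0.0.0/8:*
reject 169.254.0.0/16:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
"""

def parse_policy(text):
    """Parse 'accept|reject ADDR[/MASK]:PORT' lines into (action, net, lo, hi)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, pattern = line.split(None, 1)
        if action not in ("accept", "reject"):
            raise ValueError(f"unknown action: {action!r}")
        addr, _, port = pattern.rpartition(":")
        # '*' matches any address; a bare address becomes a /32 network.
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if port == "*":
            lo, hi = 1, 65535
        else:
            first, _, last = port.partition("-")
            lo, hi = int(first), int(last or first)
        rules.append((action, net, lo, hi))
    return rules

def evaluate(rules, dest_ip, dest_port):
    """Return (action, index of matching rule); the first matching rule wins."""
    ip = ipaddress.ip_address(dest_ip)
    for i, (action, net, lo, hi) in enumerate(rules):
        if (net is None or ip in net) and lo <= dest_port <= hi:
            return action, i
    return "accept", None  # assumption: no matching rule means accept

if __name__ == "__main__":
    rules = parse_policy(DEFAULT_REJECTS)
    # Router address from the thread, then a constructed documentation-range address.
    for dest in [("192.168.15.1", 80), ("203.0.113.7", 80)]:
        print(dest, evaluate(rules, *dest))
```
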