[tor-relays] iptables changes required to advertise on 80 and 443 and bind to different ports.

Tor Operator tor.ops at icloud.com
Sun Oct 13 04:42:05 UTC 2013


I’m running a Tor exit relay on ports 9030 for advertising directory connections and 9001 for advertising incoming Tor connections. In the spirit of proxy-proofing my relay, I’d like to expose the directory and Tor connections on 80 and 443. I’ve spent hours trying to get my iptables config correct, but never successfully.

I’m running CentOS 6 with SELinux enabled. Swap and /tmp are encrypted. SSH is set to public key auth only and limited to a single user. Root login is disabled, as is X11 forwarding. No other services are active and log retainment is set to a short interval. It’s a dedicated box in data center with a 100Mbit, unmetered networking connection. The box’s sole purpose in life is to be an exit node.

My current iptables looks like this:

# Generated by iptables-save v1.4.7 on Sat Oct 12 13:52:47 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 9030 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
-A OUTPUT -j ACCEPT 
COMMIT

I tried adding the following rules without success:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-ports 10091
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 443 -j REDIRECT --to-ports 10090

There was also a binding issue due to Tor being blocked from binding to 10091 and 10090, which I fixed with semanage port. But the logs still indicated that the ORPort and DirPort were not reachable from the outside.

I think I’m missing some other key iptables routing directives, but I can’t figure them out. I want 80 and 443 publicly exposed, but 10091 and 10090 to not be accessible from the internet.

I’ve read countless FAQs, how-tos, message board posts, Linux books, the Tor mailing lists, and the answer still eludes me. It’s maddening. If anyone can provide any assistance, I’d be greatly appreciative. 

If I’m running the directory connections on port 80, should I still set up a vhost on the relay with the exit notice or can I just point to it in the torrc file?

.cpj
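The setup asked about above, as an added example that is not part of the original post or of Tor's own documentation. The point it shows: a REDIRECT in the nat PREROUTING chain rewrites the destination port before the packet reaches the filter INPUT chain, so an INPUT rule that accepts `--dport 80` never matches; INPUT has to accept the local port instead. To keep 10091/10090 closed to clients that address them directly, the ACCEPT rules match on the connection's original destination port with the conntrack module, so only redirected connections get through and direct ones fall to the final REJECT. The interface name `eth0`, the 80→10091 and 443→10090 mapping, and the torrc lines in the comments are taken from or assumed to match the operator's setup.

```shell
#!/bin/sh
# Added example: prints a complete iptables-restore ruleset for a Tor relay
# that advertises DirPort 80 and ORPort 443 but listens on 10091 and 10090.
# Assumptions: public interface eth0; ports as in the mailing-list post.
# Matching torrc (assumed), so Tor advertises one port and listens on another:
#   DirPort 80 NoListen
#   DirPort 10091 NoAdvertise
#   ORPort 443 NoListen
#   ORPort 10090 NoAdvertise

IFACE=eth0
DIR_PUB=80;  DIR_LOCAL=10091
OR_PUB=443;  OR_LOCAL=10090

# Emit the ruleset on stdout. Nothing is applied unless the output is piped
# into iptables-restore; lines starting with '#' are ignored by that tool.
ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the destination port before routing. The packet then arrives in
# filter/INPUT with --dport already changed to the local port.
-A PREROUTING -i $IFACE -p tcp --dport $DIR_PUB -j REDIRECT --to-ports $DIR_LOCAL
-A PREROUTING -i $IFACE -p tcp --dport $OR_PUB -j REDIRECT --to-ports $OR_LOCAL
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Accept the local ports only for connections whose ORIGINAL destination was
# the public port, i.e. ones that went through REDIRECT. A client that
# connects straight to $DIR_LOCAL or $OR_LOCAL has ctorigdstport equal to the
# local port, matches nothing here, and is rejected below.
-A INPUT -p tcp --dport $DIR_LOCAL -m conntrack --ctorigdstport $DIR_PUB -j ACCEPT
-A INPUT -p tcp --dport $OR_LOCAL -m conntrack --ctorigdstport $OR_PUB -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j ACCEPT
COMMIT
EOF
}

# Running the script just prints the ruleset for review.
ruleset
```

Usage: review the output, then `sh tor-ports.sh | iptables-restore` as root, followed on CentOS 6 by `service iptables save` so the nat table survives a restart (the `iptables-save` dump in the post shows only `*filter`, which is why rules added by hand with `iptables -t nat` disappear after `service iptables restart`). The loopback ACCEPT stays, so the relay can still reach its own local ports. On the vhost question: Tor's `DirPortFrontPage` option serves a static HTML file at the DirPort root, so no separate web server or vhost is needed to publish the exit notice on port 80.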