[tor-relays] hardening a tor relay

Contra Band contra0band at yahoo.com
Thu May 22 00:23:45 UTC 2014


Hi all,

I'm impressed by Tor and its contribution to freedom of speech and have started to run some Tor relays. The first one is https://atlas.torproject.org/#details/DBE3CE33BA8BF1CB98091EE2A72690DF8218C2C3

and I have applied tight iptables rules to it, as below.

Can somebody advise what should be added or removed to make it more efficient for the Tor network?

=========iptables-rules.sh==========

#!/bin/sh
# Flushing all rules (IPv4 and IPv6)
iptables -F
iptables -X
ip6tables -F
ip6tables -X

# Setting default filter policy. ip6tables keeps its ACCEPT default unless
# it is set here too; with DROP, IPv6 admin access needs its own rules.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

# Allow unlimited traffic on loopback. This must come before the UDP drops,
# otherwise UDP to a local resolver on 127.0.0.1 is dropped as well.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# ipv4 udp drop all
iptables -A INPUT -p udp -j DROP
iptables -A OUTPUT -p udp -j DROP

# ipv6 udp drop all
ip6tables -A INPUT -p udp -j DROP
ip6tables -A OUTPUT -p udp -j DROP

# Allow incoming SSH (xxx = the SSH port)
iptables -A INPUT -p tcp --dport xxx -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport xxx -m state --state ESTABLISHED -j ACCEPT

# Allow incoming 443
iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing 443
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming 9050
iptables -A INPUT -p tcp --dport 9050 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 9050 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing 9050
iptables -A OUTPUT -p tcp --dport 9050 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 9050 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming 9051
iptables -A INPUT -p tcp --dport 9051 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 9051 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing 9051
iptables -A OUTPUT -p tcp --dport 9051 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 9051 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming 9001
iptables -A INPUT -p tcp --dport 9001 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 9001 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing 9001
iptables -A OUTPUT -p tcp --dport 9001 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 9001 -m state --state ESTABLISHED -j ACCEPT
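For comparison, a relay firewall written as an added example (not the poster's script and not Tor project code): one conntrack rule per chain replaces the per-port --sport ESTABLISHED pairs, new outbound TCP stays open because a relay dials other relays on whatever ORPort they chose, and UDP is limited to DNS and NTP instead of dropped outright. The ORPort, DirPort and SSH port are assumed sample arguments (9001, 9030, 22 by default); the function emits iptables-restore syntax for IPv4 so the ruleset can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example, not the poster's script: print an iptables-restore ruleset for a
# non-exit Tor relay (IPv4 only). Ports are constructed sample arguments.
# Review the output, then load it with:  iptables-restore < relay.rules
relay_rules() {
    orport="$1"; dirport="$2"; sshport="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback first, before any protocol-wide drop, so a resolver on 127.0.0.1 keeps working
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# one stateful rule per chain replaces the per-port "--sport N --state ESTABLISHED" pairs
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# services this host offers; SocksPort/ControlPort bind to localhost by default and need no rule
-A INPUT -p tcp --dport $sshport -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $orport -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $dirport -m conntrack --ctstate NEW -j ACCEPT
# a relay dials other relays on whatever ORPort they chose, so new outbound TCP stays open
-A OUTPUT -p tcp -m conntrack --ctstate NEW -j ACCEPT
# UDP only where the host needs it: DNS and NTP (a relay needs an accurate clock)
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
# rate-limited ping; ICMP errors for existing flows already match RELATED above
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
COMMIT
EOF
}

# Defaults are sample values: ORPort 9001, DirPort 9030, SSH 22.
relay_rules "${1:-9001}" "${2:-9030}" "${3:-22}"
```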



Thanks


Simon
