Tor/Iptables Question

Kyle Williams kyle.kwilliams at gmail.com
Thu Aug 20 13:11:25 UTC 2009


Maybe this will work for you.  FYI, I changed your iptables rules some and
recalled the rest from memory, so it's iffy.
------------------------------------------------------------------------------------------------------------------------
#allow connections to privoxy
iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner torify -j ACCEPT
#allow connections to Tor
iptables -A OUTPUT -o lo -p tcp --dport 9050 -j ACCEPT
#allow any existing or related connections (the replies to connections this
#host opened; without this the INPUT DROPs at the end also eat the replies)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow Tor to access hidden service, virtual machine
iptables -A OUTPUT -o lo -p tcp --dport 8888 -j ACCEPT
#allow the redirected torify traffic to reach Tor's TransPort (filter OUTPUT
#sees the rewritten destination, so the REJECT below would otherwise hit it)
iptables -A OUTPUT -o lo -p tcp --dport 9095 -m owner --uid-owner torify -j ACCEPT

#re-route all outbound traffic from user "torify" to localhost
# MAKE SURE YOUR TransPort and DNSPort MATCH WHAT TOR IS USING
#Tor's TransPort, to handle all traffic transparently
#(REDIRECT needs -p tcp to take a port; "! -o lo" leaves torify's own
#loopback connections to privoxy and Tor untouched)
iptables -t nat -A OUTPUT ! -o lo -p tcp -m owner --uid-owner torify -j REDIRECT --to-ports 9095
#Tor's DNSPort, to handle DNS lookups (-p udp has to come before --dport)
iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner torify -j REDIRECT --to-ports 9035

#drop all traffic to localhost from localhost
iptables -A OUTPUT -o lo -p tcp -m owner --uid-owner torify -j REJECT
#disallow all external incoming connections
iptables -A INPUT -p tcp -j DROP
iptables -A INPUT -p udp -j DROP
iptables -A INPUT -p icmp -j DROP
------------------------------------------------------------------------------------------------------------------------

Hope that helps/works.

- Kyle


On Thu, Aug 20, 2009 at 4:55 AM, Ringo <2600denver at gmail.com> wrote:

> I've run into a problem. My model is that a user "torify" has all
> traffic forwarded to localhost. From there, it should all be dropped
> except connections to privoxy (port 8118). It all works up until the
> last iptables command. I assume this is blocking all incoming traffic,
> including traffic I've initiated, but I could be interpreting it wrong.
> I can't connect to any websites, but I can send requests out. Is there
> anything obvious I'm missing or a something I should add?
>
> #allow connections to privoxy
> iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner torify -j ACCEPT
> #allow connections to Tor
> iptables -A OUTPUT -o lo -p tcp --dport 9050 -j ACCEPT
> #re-route all outbound traffic to localhost
> iptables -t nat -A OUTPUT -m owner --uid-owner torify -j DNAT --to-destination 127.0.0.1
> #drop all traffic to localhost from localhost
> iptables -A OUTPUT -o lo -p tcp -m owner --uid-owner torify -j REJECT
> #allow Tor to access hidden service, virtual machine
> iptables -A OUTPUT -o lo -p tcp --dport 8888 -j ACCEPT
> #disallow all external incoming connections
> sudo iptables -A INPUT -p TCP -j DROP
>
> Thanks for any help you all can offer. I know this stuff may seem basic
> to a lot of people but it's complicated for me and I'm trying to help
> hidden service operators here who know even less than I.
>
> Ringo
>
> Kyle Williams wrote:
> > I believe if you just remove --dport, then everything (all ports) are
> > assumed.
> >
> > On Wed, Aug 19, 2009 at 1:01 PM, Ringo <2600denver at gmail.com> wrote:
> >
> >> "I prevent all users other than root from connecting to the Tor Control
> >> port with an
> >>> iptables rule which looks like this:
> >>>
> >>> iptables -A OUTPUT -o lo -p tcp --dport 9051 -m owner ! --uid-owner
> >> root -j REJECT"
> >>
> >> Thanks! That should work perfectly. Is there any way to make dport a
> >> wildcard?
> >>
> >> Ringo
> >>
> >
>
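An added example, not code from either poster: a small model of how the filter-table rules in this thread evaluate packets, showing why Ringo's blanket INPUT DROP also discards the replies to connections the torify user opened (the "can send requests but never connect" symptom) while Kyle's ESTABLISHED,RELATED rule lets them through. It models only the filter table (the nat rules are left out), assumes a default chain policy of ACCEPT, and the packets are constructed.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    chain: str            # "INPUT" or "OUTPUT"
    proto: str            # "tcp", "udp" or "icmp"
    oif: str = ""         # output interface on OUTPUT ("lo", "eth0")
    dport: int = 0
    uid: str = ""         # socket owner, only meaningful on OUTPUT
    state: str = "NEW"    # conntrack state: NEW, ESTABLISHED or RELATED

def rule(chain, target, proto=None, oif=None, dport=None, uid=None, state=None):
    # one filter rule; a criterion left as None matches anything, like an omitted flag
    return dict(chain=chain, target=target, proto=proto, oif=oif,
                dport=dport, uid=uid, state=state)

def matches(r, p):
    return all(r[k] is None or r[k] == getattr(p, k) for k in ("proto", "oif", "dport", "uid")) \
        and (r["state"] is None or p.state in r["state"])

def verdict(rules, p, policy="ACCEPT"):
    # first matching rule in the packet's chain decides, otherwise the chain policy
    for r in rules:
        if r["chain"] == p.chain and matches(r, p):
            return r["target"]
    return policy

# Ringo's filter rules in posted order (the nat DNAT rule is not modelled)
RINGO = [rule("OUTPUT", "ACCEPT", "tcp", "lo", 8118, "torify"),
         rule("OUTPUT", "ACCEPT", "tcp", "lo", 9050),
         rule("OUTPUT", "REJECT", "tcp", "lo", uid="torify"),
         rule("OUTPUT", "ACCEPT", "tcp", "lo", 8888),
         rule("INPUT", "DROP", "tcp")]
# Kyle's version: ESTABLISHED,RELATED is accepted on INPUT ahead of the DROPs
KYLE = [rule("OUTPUT", "ACCEPT", "tcp", "lo", 8118, "torify"),
        rule("OUTPUT", "ACCEPT", "tcp", "lo", 9050),
        rule("INPUT", "ACCEPT", state={"ESTABLISHED", "RELATED"}),
        rule("OUTPUT", "ACCEPT", "tcp", "lo", 8888),
        rule("OUTPUT", "REJECT", "tcp", "lo", uid="torify"),
        rule("INPUT", "DROP", "tcp"), rule("INPUT", "DROP", "udp"),
        rule("INPUT", "DROP", "icmp")]

# constructed packets: privoxy's reply arriving on INPUT (ESTABLISHED, since conntrack
# saw torify's outbound SYN), and torify reaching some other local port
REPLY = Pkt("INPUT", "tcp", dport=40000, state="ESTABLISHED")
TORIFY_OTHER = Pkt("OUTPUT", "tcp", "lo", 8080, "torify")

def compare():
    return {name: (verdict(rs, REPLY), verdict(rs, TORIFY_OTHER))
            for name, rs in (("ringo", RINGO), ("kyle", KYLE))}
```

`compare()` returns the verdict pair (reply to torify, torify to another local port) per ruleset; both rulesets still reject torify's stray loopback connections, only the reply handling differs.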