Tor/Iptables Question

Ringo 2600denver at gmail.com
Sat Aug 22 02:29:37 UTC 2009


"This rule will go right at the top of the iptables rules (-I = Insert),
and it ACCEPTS every packet that enter through your "lo" (loopback)
network interface, which is used for internal communications."

Unfortunately, this is a little too permissive. Quite a few programs
listen on lo, including CUPS which could give an attacker with access to
lo quite a bit of sensitive information. We only want the user "torify"
to be able to access 8118 and 9050. If the other users can access other
ports, this is fine but the first priority if to block the torify user
from accessing anything aside from Tor.

Ringo



Renato Callado Borges wrote:
> On Fri, Aug 21, 2009 at 08:07:30PM -0400, Ringo wrote:
>> "You're dropping all incoming TCP traffic! This must be switched.
>> And you should use conntrack (it replaces state)."
>>
>> Good point! I gave the following config a test. Here's what --list-rules
>> gave me.
>>
>> -P INPUT ACCEPT
>> -P FORWARD ACCEPT
>> -P OUTPUT ACCEPT
>> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -p tcp -j DROP
>> -A INPUT -p udp -j DROP
>> -A INPUT -p icmp -j DROP
>> -A OUTPUT -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner torify
>> -j ACCEPT
>> -A OUTPUT -o lo -p tcp -m tcp --dport 9050 -j ACCEPT
>> -A OUTPUT -o lo -p tcp -m tcp --dport 8118 -j ACCEPT
>> -A OUTPUT -o lo -p tcp -m tcp --dport 8888 -j ACCEPT
>> -A OUTPUT -o lo -p tcp -m owner --uid-owner torify -j REJECT
>> --reject-with icmp-port-unreachable
>>
>> The main user "user" can browse the internet just fine (yay!) and
>> "torify" can't connect to anything (yay!), even privoxy on localhost
>> (sad). Unfortunately, no user on the computer can reach privoxy. I
>> confirmed it was up and running, and that tor was. A wget using it as a
>> proxy just says "connecting" and never gets past that. I also tried
>> restarting privoxy/tor just to be sure they weren't flaking and that
>> didn't seem to be it.
>>
>> Any ideas?
> 
> I know this thread has being going on for some time, but I haven't read it before, too busy. If I'm repeating something already said, or ignoring some constraint not present in this latest message, I apologise.
> 
> AFAIK, you need to be able to create connections from your machine to itself. You can check this need by running "netstat -tc" on a working torrified browsing session. You should see some "localhost" to "localhost" connections.
> 
> Proto Recv-Q Send-Q Local Address           Foreign Address         State      
> tcp        0      0 localhost:33435         localhost:8118          ESTABLISHED
> 
> These connections, to my knowledge, are done via the loopback interface. So you need this rule:
> 
> /sbin/iptables -I INPUT 1 -i lo -j ACCEPT
> 
> This rule will go right at the top of the iptables rules (-I = Insert), and it ACCEPTS every packet that enter through your "lo" (loopback) network interface, which is used for internal communications.
> 
> Hope it helps.
> []s
> 
>> Ringo
>>
>> Simon Ruderich wrote:
>>> On Thu, Aug 20, 2009 at 09:34:23AM -0400, Ringo wrote:
>>>> Ok so I added this one (which seemed like the only one that would open
>>>> things up) and still no luck:
>>>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>>
>>>> Here's a export of my current rules:
>>>>
>>>> # Generated by iptables-save v1.4.1.1 on Thu Aug 20 09:28:22 2009
>>>> *filter
>>>> :INPUT ACCEPT [9850:7346270]
>>>> :FORWARD ACCEPT [0:0]
>>>> :OUTPUT ACCEPT [10373:5920044]
>>>> -A INPUT -p tcp -j DROP
>>>> -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
>>>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> You're dropping all incoming TCP traffic! This must be switched.
>>> And you should use conntrack (it replaces state).
>>>
>>>     -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>>>     -A INPUT -j DROP
>>>
>>> But I'm not sure if this is necessary at all. You could accept
>>> all incoming traffic.
>>>
>>>> -A OUTPUT -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner torify -j ACCEPT
>>>> -A OUTPUT -o lo -p tcp -m tcp --dport 9050 -j ACCEPT
>>>> -A OUTPUT -o lo -p tcp -m owner --uid-owner torify -j REJECT --reject-with icmp-port-unreachable
>>>> -A OUTPUT -o lo -p tcp -m tcp --dport 8888 -j ACCEPT
>>>> COMMIT
>>>>
>>>> [snip]
>>> I haven't tested it so I'm not sure it will work.
>>>
>>> Hope this helps,
>>> Simon
> 



More information about the tor-talk mailing list