Iptables configuration for a transparent proxy for a single user
leandro noferini
lnoferin at cybervalley.org
Thu May 14 21:16:47 UTC 2009
leandro noferini ha scritto:
[...]
> Ok, now ipfilter does not complain but I cannot connect anymore.
>
> :-(
>
> I will investigate more.
I applied these rules for iptables (in this order):
iptables -A OUTPUT -p tcp -m owner --uid-owner anonymous -m tcp --syn -j REDIRECT --to-ports 9040
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53
iptables -A OUTPUT -m owner --uid-owner anonymous -j DROP
that gave this firewall.rules (saved with iptables-save)
# Generated by iptables-save v1.4.3.2 on Thu May 14 22:38:12 2009
*filter
:INPUT ACCEPT [16071:6425763]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [15031:2354190]
-A OUTPUT -m owner --uid-owner anonymous -j DROP
COMMIT
# Completed on Thu May 14 22:38:12 2009
# Generated by iptables-save v1.4.3.2 on Thu May 14 22:38:12 2009
*nat
:PREROUTING ACCEPT [350:71565]
:POSTROUTING ACCEPT [264:19517]
:OUTPUT ACCEPT [264:19517]
-A OUTPUT -p tcp -m owner --uid-owner anonymous -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53
COMMIT
# Completed on Thu May 14 22:38:12 2009
But now the user cannot connect anywhere and if I try to see what the
configuration for iptables is I get this
minchioncino:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere owner UID match anonymous
I think this is not correct because all traffic coming from the user is
dropped, right?
--
Ciao
leandro
Io non voglio sapere tutto, io voglio capire tutto
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 306 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20090514/49c840be/attachment.pgp>
More information about the tor-talk
mailing list