Iptables configuration for a transparent proxy for a single user

leandro noferini lnoferin at cybervalley.org
Thu May 14 21:16:47 UTC 2009


leandro noferini wrote:


[...]

> Ok, now ipfilter does not complain but I cannot connect anymore.
> 
> :-(
> 
> I will investigate more.

I applied these rules for iptables (in this order):

# nat table: REDIRECT is only valid here (the saved rules below show it under *nat)
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner anonymous -m tcp --syn -j REDIRECT --to-ports 9040
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53
# filter table: drop everything else this user sends
iptables -A OUTPUT -m owner --uid-owner anonymous -j DROP

that gave this firewall.rules (saved with iptables-save)

# Generated by iptables-save v1.4.3.2 on Thu May 14 22:38:12 2009
*filter
:INPUT ACCEPT [16071:6425763]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [15031:2354190]
-A OUTPUT -m owner --uid-owner anonymous -j DROP 
COMMIT
# Completed on Thu May 14 22:38:12 2009
# Generated by iptables-save v1.4.3.2 on Thu May 14 22:38:12 2009
*nat
:PREROUTING ACCEPT [350:71565]
:POSTROUTING ACCEPT [264:19517]
:OUTPUT ACCEPT [264:19517]
-A OUTPUT -p tcp -m owner --uid-owner anonymous -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040 
-A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53 
COMMIT
# Completed on Thu May 14 22:38:12 2009

But now the user cannot connect anywhere, and if I try to see what the
iptables configuration is I get this

minchioncino:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             owner UID match anonymous

I think this is not correct, because all traffic coming from the user is
dropped, right?


-- 
Ciao
leandro
I don't want to know everything, I want to understand everything
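The ruleset quoted in the message above has an ordering problem that the `iptables -L` output makes visible: the nat-table REDIRECT rewrites the user's packets to 127.0.0.1:9040 (or :53), but the packets still belong to uid `anonymous`, so the single filter-table `DROP` then discards them too. The following script is an added example, not the poster's rules or anything from the Tor project; it keeps the page's values (user `anonymous`, TransPort 9040, DNS on port 53) and assumes Tor's TransPort and DNSPort are listening on 127.0.0.1 at those ports and that Tor itself runs as a different uid. The two `ACCEPT` rules for the redirected destinations are what the original ruleset lacks.

```shell
#!/bin/sh
# Per-user transparent Tor proxy rules (added example; not from the original post).
# Assumptions: user "anonymous", Tor TransPort 9040 and DNSPort 53 bound on
# 127.0.0.1, Tor running under another uid. Set IPT=echo to preview the
# commands without touching the kernel.
IPT="${IPT:-iptables}"
USER_NAME="${USER_NAME:-anonymous}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-53}"

# Print the rules, one iptables argument list per line, in the order they must
# be applied. Printing (instead of running) lets the order be reviewed first.
emit_rules() {
    # nat/OUTPUT: rewrite the user's packets before routing. Matching the SYN is
    # enough; conntrack NATs the rest of each TCP connection. --syn is the same
    # as --tcp-flags FIN,SYN,RST,ACK SYN seen in the iptables-save output.
    printf '%s\n' "-t nat -A OUTPUT -p udp -m owner --uid-owner $USER_NAME --dport 53 -j REDIRECT --to-ports $DNS_PORT"
    printf '%s\n' "-t nat -A OUTPUT -p tcp -m owner --uid-owner $USER_NAME --syn -j REDIRECT --to-ports $TRANS_PORT"
    # filter/OUTPUT: by now the destination is already 127.0.0.1:TRANS_PORT or
    # 127.0.0.1:DNS_PORT, and the owner is still the user, so these ACCEPTs must
    # come BEFORE the DROP or the DROP swallows the redirected traffic as well.
    printf '%s\n' "-A OUTPUT -p tcp -m owner --uid-owner $USER_NAME -d 127.0.0.1 --dport $TRANS_PORT -j ACCEPT"
    printf '%s\n' "-A OUTPUT -p udp -m owner --uid-owner $USER_NAME -d 127.0.0.1 --dport $DNS_PORT -j ACCEPT"
    # Anything else from the user (non-TCP, non-DNS UDP, ICMP, anything that was
    # not redirected) is dropped so nothing leaks around Tor.
    printf '%s\n' "-A OUTPUT -m owner --uid-owner $USER_NAME -j DROP"
}

# Apply the rules with $IPT. Stops at the first failing invocation.
apply_rules() {
    emit_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into arguments is intended
        $IPT $rule || return 1
    done
}

# Self-check: every ACCEPT must precede the final DROP in the filter chain.
check_order() {
    emit_rules | awk '/-j DROP/ {drop=NR} /-j ACCEPT/ {acc=NR} END {exit !(acc && drop && acc < drop)}'
}
```

To review before applying, run `IPT=echo sh -c '. ./tor-user-rules.sh; apply_rules'`; as root, `apply_rules` installs the rules. Note that plain `iptables -L` only shows the filter table, which is why the message above shows nothing but the DROP: use `iptables -t nat -L -n` to see the REDIRECT rules as well.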