More flexible IP-tables and TOR ?

heidenheim at heidenheim at
Wed Aug 25 05:46:03 UTC 2010

It is certainly cool to ONLY allow Tor to the internet, but in my
opinion in the real world there are some connections/circumstances where
you don't want to have Tor in the middle: mail, web accounts,
data-intensive downloads/upgrades.
I think that's where e.g. Torbutton comes in ... and the trouble.

Being certainly *NOT* a firewall expert, I'm using "Firestarter" to
handle my iptables configuration.

I configured the TransparentProxy via the Firestarter user-pre-file from
this source:

# IPT, IF, TOR_USER and TOR_DNS are expected to be set by Firestarter's environment
TOR_UID="`getent passwd $TOR_USER | awk -F: '{print $3}'`"

if [ "$TOR_DNS" = enabled -a -n "$TOR_UID" ]; then
        # Let the Tor-generated packets go
        $IPT -t nat -A OUTPUT -o $IF -m owner --uid-owner $TOR_UID -j RETURN
        # Let the packets to non-routable (i.e. local) networks go
        while read block garbage; do
                $IPT -t nat -A OUTPUT -o $IF -d $block -j RETURN
        done < /etc/firestarter/non-routables
        # Redirect to the local (torified) nameserver any DNS connection left
        $IPT -t nat -A OUTPUT -o $IF -p tcp --dport 53 -j REDIRECT --to-ports 53
        $IPT -t nat -A OUTPUT -o $IF -p udp --dport 53 -j REDIRECT --to-ports 53
else
        echo Warning: DNS forwarding through Tor is disabled.
fi
I don't know why, but I assume that with this option Tor drops the connection after some time. So I set in torrc: KeepalivePeriod 20
and now it works for me.

Firestarter outgoing rules (whitelist): allow ports 80, 143 and 443 from the firewall.

I don't know if that configuration makes any sense, but it seems more flexible for me.

Improvements very welcome,


On Tuesday, 24.08.2010, 14:33 -0400, Andrew Lewman wrote:
> On Tue, 24 Aug 2010 13:54:14 -0400
> Michael Gomboc <michael.gomboc at> wrote:
> > Could some net filter expert give me some advice how to use iptables
> > with TOR?
> For your specific question,
> For the larger question of pushing traffic through tor:
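As an added example (not from the post, Firestarter or Tor), here is a dry-run version of the same rule set: it prints the nat OUTPUT rules so they can be reviewed before being applied, with the non-routables list embedded inline as a constructed stand-in for /etc/firestarter/non-routables, and only installs them when run with --apply. The interface, the Tor user name and the DNS port are assumed placeholders to be adjusted to the local torrc.

```shell
#!/bin/sh
# Added example, not from the post or Firestarter: print the nat OUTPUT rules
# for the DNS-through-Tor setup so they can be reviewed before being applied.
# Interface, Tor user and DNS port below are assumed placeholders.
IPT="${IPT:-iptables}"
IF="${IF:-eth0}"
TOR_USER="${TOR_USER:-debian-tor}"
TOR_DNS_PORT="${TOR_DNS_PORT:-53}"

# Constructed stand-in for /etc/firestarter/non-routables (one block per line)
NON_ROUTABLES="# local and private ranges, never sent to Tor
127.0.0.0/8
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16"

# Emit the rules in order: Tor's own packets and local networks RETURN first,
# then whatever DNS traffic is left is redirected to the torified resolver.
tor_nat_rules() {
    uid="$1"
    echo "$IPT -t nat -A OUTPUT -o $IF -m owner --uid-owner $uid -j RETURN"
    printf '%s\n' "$NON_ROUTABLES" | while read block garbage; do
        case "$block" in ''|'#'*) continue ;; esac   # skip blanks and comments
        echo "$IPT -t nat -A OUTPUT -o $IF -d $block -j RETURN"
    done
    for proto in tcp udp; do
        echo "$IPT -t nat -A OUTPUT -o $IF -p $proto --dport 53 -j REDIRECT --to-ports $TOR_DNS_PORT"
    done
}

# Number of rules that would be installed (sanity check before applying)
tor_nat_rule_count() {
    tor_nat_rules "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--apply" ]; then
    TOR_UID="$(getent passwd "$TOR_USER" | awk -F: '{print $3}')"
    [ -n "$TOR_UID" ] || { echo "no uid for $TOR_USER; not applying" >&2; exit 1; }
    tor_nat_rules "$TOR_UID" | sh -e
else
    tor_nat_rules "${TOR_UID:-TOR_UID_PLACEHOLDER}"
fi
```

Run it without arguments to inspect the rules; rule order matters, since a REDIRECT placed before the RETURN exemptions would also catch Tor's own resolver traffic and local DNS.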

More information about the tor-talk mailing list