More flexible IP-tables and TOR ?

heidenheim at attac.de heidenheim at attac.de
Wed Aug 25 05:46:03 UTC 2010


It is certainly cool to ONLY allow Tor to the internet, but in my
opinion in real world, there are some connections/circumstances where
you want don't want to have Tor in the middle: Mail, Webaccounts,
data-intensive downloads/upgrades. 
I think, that's where p.e. Torbutton comes in ... and the trouble
starts. 

Being certainly *NOT* a firewall-expert, I'm using "Firestarter" to
handle my IPtables-Configuration. 

I configured the TransparentProxy via the Firestarter user-pre-file from
this source: https://techstdout.boum.org/TorDns/#index1h2:

------------------------------
TOR_DNS=enabled
TOR_USER='debian-tor'
TOR_UID="`getent passwd $TOR_USER | awk -F: '{print $3}'`"

if [ "$TOR_DNS" = enabled -a -n "$TOR_UID" ]; then
        # Let the Tor-generated packets go
        $IPT -t nat -A OUTPUT -o $IF -m owner --uid-owner $TOR_UID -j RETURN
        # Let the packets to non-routables (i.e. local) networks go
        while read block garbage
        do
                $IPT -t nat -A OUTPUT -o $IF -d $block -j RETURN
        done < /etc/firestarter/non-routables
        # Redirect to the local (torified) nameserver any DNS connection left
        $IPT -t nat -A OUTPUT -o $IF -p tcp --dport 53 -j REDIRECT --to-ports 53
        $IPT -t nat -A OUTPUT -o $IF -p udp --dport 53 -j REDIRECT --to-ports 53
else
        echo Warning: DNS forwarding through Tor is disabled.
fi
------------------------------
I don't know why, but I assume with this option, Tor drops the connection after some time. So I set torrc: KeepalivePeriod 20
and now it works for me.

Firestarter outgoing rules (whitelist) : Allow port 80 and , 143, 443 from firewall.

I don't know if that configuration makes any sense, but it seems more flexible for me.

Improvements very welcome,

Niklas



Am Dienstag, den 24.08.2010, 14:33 -0400 schrieb Andrew Lewman:
> On Tue, 24 Aug 2010 13:54:14 -0400
> Michael Gomboc <michael.gomboc at gmail.com> wrote:
> 
> > Could some net filter expert give me some advise how to use iptables
> > with TOR?
> 
> For your specific question,
> https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/BlockNonTorTrafficDebian
> 
> For the larger question of pushing traffic through tor:
> https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy
> 


***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/



More information about the tor-talk mailing list