Torlock - a simple script to prevent outgoing packets from bypassing Tor.

Marcin Kowalczyk marcin at kowalczyk-online.com
Mon Mar 1 19:22:06 UTC 2010


This may be interesting for you as well:

This is what iptables-save produces on an Amnesia system:


# Generated by iptables-save v1.4.2 on Mon Mar  1 18:22:07 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [133:8080]
:OUTPUT ACCEPT [134:8341]
-A OUTPUT -d 192.168.0.0/16 -j RETURN 
-A OUTPUT -d 10.0.0.0/8 -j RETURN 
-A OUTPUT -d 172.16.0.0/12 -j RETURN 
-A OUTPUT -d 127.0.0.0/9 -j RETURN 
-A OUTPUT -d 127.128.0.0/10 -j RETURN 
-A OUTPUT -m owner --uid-owner debian-tor -j RETURN 
-A OUTPUT -p tcp -m owner --uid-owner ntpdate -m tcp --dport 123 -j RETURN
-A OUTPUT -p udp -m owner --uid-owner ntpdate -m udp --dport 123 -j RETURN
-A OUTPUT -p tcp -m owner --uid-owner ntpdate -m tcp --dport 53 -j RETURN
-A OUTPUT -p udp -m owner --uid-owner ntpdate -m udp --dport 53 -j RETURN
-A OUTPUT -d 127.192.0.0/10 -p tcp -m tcp -j DNAT --to-destination 127.0.0.1:9040
-A OUTPUT -o ! lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DNAT --to-destination 127.0.0.1:9040
COMMIT
# Completed on Mon Mar  1 18:22:07 2010
# Generated by iptables-save v1.4.2 on Mon Mar  1 18:22:07 2010
*filter
:INPUT ACCEPT [15615:7102432]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -d 192.168.0.0/16 -j ACCEPT 
-A OUTPUT -d 10.0.0.0/8 -j ACCEPT 
-A OUTPUT -d 172.16.0.0/12 -j ACCEPT 
-A OUTPUT -d 127.0.0.0/8 -j ACCEPT 
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT 
-A OUTPUT -p tcp -m owner --uid-owner ntpdate -m tcp --dport 123 -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner ntpdate -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner ntpdate -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner ntpdate -m udp --dport 53 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable 
COMMIT
# Completed on Mon Mar  1 18:22:07 2010

They allow NTP connections since Tor really likes an accurate date/time.
They also do some .onion-related stuff that I don't get (this might be
the 172.16.0.0/12?)

I don't know much about iptables and Linux in general, but maybe this
helps.

M.K.


On Monday, 01.03.2010, 15:04 +0000, Irratar wrote:
> Hello.
> 
> I have created a simple Bash script to prevent any data from bypassing Tor
> when Tor is running. I started it to use just for myself, but now I think
> it will be better to share it with other users of Tor.
> 
> This script, named Torlock, does the following things when used to start Tor:
> - Creates a special user named torlock by default (if you run it for the first
>  time or have removed that user after a previous Tor session).
> - Uses iptables to block network access for everyone except torlock.
> - Setuids to torlock and starts Tor. Tor will be started in background mode,
>  and its output redirected to a file.
> 
> When used to stop Tor, it stops Tor, unlocks network access, and (optionally)
> removes torlock user.
> 
> More information is in the included text file. Even more can be obtained by reading
> the script. It is small, simple, and easy to make sure it's not
> backdoored. The script can be downloaded from Sourceforge:
> http://sourceforge.net/projects/torlock/files/
> 
> In spite of its simplicity, Torlock saved me at least twice when I forgot to
> switch Torbutton on.
> 
> With best regards,
> Irratar.


***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/
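An added audit helper, not code from Torlock or Amnesia: it reads an iptables-save dump like the one above and reports every filter OUTPUT rule that lets new traffic leave without an owner match, an established-connection match or a local destination, and warns when the chain is fail-open (policy ACCEPT with no final unconditional REJECT/DROP). The LOCAL_NETS list, the function names and the sample dump are my own assumptions and constructed data.

```python
import ipaddress, shlex

# Destinations the Amnesia ruleset exempts from Tor (LAN ranges and loopback); assumed list.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def rule_options(tokens):
    # Flag -> value map; '! -d x' is keyed '!-d' so a negated match is never read as a plain one.
    toks, opts, i = " ".join(tokens).replace("! -", "!-").split(), {}, 0
    while i < len(toks):
        has_value = i + 1 < len(toks) and not toks[i + 1].lstrip("!").startswith("-")
        opts.setdefault(toks[i], toks[i + 1] if has_value else True)  # first -m wins
        i += 2 if has_value else 1
    return opts

def output_rules(dump):
    filt = dump.split("*filter", 1)[1].split("COMMIT", 1)[0]  # filter table only, not nat
    policy = next(l.split()[1] for l in filt.splitlines() if l.startswith(":OUTPUT "))
    rules = [shlex.split(l)[2:] for l in filt.splitlines() if l.startswith("-A OUTPUT ")]
    return policy, rules

def is_local(dst):
    net = ipaddress.ip_network(dst, strict=False)
    return any(net.subnet_of(local) for local in LOCAL_NETS)

def audit(dump):
    # Returns rules that let new traffic leave without Tor, plus a warning if the chain is fail-open.
    policy, rules = output_rules(dump)
    findings = []
    for tokens in rules:
        o = rule_options(tokens)
        if o.get("-j") in ("DROP", "REJECT") and set(o) <= {"-j", "--reject-with"}:
            return findings  # unconditional terminal rule: everything below it is dead
        state = o.get("--state", o.get("--ctstate", "NEW"))
        exempt = "--uid-owner" in o or "NEW" not in state or ("-d" in o and is_local(o["-d"]))
        if o.get("-j") == "ACCEPT" and not exempt:
            findings.append(" ".join(tokens))
    if policy != "DROP":
        findings.append("fail-open: policy %s and no final REJECT/DROP" % policy)
    return findings

# Constructed sample: an abbreviated Amnesia-style filter table that is fail-closed.
SAFE_DUMP = """\
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
```

On a live host, pass the output of iptables-save to audit(); an empty list means every OUTPUT exception is owner-, state- or LAN-scoped and the chain ends fail-closed.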