IPTables transparent configuration

intrigeri intrigeri at boum.org
Wed Nov 17 17:37:35 UTC 2010


Hi,

Curt Shaffer wrote (17 Nov 2010 12:53:27 GMT) :
> sudo iptables -t nat -A PREROUTING -p tcp -s 172.16.10.0/24 -j DNAT --to-destination 10.0.0.23:9040
> sudo iptables -t nat -A PREROUTING -p icmp -s 172.16.10.0/24 -j DNAT --to-destination 10.0.0.23:9040
> sudo iptables -t nat -A PREROUTING -p udp -s 172.16.10.0/24 -j DNAT --to-destination 10.0.0.23:53

Tor is able to transport TCP only.
If you really want these LAN boxes to *only* access the Internet over
Tor, you have to forbid them anything other than TCP.

If I am not mistaken, the rules you are showing us allow any UDP
traffic to go out (without Tor) unless its destination port is !=53.
I'm not sure this is really what you want to achieve.

Feel free to have a look at the firewall we use in T(A)ILS as a source
of inspiration:

    http://git.immerda.ch/?p=amnesia.git;a=blob;f=config/chroot_local-includes/etc/firewall.conf
    http://git.immerda.ch/?p=amnesia.git;a=blob;f=config/chroot_local-includes/etc/firewall6.conf

Bye,
--
  intrigeri <intrigeri at boum.org>
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr-fingerprint.asc
  | Every now and then I get a little bit restless
  | and I dream of something wild.
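As an added example (not from this thread and not the T(A)ILS firewall linked above), here is the gateway ruleset written so that the LAN can reach nothing but Tor: LAN TCP is redirected to the TransPort, LAN DNS to the DNSPort, and everything else from the LAN, UDP and ICMP included, is dropped instead of leaving unproxied. The subnet, Tor host and ports are the values quoted in the thread; the script only prints the rules unless run as root with APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread: transparent Tor gateway rules that
# also forbid the LAN everything Tor cannot carry. Values come from the
# thread; override them via the environment if your setup differs.
LAN_NET="${LAN_NET:-172.16.10.0/24}"
TOR_HOST="${TOR_HOST:-10.0.0.23}"      # host running tor with TransPort/DNSPort
TRANS_PORT="${TRANS_PORT:-9040}"       # tor TransPort
DNS_PORT="${DNS_PORT:-53}"             # tor DNSPort

# Print each rule for review by default; execute it only when APPLY=1.
rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

tor_transparent_rules() {
    # Redirect all LAN TCP to Tor's TransPort and LAN DNS queries to Tor's
    # DNSPort. DNAT happens in PREROUTING, so FORWARD sees the rewritten
    # destination.
    rule -t nat -A PREROUTING -s "$LAN_NET" -p tcp -j DNAT --to-destination "$TOR_HOST:$TRANS_PORT"
    rule -t nat -A PREROUTING -s "$LAN_NET" -p udp --dport 53 -j DNAT --to-destination "$TOR_HOST:$DNS_PORT"
    # Forward only the two flows just redirected. Tor transports TCP only,
    # so the final DROP is what keeps other UDP and ICMP from leaking out
    # around Tor (the quoted rules had no such catch-all).
    rule -A FORWARD -s "$LAN_NET" -d "$TOR_HOST" -p tcp --dport "$TRANS_PORT" -j ACCEPT
    rule -A FORWARD -s "$LAN_NET" -d "$TOR_HOST" -p udp --dport "$DNS_PORT" -j ACCEPT
    rule -A FORWARD -s "$LAN_NET" -j DROP
}

tor_transparent_rules
```

Review the printed rules first; anything the LAN needs that is not TCP or DNS (for example DHCP from this gateway) has to be allowed explicitly before the DROP, or it will be blocked as intended.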