IPTables transparent configuration

Curt Shaffer cshaffer at gmail.com
Wed Nov 17 18:34:42 UTC 2010 

I was looking to send all traffic through Tor. The UDP rule was taken off of the Tor Transparent Configuration documentation. I have Tor DNSPorts and DNSListenAddress set. I realize this was for DNS requests, but I was kinda hoping to pipe everything through. I will look at just dropping all other traffic. 

Thanks for sharing your link to your example config as well!

Curt
On Nov 17, 2010, at 12:37 PM, intrigeri wrote:

> Hi,
> 
> Curt Shaffer wrote (17 Nov 2010 12:53:27 GMT) :
>> sudo iptables -t nat -A PREROUTING -p tcp -s 172.16.10.0/24 -j DNAT --to-destination
>> 10.0.0.23:9040
>> sudo iptables -t nat -A PREROUTING -p icmp -s 172.16.10.0/24 -j DNAT --to-destination
>> 10.0.0.23:9040
>> sudo iptables -t nat -A PREROUTING -p udp -s 172.16.10.0/24 -j DNAT --to-destination
>> 10.0.0.23:53
> 
> Tor is able to transport TCP only.
> If you really want these LAN boxes to *only* access the Internet over
> Tor, you have to forbid them anything other than TCP.
> 
> If I am not mistaken, the rules you are showing us allow any UDP
> traffic to go out (without Tor) unless its destination port is !=53.
> I'm not sure this is really what you want to achieve.
> 
> Feel free to have a look to the firewall we use in T(A)ILS as a source
> of inspiration:
> 
>    http://git.immerda.ch/?p=amnesia.git;a=blob;f=config/chroot_local-includes/etc/firewall.conf
>    http://git.immerda.ch/?p=amnesia.git;a=blob;f=config/chroot_local-includes/etc/firewall6.conf
> 
> Bye,
> --
>  intrigeri <intrigeri at boum.org>
>  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
>  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr-fingerprint.asc
>  | Every now and then I get a little bit restless
>  | and I dream of something wild.
> ***********************************************************************
> To unsubscribe, send an e-mail to majordomo at torproject.org with
> unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3834 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20101117/6d22d14c/attachment.bin>

More information about the tor-talk mailing list