Yet another UDP / DNS question...

tagnaq tagnaq at gmail.com
Sun Feb 13 17:30:13 UTC 2011


On 02/13/2011 05:21 PM, Tomasz Moskal wrote:
> OK, so to wrap it all up last (hopefully!) couple of questions...
> 
> iptables script/rules set:
> 
> #!/bin/sh
> 
> # the UID Tor runs as
> TOR_UID="109"
> 
> iptables -F
> iptables -t nat -F
> 
> # Redirects DNS traffic to the local port 53
> iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
> 
> # Allow a program running with the $TOR_UID to send UDP traffic
> iptables -A OUTPUT -p udp -m owner --uid-owner $TOR_UID -j ACCEPT
Why did you add -p udp here? Tor uses TCP.

> # Block/reject all outgoing UDP traffic
> iptables -A OUTPUT -j REJECT
This rule does not block UDP only, it rejects all traffic including UDP
(if a packet makes its way to the last line).

If this is your full iptables setup it doesn't make much sense to me.
You might have misunderstood my earlier reply.

But let's go one step back:
I'm wondering why one would want to set up DNSPort configuration without
TransPort.
I see two obvious use cases but neither matches yours:

scenario 1)
firefox+polipo+torbutton enabled
in such a setup there is no need for DNSPort + iptables if you are only
worried about firefox traffic

scenario 2)
you want to route all TCP traffic through Tor:
setup includes TransPort + DNSPort Setup (to prevent DNS leaking) +
iptables rules + Torbutton (transparent torification setting)

Could you describe your use case + threat model?

> On my machine Tor seems to have different UID after each restart (at
> least this is what "ps -A | grep -w tor" tells me). How I can force it
> to use always the same UID? According to this thread
> <http://ubuntuforums.org/showthread.php?t=800066a> I can't change it
> when Tor is already running so my guess is I should force it to use
> chosen UID before it will even start.

I wonder why your uid should be different every time you reboot, but you
can also use the name of the user instead of the numerical value.

> I couldn't find (man iptables) anything about "-m owner" - should I
> replace owner with my login or is it to match Tor through --uid-owner
> $TOR_UID?

The word 'owner' after "-m" is _not_ a variable that needs to be
replaced. It is the match extension module name.


***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/
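As an added example (not part of either poster's message), this is the kind of rule set that "scenario 2" above describes: TransPort + DNSPort in torrc plus iptables rules so that every new TCP connection and every DNS query from the box is handed to Tor, and anything else (UDP, ICMP, direct TCP) is rejected. The Tor user name `debian-tor`, `TransPort 9040` and `DNSPort 5353` are assumptions, not values from the thread. It applies the two points raised in the reply: the owner match uses the user name rather than a numeric UID, Tor's own traffic is accepted without a `-p udp` qualifier (Tor speaks TCP), and the trailing REJECT is kept as a deliberate catch-all rather than a "UDP only" block. Without an argument the script only prints the rules it would apply; run it as root with `apply` to install them.

```shell
#!/bin/sh
# Constructed example: transparent torification (TransPort + DNSPort + iptables).
# Assumed torrc settings (not from the thread):
#   TransPort 9040
#   DNSPort   5353
# Assumed Tor user name: debian-tor (use whatever user your Tor runs as).
TOR_USER="${TOR_USER:-debian-tor}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-5353}"

# ipt: run iptables, or just print the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_tor_rules() {
    # Start from empty OUTPUT chains in both tables we manage.
    ipt -F OUTPUT
    ipt -t nat -F OUTPUT

    # nat: Tor's own connections must leave the box directly, never be
    # redirected back into Tor (the owner match uses the user name).
    ipt -t nat -A OUTPUT -m owner --uid-owner "$TOR_USER" -j RETURN
    # nat: local-only traffic is not rewritten.
    ipt -t nat -A OUTPUT -o lo -j RETURN
    # nat: every DNS query (UDP and TCP) goes to Tor's DNSPort, so no
    # resolver on the host can leak names to the real upstream server.
    ipt -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
    ipt -t nat -A OUTPUT -p tcp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
    # nat: every new TCP connection goes to Tor's TransPort.
    ipt -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"

    # filter: the redirected packets now target 127.0.0.1, so loopback
    # must be allowed for them to reach Tor at all.
    ipt -A OUTPUT -o lo -j ACCEPT
    # filter: Tor itself (TCP to guards/bridges) may talk to the network.
    ipt -A OUTPUT -m owner --uid-owner "$TOR_USER" -j ACCEPT
    # filter: replies belonging to connections already accepted above.
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # filter: catch-all. This rejects everything that was not matched above,
    # i.e. all UDP, ICMP and any TCP that escaped the nat REDIRECT.
    ipt -A OUTPUT -j REJECT
}

# Default is a dry run that prints the rules; "apply" installs them.
if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0 apply_tor_rules
else
    DRY_RUN=1 apply_tor_rules
fi
```

To confirm afterwards that nothing bypasses the rules, `iptables -t nat -L OUTPUT -v -n` and `iptables -L OUTPUT -v -n` show per-rule packet counters: a DNS lookup from a non-Tor user should increment the `--dport 53` REDIRECT counter, and any attempted direct UDP send should show up on the final REJECT rule, not disappear silently.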