[tor-talk] DNS query enforcement not working

Raviji raviji157 at gmail.com
Wed Sep 26 09:53:23 UTC 2012


Hello list,

I would like to use Tor's DNSPort (port 53).
I have configured iptables to do the same, as below:

iptables -F
iptables -X
iptables -Z
iptables -t nat -Z 2>/dev/null
iptables -t mangle -Z
iptables -t nat -F
iptables -t mangle -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Established incoming connections are accepted.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Traffic on the loopback interface is accepted.
iptables -A INPUT -i lo -j ACCEPT

# Established outgoing connections are accepted.
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Internal network connections are accepted.
iptables -A OUTPUT -d 127.0.0.0/255.0.0.0 -j ACCEPT

# Local network connections should be passed but DNS shall be
# rejected.
iptables -N lan
iptables -A lan -p TCP --dport domain -j REJECT
iptables -A lan -p UDP --dport domain -j REJECT
iptables -A lan -j ACCEPT

# Sort out traffic to local network
# Note that we exclude the VirtualAddrNetwork used for .onion:s here.
iptables -A OUTPUT -d 192.168.0.0/255.255.0.0 -j lan
iptables -A OUTPUT -d 10.0.0.0/255.0.0.0 -j lan
iptables -A OUTPUT -d 172.16.0.0/255.240.0.0 -j lan

iptables -t nat -A OUTPUT -p udp --dport 53 -m state --state NEW -j REDIRECT --to-ports 53
iptables -t filter -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT

# Everything else is dropped.
iptables -t filter -A OUTPUT ! -o lan -j DROP

# log incoming connection attempts
iptables -A INPUT -p tcp -m tcp -m state --state NEW -j LOG --log-prefix "input(tcp) " -m limit --limit 1/minute
iptables -A INPUT ! -p tcp -j LOG --log-prefix "input(all) " -m limit --limit 1/minute

`````````````````````````````````````````````````````````````

And when I try to ping gmail.com it reports:

ping: sendmsg: Operation not permitted

Where is the bug in the configuration?

Thanks
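To see which rule a given outgoing packet hits under the ruleset above, here is an added example (written for this page, not the poster's script or anything from Tor) that models the posted nat and filter OUTPUT chains in Python for locally generated packets. The address 198.51.100.10 and the sample packets are constructed; the model ignores interface matching and treats the `! -o lan` rule and the DROP policy as one final drop.

```python
import ipaddress
from dataclasses import dataclass

# Simplified model of the posted nat/filter OUTPUT rules (constructed; not iptables).
@dataclass
class Pkt:
    proto: str          # "tcp", "udp" or "icmp"
    dst: str            # destination IPv4 address
    dport: int = 0      # 0 for icmp
    state: str = "NEW"  # conntrack state as seen by -m state

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

LAN_NETS = ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")

def nat_output(p):
    # -t nat -A OUTPUT -p udp --dport 53 -m state --state NEW -j REDIRECT --to-ports 53:
    # for locally generated packets REDIRECT rewrites dst to 127.0.0.1 (Tor's DNSPort).
    if p.proto == "udp" and p.dport == 53 and p.state == "NEW":
        return Pkt(p.proto, "127.0.0.1", p.dport, p.state)
    return p

def lan_chain(p):
    # -A lan -p TCP/UDP --dport domain -j REJECT, then -A lan -j ACCEPT
    if p.proto in ("tcp", "udp") and p.dport == 53:
        return "REJECT"
    return "ACCEPT"

def filter_output(p):
    if p.state in ("RELATED", "ESTABLISHED"):   # -m state --state ... -j ACCEPT
        return "ACCEPT"
    if in_net(p.dst, "127.0.0.0/8"):            # -d 127.0.0.0/255.0.0.0 -j ACCEPT
        return "ACCEPT"
    for net in LAN_NETS:                         # -d <rfc1918 net> -j lan
        if in_net(p.dst, net):
            return lan_chain(p)
    if p.proto == "udp" and p.dport == 53:       # -p udp -m udp --dport 53 -j ACCEPT
        return "ACCEPT"
    return "DROP"  # '! -o lan -j DROP' and the OUTPUT policy both drop the rest

def verdict(p):
    """nat OUTPUT is traversed before filter OUTPUT for locally generated packets."""
    return filter_output(nat_output(p))

if __name__ == "__main__":
    # 198.51.100.10 is a constructed public address (TEST-NET-2), not gmail's.
    for p in (Pkt("udp", "198.51.100.10", 53), Pkt("icmp", "198.51.100.10"),
              Pkt("tcp", "192.168.1.1", 53), Pkt("tcp", "10.0.0.5", 22)):
        print(p, "->", verdict(p))
```

Running it shows that a NEW UDP/53 query is redirected to the local DNSPort and accepted, while an ICMP echo to a public address matches no ACCEPT rule and is dropped, which is what ping reports as "Operation not permitted".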
