[tor-talk] Tor TransparentProxy with iptables breaks connections ?

ml at ruggedinbox.com ml at ruggedinbox.com
Sat Aug 23 18:36:35 UTC 2014


Hello again :)

At https://ruggedinbox.com we are running a 'standard' email server, 
using postfix, dovecot, and so on.

The server is also able to receive and send emails to the onionland, 
thanks to Tor providing DNS resolution for onion addresses and 'unbound' 
for the clearnet.

As you may know, the full setup needs some iptables magic, as documented 
in:
https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
https://lists.torproject.org/pipermail/tor-talk/2014-March/032503.html
https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html

so we run the following rules:
1. iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040
2. iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
3. iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
4. iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP

but it looks like the third rule breaks connections: the mail client 
times out while checking POP mailboxes, randomly but very often.


Do you think it is safe to discard the third and fourth rules?
And if not, do you have other suggestions to be safe and prevent leaks?


Thank you very much for your support.
We look forward to publishing all of ruggedinbox's configuration as soon as 
everything works OK
(and perhaps a 'ruggedinbox distro'),
in order to have a starting base on which to discuss and request 
comments,
which will help people build their own private email server: secure, 
spam-resistant and Tor-aware :)
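A diagnostic for the question above, as an added example that is not part of the original post: zero the OUTPUT chain counters, reproduce the POP timeout, and read back which DROP rule actually absorbed packets before deciding whether rules 3 and 4 can go. The listing embedded in the script is constructed sample output with invented counters; note that the post's rules 2 to 4 show up as filter-chain rules 1 to 3, because rule 1 lives in the nat table.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Constructed sample of what
# `iptables -t filter -vnL OUTPUT --line-numbers` prints for the post's
# filter rules (counters are invented; the ACK,FIN rule has matched 17 packets).
SAMPLE_LISTING='Chain OUTPUT (policy ACCEPT 1043 packets, 98K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
2       17  1020 DROP       tcp  --  *      !lo     !127.0.0.1           !127.0.0.1           tcp flags:0x11/0x11
3        0     0 DROP       tcp  --  *      !lo     !127.0.0.1           !127.0.0.1           tcp flags:0x14/0x14'

tcp_flag_names() {
    # Decode the hex flag byte iptables prints (0x11 -> FIN,ACK).
    bits=$(( $1 ))
    names=""
    for pair in FIN:1 SYN:2 RST:4 PSH:8 ACK:16 URG:32; do
        name=${pair%%:*}; bit=${pair##*:}
        if [ $(( bits & bit )) -ne 0 ]; then names="${names:+$names,}$name"; fi
    done
    printf '%s\n' "$names"
}

dropping_rules() {
    # Read a listing on stdin; print "<rule> <pkts> <match>" for each DROP rule
    # whose packet counter is not zero (large counters carry K/M/G suffixes,
    # so compare against a bare "0" rather than numerically).
    awk 'NR > 2 && $4 == "DROP" && $2 != "0" {
        desc = ""
        for (i = 11; i <= NF; i++) desc = desc (i > 11 ? " " : "") $i
        print $1, $2, desc
    }' | while read -r num pkts desc; do
        case "$desc" in
            "tcp flags:"*)
                # "tcp flags:MASK/CMP": name the bits the rule compares against
                cmp=${desc#*/}
                desc="tcp flags $(tcp_flag_names "$cmp")"
                ;;
        esac
        printf '%s %s %s\n' "$num" "$pkts" "$desc"
    done
}

check_drops_live() {
    # Live use (root, iptables on PATH): zero counters, reproduce, then report.
    iptables -t filter -Z OUTPUT
    printf 'counters zeroed; reproduce the timeout, then press Enter\n'
    read -r reply
    iptables -t filter -vnL OUTPUT --line-numbers | dropping_rules
}

printf '%s\n' "$SAMPLE_LISTING" | dropping_rules
```

On the sample listing this prints `2 17 tcp flags FIN,ACK`, i.e. the post's rule 3 is the one eating packets; a rule with a zero counter is not the cause of the timeouts.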

