[tor-talk] Isolating Proxy and iptables.

ra r.a at posteo.net
Sat May 17 15:55:36 UTC 2014


On Saturday 17 May 2014 16:59:23 Clare ♬ wrote:
> I'm setting up a Tor-based isolating proxy using the 'Anonymizing
> Middlebox' iptables rules specified here:
> https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy i.e.
>
> iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
> iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports 9040
>
> ...and the INPUT, OUTPUT and FORWARD chains are left at the default.
> Would there be any merit to also including the following rules?
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Or are they rendered unnecessary by my current setup?
> Are there any other firewall rules that I should consider in order to
> improve security and ensure that all traffic is torified? Many thanks.


https://bitbucket.org/ra_/tor-gateway/src/367fedb41377570b6b414940a8788bd692931cd4/overlay/etc/iptables.conf?at=master

might help you.

It has been suggested recently to additionally add the blocking rules:

iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

HTH,
Robert
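The following script is an added example written for this page; it is not code from the thread or from the linked tor-gateway repository. It combines the TransparentProxy REDIRECT rules Clare quotes, the default-DROP policies she asks about, and the INVALID drop Robert mentions into one ruleset for the gateway. The interface names (eth1 inside, eth0 upstream), the Tor user name "debian-tor", and the TransPort/DNSPort numbers are assumptions. Two ACCEPT rules that the quoted fragment lacks are included because default DROP policies would otherwise break the setup: the nat REDIRECT turns LAN packets into locally destined ones, so INPUT has to accept them on the internal interface, and OUTPUT has to let the Tor process itself (matched by socket owner) open connections upstream while every other process on the box is denied.

```shell
#!/bin/sh
# Added example: a complete filter + nat ruleset for a Tor "anonymizing
# middlebox". Not from the original thread or the linked tor-gateway repo.
# Assumed (constructed) values: internal interface eth1, upstream eth0,
# Tor runs as user "debian-tor" with TransPort 9040 and DNSPort 53 on the
# internal address. Override any of them through the environment.

INT_IF="${INT_IF:-eth1}"
EXT_IF="${EXT_IF:-eth0}"
TOR_UID="${TOR_UID:-debian-tor}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-53}"

# IPT is the command used to apply rules. Setting it to "echo iptables"
# prints the rules instead of applying them, so the set can be reviewed on
# a machine without root or iptables (see dry_run below).
IPT="${IPT:-iptables}"

tor_gw_rules() {
    # Flush both tables and start from a deny-all posture in the filter table.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # nat/PREROUTING: the TransparentProxy wiki rules. LAN DNS goes to Tor's
    # DNSPort; every new LAN TCP connection goes to Tor's TransPort.
    $IPT -t nat -A PREROUTING -i "$INT_IF" -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
    $IPT -t nat -A PREROUTING -i "$INT_IF" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"

    # INPUT: loopback, drop INVALID before the state accept, then established
    # flows, then the Tor listeners on the LAN side. The last two are needed
    # because REDIRECT makes the LAN packets locally destined, so they pass
    # through INPUT and would be dropped by the default policy.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -p tcp --dport "$TRANS_PORT" -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -p udp --dport "$DNS_PORT" -j ACCEPT

    # OUTPUT: loopback, drop INVALID, established flows, and NEW connections
    # upstream only when the socket belongs to the Tor user. Any other
    # process on the gateway trying to reach the network is dropped, so a
    # misconfigured service cannot leak around Tor.
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$EXT_IF" -m owner --uid-owner "$TOR_UID" -m conntrack --ctstate NEW -j ACCEPT

    # FORWARD is left at DROP: nothing from the LAN may be routed past Tor.
}

# Print the rules instead of applying them (subshell keeps IPT local).
dry_run() {
    ( IPT="echo iptables"; tor_gw_rules )
}

# Number of generated rules containing a given string; lets a reviewer (or a
# test) confirm the shape of the policy without touching the kernel.
rule_count() {
    dry_run | grep -c -- "$1"
}
```

Source the script and call `tor_gw_rules` as root to apply the set, or `dry_run` to print it for review first. The `-m owner` match only exists in the OUTPUT chain, which is exactly where it is needed: it is the one rule that distinguishes Tor's own upstream connections from anything else trying to leave the gateway.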