[tor-talk] Isolating Proxy and iptables.

Clare ♬ clares_pad at live.co.uk
Sat May 17 18:05:38 UTC 2014


Thanks! It's incredibly helpful to see how more experienced users have Tor set up. Sorry again for the poor formatting in my post; no idea what's up with that.

From: r.a at posteo.net
To: tor-talk at lists.torproject.org
Date: Sat, 17 May 2014 17:55:36 +0200
Subject: Re: [tor-talk] Isolating Proxy and iptables.

On Saturday 17 May 2014 16:59:23 Clare ♬ wrote:
> I'm setting up a Tor-based isolating proxy using the 'Anonymizing
> Middlebox' iptables rules specified here:
> https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy i.e.
>
> iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
> iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports 9040
>
> ...and the INPUT, OUTPUT and FORWARD chains are left at the default. Would
> there be any merit to also including the following rules?
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Or are they rendered unnecessary by my current setup?
> Are there any other firewall rules that I should consider in order to
> improve security and ensure that all traffic is torified? Many thanks.

https://bitbucket.org/ra_/tor-gateway/src/367fedb41377570b6b414940a8788bd692931cd4/overlay/etc/iptables.conf?at=master

might help you.

It has been suggested recently to additionally add these blocking rules:
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

HTH,
Robert

-- 
tor-talk mailing list - tor-talk at lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
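Putting the pieces of the thread together, here is an added example (not code from either post, nor from Robert's tor-gateway repository): the wiki's REDIRECT rules, Clare's default-DROP policies and lo/ESTABLISHED,RELATED accepts, and the INVALID drop. The upstream interface EXT_IF, the Tor uid TOR_UID, and the INPUT accepts for the redirected ports are my assumptions; the thread does not specify them, and without the uid-owner rule an OUTPUT DROP policy would block Tor's own connections to relays.

```shell
#!/bin/sh
# Added example for a fail-closed Tor isolating proxy (not from the thread).
# Assumptions not stated in the thread: EXT_IF is the upstream interface,
# TOR_UID is the user Tor runs as, Tor has TransPort 9040 and DNSPort 53.
# Set IPT=echo to print the ruleset instead of applying it (dry run).
IPT=${IPT:-iptables}
INT_IF=${INT_IF:-eth1}
EXT_IF=${EXT_IF:-eth0}
TOR_UID=${TOR_UID:-debian-tor}
TRANS_PORT=9040
DNS_PORT=53

apply_rules() {
    # Start from default-deny in all three chains, as Clare proposed.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP   # nothing is ever routed around Tor
    $IPT -P OUTPUT DROP

    # Transparent redirection from the wiki: client DNS to Tor's DNSPort,
    # client TCP connection attempts to Tor's TransPort.
    $IPT -t nat -A PREROUTING -i "$INT_IF" -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
    $IPT -t nat -A PREROUTING -i "$INT_IF" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"

    # Drop packets conntrack cannot classify (the rule Robert mentions);
    # -m state --state INVALID is the legacy spelling of the same match.
    $IPT -A INPUT  -m conntrack --ctstate INVALID -j DROP
    $IPT -A OUTPUT -m conntrack --ctstate INVALID -j DROP

    # INPUT: after REDIRECT the client packets are delivered locally and
    # traverse INPUT, so with a DROP policy they must be accepted here or
    # the proxy silently stops working.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -p tcp --dport "$TRANS_PORT" -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -p udp --dport "$DNS_PORT" -j ACCEPT

    # OUTPUT: only the Tor process may open new connections upstream.
    # Clare's OUTPUT DROP plus ESTABLISHED,RELATED alone would also
    # block Tor itself, so this is the rule that makes the policy usable.
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$EXT_IF" -m owner --uid-owner "$TOR_UID" -j ACCEPT
}

if [ -n "$APPLY" ]; then
    apply_rules
fi
```

Run with IPT=echo to review the generated rules without touching the firewall; the rules are applied only when APPLY=1 is set.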