[tor-relays] iptables changes required to advertise on 80 and 443 and bind to different ports.
Tschador
tschador at posteo.de
Sun Oct 13 07:01:44 UTC 2013
On 2013-10-13 06:42, Tor Operator wrote:
> My current iptables looks like this:
>
> # Generated by iptables-save v1.4.7 on Sat Oct 12 13:52:47 2013
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 9030 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> -A OUTPUT -j ACCEPT
> COMMIT
What are the real listening ports of Tor?
> I tried adding the following rules without success:
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-ports 10091
> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 443 -j REDIRECT --to-ports 10090
These rules look ok, but if you use ports 10090/10091 you have to enable
them too (not 9001/9030 like above):
iptables -A INPUT -p tcp -m tcp --dport 10090 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 10091 -j ACCEPT
Verify that Tor is listening on the desired port:
'netstat -plnt|grep tor'
Check your 'torrc' for the following lines:
ORPort 443
ORListenAddress 0.0.0.0:10090
DirPort 80
DirListenAddress 0.0.0.0:10091
And - like elrippo said: the iptables policy should be 'DROP':
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
Check it out: 'iptables -L -nv'.
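A defender-side consistency check for the mismatch diagnosed in this reply, added here as an example and not part of the thread: it parses an iptables-save dump, reports every nat REDIRECT whose target port the filter INPUT chain never accepts, and flags chains whose default policy is not DROP. The dump below is constructed to reproduce the poster's situation (80/443 redirected to 10091/10090 while INPUT still only accepts 9001/9030).

```python
import re

# Constructed iptables-save dump modelled on the thread: the nat REDIRECTs send
# 80/443 to 10091/10090, but filter INPUT still accepts only 9001/9030.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-ports 10091
-A PREROUTING -p tcp -i eth0 --dport 443 -j REDIRECT --to-ports 10090
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9030 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
REDIRECT_RE = re.compile(r"^-A PREROUTING .*--dport (\d+) -j REDIRECT --to-ports (\d+)")
ACCEPT_RE = re.compile(r"^-A INPUT .*-p tcp .*--dport (\d+) -j ACCEPT$")
POLICY_RE = re.compile(r"^:(INPUT|FORWARD|OUTPUT) (\w+) ")

def audit_rules(dump):
    """Return problems: REDIRECT targets INPUT never accepts, and filter
    chains whose default policy is not DROP. Empty list means consistent."""
    table, redirects, accepted, policies = None, {}, set(), {}
    for line in dump.splitlines():
        if line.startswith("*"):          # table header: *nat / *filter
            table = line[1:]
        elif table == "nat" and REDIRECT_RE.match(line):
            m = REDIRECT_RE.match(line)
            redirects[int(m.group(1))] = int(m.group(2))  # public -> local
        elif table == "filter" and ACCEPT_RE.match(line):
            accepted.add(int(ACCEPT_RE.match(line).group(1)))
        elif table == "filter" and POLICY_RE.match(line):
            chain, policy = POLICY_RE.match(line).groups()
            policies[chain] = policy
    problems = []
    for public, local in sorted(redirects.items()):
        if local not in accepted:  # INPUT is evaluated on the post-NAT port
            problems.append(f"port {public} is redirected to {local}, "
                            f"but INPUT has no ACCEPT for {local}")
    for chain, policy in sorted(policies.items()):
        if policy != "DROP":
            problems.append(f"{chain} policy is {policy}, not DROP")
    return problems
```

Feed it the real output of `iptables-save` to check a live host; fixing the INPUT ports to 10090/10091 and setting the policies to DROP, as the reply suggests, brings the report down to an empty list.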