iptables and tor

Csaba Kiraly kiraly at dit.unitn.it
Sun Feb 10 18:49:26 UTC 2008


M wrote:
>>> On Sat, Feb 09, 2008 at 07:07:26PM -0500, dante at virtualblueness.net wrote 0.8K bytes in 21 lines about:
>>> : Has anyone given any thought as to what firewall rules to use on a linux
>>> : system running a tor server?  Besides the usual attacks against the
>> In general, how would you protect a server with a public IP without tor?  
>>
>
> Common "default deny and allow only specified" rules which is used by
> any admin who has common sense? Can't think of anything else.
>
> Only allow incoming tcp traffic to Tor's dir- and listeningport and deny
> everything else?
>
> M
The packets coming in on Tor TLS tunnels are destined for your node. 
They go up the stack through TCP and TLS to the Tor application itself. 
Tor does its AES CTR encryption on the cells coming out of these 
streams, and puts them in other streams based on the circuit labels. 
Here they get TLS'd, packed into TCP segments and go out.
This means that packets going out after relaying have nothing to do with 
packets coming in, so I don't think marking makes any difference. This 
is clearly a positive point of Tor.

What you could do is to allow Tor's ports (defaults or the ones defined 
in your torrc) to pass through your firewall, and deny/shadow others. 
You can also do some TCP stuff on these ports, trying to add some DoS 
resistance, change priority (see the post 
http://archives.seul.org/or/talk/Feb-2008/msg00047.html ), correct some 
TCP misbehavior, etc.

Otherwise, configure your exit policy well in the torrc, and hope that 
Tor respects it ;-) ... OK, it is open source, so you can even be sure 
about it :-)

Csaba
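The "default deny, allow only Tor's ports" approach that M and Csaba describe, written out as a reviewable iptables rule set. This is an added example, not code from either poster or from the Tor project. It assumes the Tor defaults (ORPort 9001, DirPort 9030; change them to match your torrc), an SSH port of 22, and the hashlimit values shown, all of which are assumptions. The hashlimit rule is one concrete form of the "DoS resistance" Csaba mentions: it drops new-connection bursts from a single source address before they reach Tor. The script prints the rules by default and only applies them with `--apply`, so the result can be inspected first; it covers IPv4 only, and an ip6tables set would be needed alongside it.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny INPUT policy that admits
# only Tor's ORPort and DirPort plus SSH. Ports and limits are assumptions;
# set OR_PORT/DIR_PORT to whatever your torrc actually uses.

OR_PORT="${OR_PORT:-9001}"     # Tor default ORPort (assumption: matches torrc)
DIR_PORT="${DIR_PORT:-9030}"   # Tor default DirPort (assumption: matches torrc)
SSH_PORT="${SSH_PORT:-22}"     # admin access; assumption

# Emit the rule set instead of applying it, so it can be reviewed or diffed.
tor_firewall_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport $OR_PORT -m conntrack --ctstate NEW -m hashlimit --hashlimit-name tor-or --hashlimit-mode srcip --hashlimit-above 30/minute --hashlimit-burst 30 -j DROP
iptables -A INPUT -p tcp --dport $OR_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport $DIR_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -j DROP
EOF
}

# Sanity check before applying: list every TCP port the rule set opens.
# Anything beyond SSH, ORPort and DirPort here means the rules drifted.
allowed_ports() {
    echo $(tor_firewall_rules | sed -n 's/.*--dport \([0-9]*\) .*-j ACCEPT$/\1/p')
}

if [ "${1:-}" = "--apply" ]; then
    tor_firewall_rules | sh      # needs root
else
    tor_firewall_rules
fi
```

Run it without arguments to see the rules, check that `allowed_ports` reports only the ports you meant to expose, then run with `--apply` as root. The ESTABLISHED,RELATED rule is what lets Tor's outbound circuits and exit traffic receive replies under a DROP default policy; without it the relay would open connections it could never complete.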
