Tor/Iptables Question
Ringo
2600denver at gmail.com
Thu Aug 20 13:34:23 UTC 2009
Ok so I added this one (which seemed like the only one that would open
things up) and still no luck:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Here's an export of my current rules:
# Generated by iptables-save v1.4.1.1 on Thu Aug 20 09:28:22 2009
*filter
:INPUT ACCEPT [9850:7346270]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10373:5920044]
-A INPUT -p tcp -j DROP
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner torify -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9050 -j ACCEPT
-A OUTPUT -o lo -p tcp -m owner --uid-owner torify -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -p tcp -m tcp --dport 8888 -j ACCEPT
COMMIT
# Completed on Thu Aug 20 09:28:22 2009
# Generated by iptables-save v1.4.1.1 on Thu Aug 20 09:28:22 2009
*nat
:PREROUTING ACCEPT [15:3124]
:POSTROUTING ACCEPT [451:36176]
:OUTPUT ACCEPT [428:34740]
-A OUTPUT -m owner --uid-owner torify -j DNAT --to-destination 127.0.0.1
-A OUTPUT -m owner --uid-owner torify -j DNAT --to-destination 127.0.0.1
-A OUTPUT -m owner --uid-owner torify -j DNAT --to-destination 127.0.0.1
-A OUTPUT -m owner --uid-owner torify -j DNAT --to-destination 127.0.0.1
COMMIT
# Completed on Thu Aug 20 09:28:22 2009
Kyle Williams wrote:
> Maybe this will work for you. FYI, I changed your iptables rules some and
> recalled the rest from memory, so it's iffy.
> ------------------------------------------------------------------------------------------------------------------------
> #allow connections to privoxy
> iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner torify -j ACCEPT
> #allow connections to Tor
> iptables -A OUTPUT -o lo -p tcp --dport 9050 -j ACCEPT
> #allow any existing or related connections
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> #allow Tor to access hidden service, virtual machine
> iptables -A OUTPUT -o lo -p tcp --dport 8888 -j ACCEPT
>
> #re-route all outbound traffic from user "torify" to localhost
> # MAKE SURE YOUR TransPort and DNSPort MATCH WHAT TOR IS USING
> #Tor's TransPort, to handle all traffic transparently
> iptables -t nat -A OUTPUT -m owner --uid-owner torify -j REDIRECT --to 9095
> #Tor's DNSPort, to handle DNS lookups
> iptables -t nat -A OUTPUT -m owner --uid-owner torify -p udp --dport 53 -j REDIRECT --to 9035
>
> #drop all traffic to localhost from localhost
> iptables -A OUTPUT -o lo -p tcp -m owner --uid-owner torify -j REJECT
> #disallow all external incoming connections
> iptables -A INPUT -p tcp -j DROP
> iptables -A INPUT -p udp -j DROP
> iptables -A INPUT -p icmp -j DROP
> ------------------------------------------------------------------------------------------------------------------------
>
> Hope that helps/works.
>
> - Kyle
>
>
> On Thu, Aug 20, 2009 at 4:55 AM, Ringo <2600denver at gmail.com> wrote:
>
>> I've run into a problem. My model is that a user "torify" has all
>> traffic forwarded to localhost. From there, it should all be dropped
>> except connections to privoxy (port 8118). It all works up until the
>> last iptables command. I assume this is blocking all incoming traffic,
>> including traffic I've initiated, but I could be interpreting it wrong.
>> I can't connect to any websites, but I can send requests out. Is there
>> anything obvious I'm missing or something I should add?
>>
>> #allow connections to privoxy
>> iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner torify -j ACCEPT
>> #allow connections to Tor
>> iptables -A OUTPUT -o lo -p tcp --dport 9050 -j ACCEPT
>> #re-route all outbound traffic to localhost
>> iptables -t nat -A OUTPUT -m owner --uid-owner torify -j DNAT --to-destination 127.0.0.1
>> #drop all traffic to localhost from localhost
>> iptables -A OUTPUT -o lo -p tcp -m owner --uid-owner torify -j REJECT
>> #allow Tor to access hidden service, virtual machine
>> iptables -A OUTPUT -o lo -p tcp --dport 8888 -j ACCEPT
>> #disallow all external incoming connections
>> sudo iptables -A INPUT -p TCP -j DROP
>>
>> Thanks for any help you all can offer. I know this stuff may seem basic
>> to a lot of people but it's complicated for me and I'm trying to help
>> hidden service operators here who know even less than I.
>>
>> Ringo
>>
>> Kyle Williams wrote:
>>> I believe if you just remove --dport, then everything (all ports) is
>>> assumed.
>>>
>>> On Wed, Aug 19, 2009 at 1:01 PM, Ringo <2600denver at gmail.com> wrote:
>>>
>>>> "I prevent all users other than root from connecting to the Tor Control
>>>> port with an
>>>>> iptables rule which looks like this:
>>>>>
>>>>> iptables -A OUTPUT -o lo -p tcp --dport 9051 -m owner ! --uid-owner root -j REJECT"
>>>>
>>>> Thanks! That should work perfectly. Is there any way to make dport a
>>>> wildcard?
>>>>
>>>> Ringo
>>>>
>
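Why appending the ESTABLISHED rule did not help: iptables walks a chain top to bottom and stops at the first terminal match, and `-A` appends, so the new ACCEPT landed behind the `-A INPUT -p tcp -j DROP` that is already first in the export above, and every reply packet is still dropped. The Python script below is an added example, not code from the thread; it parses an iptables-save dump and flags ACCEPT rules that can never fire because a blanket DROP or REJECT covering their protocol precedes them (the two embedded rule sets are constructed from the INPUT chain above).

```python
import shlex

# Constructed sample: the filter INPUT chain exactly as in the iptables-save
# export above; the appended ESTABLISHED rules sit *after* the blanket DROP.
POSTED = """\
*filter
-A INPUT -p tcp -j DROP
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
# Same rules with the stateful ACCEPT ahead of the DROP (what `-I INPUT 1` gives).
REORDERED = """\
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -j DROP
COMMIT
"""

def parse_dump(dump):
    """Return {table: {chain: [[token, ...], ...]}} from iptables-save text."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A"):
            toks = shlex.split(line)
            tables.setdefault(table, {}).setdefault(toks[1], []).append(toks[2:])
    return tables

def _opt(toks, flag):
    return toks[toks.index(flag) + 1] if flag in toks else None

def _is_blanket(rule):
    """Terminal DROP/REJECT whose only match is (at most) the protocol."""
    flags = {t for t in rule if t.startswith("-")}
    return _opt(rule, "-j") in ("DROP", "REJECT") and flags <= {"-p", "-j", "--reject-with"}

def find_shadowed(dump, table="filter"):
    """Return 1-based (chain, blocker, shadowed) pairs for every ACCEPT that can
    never fire because a blanket DROP/REJECT covering its protocol precedes it."""
    found = []
    for chain, rules in parse_dump(dump).get(table, {}).items():
        for i, rule in enumerate(rules, 1):
            if _is_blanket(rule):
                proto = _opt(rule, "-p")  # None: the blocker covers every protocol
                for j, later in enumerate(rules[i:], i + 1):
                    if _opt(later, "-j") == "ACCEPT" and (proto is None or _opt(later, "-p") in (None, proto)):
                        found.append((chain, i, j))
    return found
```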