Tor/Iptables Question

Renato Callado Borges renato.oferenda at gmail.com
Sat Aug 22 00:31:14 UTC 2009


On Fri, Aug 21, 2009 at 08:07:30PM -0400, Ringo wrote:
> "You're dropping all incoming TCP traffic! This must be switched.
> And you should use conntrack (it replaces state)."
> 
> Good point! I gave the following config a test. Here's what --list-rules
> gave me.
> 
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -j DROP
> -A INPUT -p udp -j DROP
> -A INPUT -p icmp -j DROP
> -A OUTPUT -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner torify
> -j ACCEPT
> -A OUTPUT -o lo -p tcp -m tcp --dport 9050 -j ACCEPT
> -A OUTPUT -o lo -p tcp -m tcp --dport 8118 -j ACCEPT
> -A OUTPUT -o lo -p tcp -m tcp --dport 8888 -j ACCEPT
> -A OUTPUT -o lo -p tcp -m owner --uid-owner torify -j REJECT
> --reject-with icmp-port-unreachable
> 
> The main user "user" can browse the internet just fine (yay!) and
> "torify" can't connect to anything (yay!), even privoxy on localhost
> (sad). Unfortunately, no user on the computer can reach privoxy. I
> confirmed it was up and running, and that tor was. A wget using it as a
> proxy just says "connecting" and never gets past that. I also tried
> restarting privoxy/tor just to be sure they weren't flaking and that
> didn't seem to be it.
> 
> Any ideas?

I know this thread has been going on for some time, but I haven't read it before, too busy. If I'm repeating something already said, or ignoring some constraint not present in this latest message, I apologise.

AFAIK, you need to be able to create connections from your machine to itself. You can check this need by running "netstat -tc" on a working torified browsing session. You should see some "localhost" to "localhost" connections.

Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 localhost:33435         localhost:8118          ESTABLISHED

These connections, to my knowledge, are done via the loopback interface. So you need this rule:

/sbin/iptables -I INPUT 1 -i lo -j ACCEPT

This rule will go right at the top of the iptables rules (-I = Insert), and it ACCEPTS every packet that enters through your "lo" (loopback) network interface, which is used for internal communications.

Hope it helps.
[]s

> 
> Ringo
> 
> Simon Ruderich wrote:
> > On Thu, Aug 20, 2009 at 09:34:23AM -0400, Ringo wrote:
> >> Ok so I added this one (which seemed like the only one that would open
> >> things up) and still no luck:
> >> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >>
> >> Here's an export of my current rules:
> >>
> >> # Generated by iptables-save v1.4.1.1 on Thu Aug 20 09:28:22 2009
> >> *filter
> >> :INPUT ACCEPT [9850:7346270]
> >> :FORWARD ACCEPT [0:0]
> >> :OUTPUT ACCEPT [10373:5920044]
> >> -A INPUT -p tcp -j DROP
> >> -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
> >> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > 
> > You're dropping all incoming TCP traffic! This must be switched.
> > And you should use conntrack (it replaces state).
> > 
> >     -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> >     -A INPUT -j DROP
> > 
> > But I'm not sure if this is necessary at all. You could accept
> > all incoming traffic.
> > 
> >> -A OUTPUT -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner torify -j ACCEPT
> >> -A OUTPUT -o lo -p tcp -m tcp --dport 9050 -j ACCEPT
> >> -A OUTPUT -o lo -p tcp -m owner --uid-owner torify -j REJECT --reject-with icmp-port-unreachable
> >> -A OUTPUT -o lo -p tcp -m tcp --dport 8888 -j ACCEPT
> >> COMMIT
> >>
> >> [snip]
> > 
> > I haven't tested it so I'm not sure it will work.
> > 
> > Hope this helps,
> > Simon

-- 
Renato 字. []'s, RCB.
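Added example, not from the thread and not Renato's or Ringo's code: a small first-match simulator, in bash, for the filter rules Ringo pasted above. It walks a chain the way iptables does (first fully matching rule wins, otherwise the chain policy) and shows why a new connection to privoxy on localhost:8118 is dropped until "-i lo -j ACCEPT" sits at the top of INPUT. Only the match options that appear in the posted rules are understood; the user name "user", the interface "eth0" and port 22 in the extra checks are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the thread: a tiny first-match simulator for the
# filter-table rules Ringo pasted, to show why a new loopback connection to
# privoxy is dropped until "-i lo -j ACCEPT" sits at the top of INPUT.
# It understands only the match options that appear in the posted rules.

# Ringo's rules, as pasted (iptables --list-rules output, wrapped lines joined).
RULES_BROKEN='
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -p udp -j DROP
-A INPUT -p icmp -j DROP
-A OUTPUT -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner torify -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9050 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 8118 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 8888 -j ACCEPT
-A OUTPUT -o lo -p tcp -m owner --uid-owner torify -j REJECT --reject-with icmp-port-unreachable
'

# The same rule set after "/sbin/iptables -I INPUT 1 -i lo -j ACCEPT":
# the loopback rule now precedes every other INPUT rule.
RULES_FIXED="-A INPUT -i lo -j ACCEPT
$RULES_BROKEN"

# verdict RULES CHAIN IFACE PROTO DPORT CTSTATE UID
# Walks CHAIN in order; the first rule whose every option matches decides,
# otherwise the chain policy (-P) applies, as iptables does.
verdict() {
  local rules=$1 chain=$2 iface=$3 proto=$4 dport=$5 ctstate=$6 uid=$7
  local policy=ACCEPT line ok target
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    set -- $line
    case $1 in
      -P) [ "$2" = "$chain" ] && policy=$3; continue ;;
      -A) [ "$2" = "$chain" ] || continue ;;
      *)  continue ;;
    esac
    shift 2
    ok=1 target=
    while [ $# -gt 0 ]; do
      case $1 in
        -i|-o)       [ "$2" = "$iface" ] || ok=0; shift 2 ;;
        -p)          [ "$2" = "$proto" ] || ok=0; shift 2 ;;
        --dport)     [ "$2" = "$dport" ] || ok=0; shift 2 ;;
        --uid-owner) [ "$2" = "$uid" ]   || ok=0; shift 2 ;;
        --ctstate)   case ",$2," in *",$ctstate,"*) ;; *) ok=0 ;; esac; shift 2 ;;
        -j)          target=$2; shift 2 ;;
        -m|--reject-with) shift 2 ;;   # module loads and reject type: no effect on matching
        *)           shift ;;
      esac
    done
    if [ "$ok" = 1 ]; then echo "$target"; return 0; fi
  done <<EOF
$rules
EOF
  echo "$policy"
}

# A wget on localhost talking to privoxy: the SYN leaves via OUTPUT on lo and
# immediately re-enters via INPUT on lo as a NEW connection.
show() {
  printf '%-8s %-6s lo tcp/8118 NEW -> INPUT %s\n' "$1" "$2" \
    "$(verdict "$3" INPUT lo tcp 8118 NEW "$2")"
}
show broken torify "$RULES_BROKEN"   # DROP: conntrack rule wants ESTABLISHED, then "-p tcp -j DROP" hits
show fixed  torify "$RULES_FIXED"    # ACCEPT: the "-i lo" rule matches first
# The loopback rule does not reopen the outside: a fresh SYN on eth0 still hits the TCP drop.
printf 'fixed    user   eth0 tcp/22 NEW -> INPUT %s\n' \
  "$(verdict "$RULES_FIXED" INPUT eth0 tcp 22 NEW user)"
```

Running it prints DROP for the broken set and ACCEPT for the fixed one, which matches the "connecting" hang Ringo saw: the SYN never reaches privoxy because INPUT sees it as NEW, not ESTABLISHED. The same walk over the OUTPUT chain is worth doing yourself: every posted OUTPUT rule carries "-o lo", so the REJECT for torify only covers loopback and the policy decides for other interfaces, a point the thread itself does not discuss.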
