[tor-talk] system-wide tor successful

Raviji raviji157 at gmail.com
Fri Sep 28 12:40:09 UTC 2012


Hello,

I like to share with you all that my system-wide tor is successful.
I am not confident about the benefit of polipo/privoxy ; pdnsd, ttdnsd.
I just use tor and its DNSPort (port 53)  without any caching DNS server as well as proxy.

At /etc/resolv.conf set name server to 127.0.0.1

I have configured iptables to route all traffic through tor except lo and lan.
But the lan packets are still dropped. I'm trying to fix it.
Any modification is very much welcome. What tools can be used to test the system
against DNS leak etc.. ? Your ideas are welcome.


iptables -F
iptables -X
iptables -Z
iptables -t nat -Z 2>/dev/null
iptables -t mangle -Z
iptables -t nat -F
iptables -t mangle -F

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

    # Established incoming connections are accepted.
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Traffic on the loopback interface is accepted.
    iptables -A INPUT -i lo -j ACCEPT

    #accept icmp
    iptables -A OUTPUT -j ACCEPT -p icmp

    # Established outgoing connections are accepted.
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Internal network connections are accepted.
    iptables -A OUTPUT -d 127.0.0.0/255.0.0.0 -j ACCEPT

    # Local network connections should not go through Tor but DNS shall be
    # rejected.
    iptables -N lan
    iptables -A lan -p TCP --dport domain -j REJECT
    iptables -A lan -p UDP --dport domain -j REJECT
    iptables -A lan -j ACCEPT

    # Sort out traffic to local network
    # Note that we exclude the VirtualAddrNetwork used for .onion:s here.
    iptables -A OUTPUT -d 192.168.0.0/255.255.0.0 -j lan
    iptables -A OUTPUT -d 10.0.0.0/255.0.0.0 -j lan
    iptables -A OUTPUT -d 172.16.0.0/255.240.0.0 -j lan


iptables -t nat -A OUTPUT ! -o lo -p tcp  -m tcp -j REDIRECT --to-ports 9040
iptables -t nat -A OUTPUT -p udp --dport 53 -m state --state NEW -j REDIRECT --to-ports 53
iptables -t filter -A OUTPUT -p tcp -m tcp --dport 9040 -j ACCEPT
iptables -t filter -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT



    # Everything else is dropped.
    iptables -t filter -A OUTPUT ! -o lan -j DROP
    iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

    # log incomming connection attempts
    iptables -A INPUT -p tcp -m tcp -m state --state NEW -j LOG --log-prefix "input(tcp) " -m limit --limit 1/minute
    iptables -A INPUT ! -p tcp -j LOG --log-prefix "input(all) " -m limit --limit 1/minute

    # some kernel enhancement

    # ; ignore broadcast
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 

    # ; disable forwarding
    echo 0 > /proc/sys/net/ipv4/ip_forward

    # ; enable tcp syn cookie protection
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
 
    # ; ignore buggus icmp responses
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    # ; ignore all icmp
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all 

    # ; ip spoofing protection
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > $f
    done

    # Don't accept or send ICMP redirects.
    for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
    for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done

    # Disable Source Routed Packets
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
      echo 0 > $f
    done 

    # ; Log martian
    for f in /proc/sys/net/ipv4/conf/*/log_martians; do
      echo 1 > $f
    done

    # Disable proxy_arp.
    for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done

    # Reduce number of possible SYN Floods
    echo "512" >/proc/sys/net/ipv4/tcp_max_syn_backlog



More information about the tor-talk mailing list