[tor-talk] system-wide tor successful
Raviji
raviji157 at gmail.com
Fri Sep 28 12:40:09 UTC 2012
Hello,
I like to share with you all that my system-wide tor is successful.
I am not confident about the benefit of polipo/privoxy ; pdnsd, ttdnsd.
I just use tor and its DNSPort (port 53) without any caching DNS server as well as proxy.
At /etc/resolv.conf set name server to 127.0.0.1
I have configured iptables to route all traffic through tor except lo and lan.
But the lan packets are still dropped. I'm trying to fix it.
Any modification is very much welcome. What tools can be used to test the system
against DNS leak etc.. ? Your ideas are welcome.
iptables -F
iptables -X
iptables -Z
iptables -t nat -Z 2>/dev/null
iptables -t mangle -Z
iptables -t nat -F
iptables -t mangle -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Established incoming connections are accepted.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Traffic on the loopback interface is accepted.
iptables -A INPUT -i lo -j ACCEPT
#accept icmp
iptables -A OUTPUT -j ACCEPT -p icmp
# Established outgoing connections are accepted.
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Internal network connections are accepted.
iptables -A OUTPUT -d 127.0.0.0/255.0.0.0 -j ACCEPT
# Local network connections should not go through Tor but DNS shall be
# rejected.
iptables -N lan
iptables -A lan -p TCP --dport domain -j REJECT
iptables -A lan -p UDP --dport domain -j REJECT
iptables -A lan -j ACCEPT
# Sort out traffic to local network
# Note that we exclude the VirtualAddrNetwork used for .onion:s here.
iptables -A OUTPUT -d 192.168.0.0/255.255.0.0 -j lan
iptables -A OUTPUT -d 10.0.0.0/255.0.0.0 -j lan
iptables -A OUTPUT -d 172.16.0.0/255.240.0.0 -j lan
iptables -t nat -A OUTPUT ! -o lo -p tcp -m tcp -j REDIRECT --to-ports 9040
iptables -t nat -A OUTPUT -p udp --dport 53 -m state --state NEW -j REDIRECT --to-ports 53
iptables -t filter -A OUTPUT -p tcp -m tcp --dport 9040 -j ACCEPT
iptables -t filter -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
# Everything else is dropped.
iptables -t filter -A OUTPUT ! -o lan -j DROP
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
# log incomming connection attempts
iptables -A INPUT -p tcp -m tcp -m state --state NEW -j LOG --log-prefix "input(tcp) " -m limit --limit 1/minute
iptables -A INPUT ! -p tcp -j LOG --log-prefix "input(all) " -m limit --limit 1/minute
# some kernel enhancement
# ; ignore broadcast
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# ; disable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
# ; enable tcp syn cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# ; ignore buggus icmp responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# ; ignore all icmp
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# ; ip spoofing protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Don't accept or send ICMP redirects.
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# ; Log martian
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
# Disable proxy_arp.
for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done
# Reduce number of possible SYN Floods
echo "512" >/proc/sys/net/ipv4/tcp_max_syn_backlog
More information about the tor-talk
mailing list