[tor-talk] iptables rules
CJ
tor at tengu.ch
Wed Oct 22 04:40:34 UTC 2014
Whoops, didn't see the last row mentioning the debian-tor user, my bad :(
Good to know about NTP, I'll add it to my own stuff later.
Sorry for the noise, being sick doesn't help much reading iptables rules :/
On 10/21/2014 07:57 PM, elrippo wrote:
> Hmmm, at point 5.f.) that's exactly what I propose. Please do not forget
> to let your relay do the NTP without TOR, because of the latency.
>
> Read down below....
>
> ---------------------------------------------------------------------------------------------------
>
> f.) Now let's configure our second scenario, where the middlebox is
> handing over to Tor, acting as an ExitRelay and the traffic of the
> router is also handed to Tor.
>
> /etc/tor/torrc
>
> VirtualAddrNetworkIPv4 172.16.0.0/12
> TransPort 9040
> TransPort 192.168.100.1:9040
> TransPort 192.168.200.1:9040
> AutomapHostsOnResolve 1
> DNSPort 9053
> DNSPort 192.168.100.1:9053
> DNSPort 192.168.200.1:9053
> SocksPort 127.0.0.1:9050
> ControlPort 9051
> HashedControlPassword 16:somewilddigitsofsomekindofnumbers
> ORPort 9001
> Nickname PickYourNicknameLikeCounterNSAServer
> ContactInfo Random Person somename at somedomain.tld
> DirPort 9030
> DirPortFrontPage /path/to/your/tor-exit-notice.html
> ExitPolicy accept *:22,accept *:80,accept *:443,reject *:*
>
> /etc/firewall/tor-only.bash
>
> #!/bin/bash
>
> modprobe ip_tables
> modprobe ip_nat_ftp
> modprobe ip_nat_irc
> modprobe ip_conntrack
> modprobe ip_conntrack_irc
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp
> modprobe ipt_limit
> modprobe ipt_multiport
> modprobe iptable_mangle
> modprobe ipt_state
> modprobe iptable_filter
> modprobe iptable_nat
> modprobe ipt_REJECT
> modprobe ipt_LOG
> modprobe xt_recent
> modprobe ipt_mac
>
> ####################################################################
> # Remove all rules
> iptables -F
> iptables -X
> iptables -t nat -F
>
> ####################################################################
> # First set the default behaviour
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> ################################################################################
> # INPUT INCOMING rules for ALL INTERFACES #
> ################################################################################
> # ALLOW ESTABLISHED and RELATED incoming connections
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> ################################################################################
> # OUTPUT OUTGOING rules for ALL INTERFACES #
> ################################################################################
> iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> ################################################################################
> # ALLOW self communication
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> ################################################################################
> # ALLOW incoming connections on our internal interfaces
> iptables -A INPUT -i eth1 -j ACCEPT
> iptables -A INPUT -i wlan0 -j ACCEPT
>
> iptables -t nat -A PREROUTING -i eth1 -p udp -m udp --dport 123 -j REDIRECT --to-ports 123
> iptables -t nat -A PREROUTING -i eth1 -p udp --dport 53 -j REDIRECT --to-ports 9053
> iptables -t nat -A PREROUTING -i eth1 -p tcp --syn -j REDIRECT --to-ports 9040
> iptables -t nat -A PREROUTING -i wlan0 -p udp -m udp --dport 123 -j REDIRECT --to-ports 123
> iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 9053
> iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
>
> iptables -t nat -A OUTPUT -o lo -j RETURN
> iptables -t nat -A OUTPUT -m owner --uid-owner "debian-tor" -j RETURN
> iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 9053
> iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
>
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m owner --uid-owner "debian-tor" -j ACCEPT
> for NET in 127.0.0.0/8; do
>     iptables -A OUTPUT -d $NET -j ACCEPT
> done
> iptables -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
> iptables -A OUTPUT -j REJECT
>
> Make this script executable and load it on system start. This script
> assumes that the Tor instance is also started at system start.
>
> I hope you had some fun anonymizing your traffic :D
>
> Read you later ;)
>
> ---------------------------------------------------------------------------------------------------
>
> On Tuesday, 21 October 2014, 07:41:15 CJ wrote:
>
>> On 10/20/2014 06:09 PM, Elrippo wrote:
>> > Try https://elrippoisland.net/public/how_to/anonymity.html
>>
>> hmm, there are some issues with the proposed iptables rules…
>> I'd rather read Mike's blog post[1] and take his scripts in order to
>> lock the OUTPUT chain for good, allowing only debian-tor user traffic to go
>> out. Sadly you won't be able to filter out traffic as on Android, as
>> most of the applications will run with your own user. But Tor does have
>> its dedicated user, so some magic is still possible in order to prevent
>> any leak.
>>
>> Something like that *should* be OK:
>>
>> # lock down network
>> $ipt -P OUTPUT DROP
>> $ipt -P INPUT DROP
>> $ipt -P FORWARD DROP
>>
>> # allow local connections
>> $ipt -I OUTPUT -o lo -j ACCEPT
>> $ipt -I INPUT -i lo -j ACCEPT
>> # allow debian-tor outputs
>> $ipt -I OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
>> # allow related/established incoming
>> $ipt -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> # redirect DNS traffic
>> $ipt -t nat -I PREROUTING ! -i lo -p udp --dport 53 -j REDIRECT --to-ports $DNSPROXY
>> # redirect tcp to transproxy
>> $ipt -t nat -I PREROUTING ! -i lo -p tcp --syn -j REDIRECT --to-ports $TRANSPROXY
>>
>> more or less. I don't have the whole stuff in my head, and my script is at
>> home.
>>
>> Use with care, as it might as well lock you out ;).
>> You should add the DNSProxy and TransProxy settings as well in your torrc.
>>
>> Cheers,
>>
>> C.
>>
>> [1] https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy
>>
>> >
>> > On 20 October 2014 17:52:18 CEST, Robert Watson <robert at gillecaluim.com> wrote:
>> >> Could someone please clarify a question I have about configuring tor &
>> >> iptables. I'm using a dual nic centos server with squid/privoxy/tor
>> >> behind an ISP router. My internet nic (eth0) gets a dhcp address so I wasn't
>> >> sure how to set SocksBindAddress to the eth0 address? Is there a
>> >> SocksBindAdapter setting available?
>> >> My tor.conf:
>> >> SocksPort 9150 #privoxy socks5 port
>> >> SocksBindAddress 127.0.0.1
>> >> SocksPolicy accept 127.0.0.1
>> >> SocksPolicy reject *
>> >> AllowUnverifiedNodes middle,rendezvous
>> >> Log notice syslog
>> >> RunAsDaemon 1
>> >> User tor
>> >> CircuitBuildTimeout 30
>> >> NumEntryGuards 6
>> >> KeepalivePeriod 60
>> >> NewCircuitPeriod 15
>> >> DataDirectory /var/lib/tor
>> >> PidFile /var/run/tor/tor.pid
>> >> Log notice file /var/log/tor/tor.log
>> >
>> >> I was thinking I would have to forward eth0:9050 to lo:9050 with these
>> >> rules:
>> >> -A FORWARD -i lo -o eth0 -p tcp --dport 9050 -j ACCEPT
>> >> -A FORWARD -i eth0 -o lo -m state --state ESTABLISHED,RELATED -j ACCEPT
>> >
>> >> Any advice would be appreciated.
>> >> Robert
>> >> --
>> >> tor-talk mailing list - tor-talk at lists.torproject.org
>> >> To unsubscribe or change other settings go to
>> >> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>> >
>>
>
>
> --
> We don't bubble you, we don't spoof you ;)
> Keep your data encrypted!
>
> Log you soon,
> your Admin
> elrippo at elrippoisland.net
>
> Encrypted messages are welcome.
> 0x84DF1F7E6AE03644
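A way to check a live box against the lockdown both scripts in this thread aim for (filter OUTPUT policy DROP, the debian-tor owner match both RETURNing from the nat REDIRECTs and being ACCEPTed, local DNS and TCP SYNs redirected to DNSPort/TransPort, and every other clear-net ACCEPT such as the NTP exception listed for review), as an added example that is not part of the thread: it parses `iptables-save` output. The `chain` and `audit` helpers are mine, and the embedded dump is constructed to mirror elrippo's tor-only.bash, not captured from a real host.

```python
# Added example, not from the thread: audit an iptables-save dump for the Tor
# lockdown described above. SAMPLE_DUMP is constructed, not captured from a host.
import re

SAMPLE_DUMP = """\
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j RETURN
-A OUTPUT -m owner --uid-owner debian-tor -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
-A OUTPUT -p tcp -m tcp --syn -j REDIRECT --to-ports 9040
COMMIT
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
COMMIT
"""

def chain(text, tbl, name):
    """Return (policy, rules) of one chain from an iptables-save dump."""
    if f"*{tbl}\n" not in text:
        return None, []
    body = text.split(f"*{tbl}\n", 1)[1].split("\nCOMMIT", 1)[0].splitlines()
    pol = dict(l[1:].split()[:2] for l in body if l.startswith(":")).get(name)
    return pol, [l for l in body if l.startswith(f"-A {name} ")]

def audit(text, tor_user="debian-tor", trans_port=9040, dns_port=9053):
    """Return (errors, exceptions): errors break the lockdown; exceptions are
    OUTPUT ACCEPTs that bypass Tor on purpose (e.g. NTP) and need review."""
    _, nat_out = chain(text, "nat", "OUTPUT")
    fil_pol, fil_out = chain(text, "filter", "OUTPUT")
    owner, syn = f"--uid-owner {tor_user}", re.compile(r"--syn\b|--tcp-flags \S+ SYN\b")
    checks = [  # (condition that must hold, message if it does not)
        (fil_pol == "DROP", "filter OUTPUT policy is not DROP"),
        # Tor's own sockets must leave nat OUTPUT before the REDIRECTs, or Tor
        # would be looped back into its own TransPort.
        (any(owner in r and "-j RETURN" in r for r in nat_out), f"no nat RETURN for {tor_user}"),
        (any("--dport 53" in r and f"--to-ports {dns_port}" in r for r in nat_out),
         f"local DNS not redirected to DNSPort {dns_port}"),
        (any(syn.search(r) and f"--to-ports {trans_port}" in r for r in nat_out),
         f"local TCP SYNs not redirected to TransPort {trans_port}"),
        (any(owner in r and "-j ACCEPT" in r for r in fil_out), f"filter OUTPUT does not ACCEPT {tor_user}"),
    ]
    errors = [msg for ok, msg in checks if not ok]
    expected = ("-o lo ", "--state ESTABLISHED,RELATED", owner)
    exceptions = [r for r in fil_out if "-j ACCEPT" in r and not any(e in r for e in expected)]
    return errors, exceptions
```

On a real host, feed it `iptables-save` output instead of SAMPLE_DUMP; the nat RETURN check is exactly the row CJ missed at the top of this mail.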