[tor-talk] iptables rules

CJ tor at tengu.ch
Wed Oct 22 04:40:34 UTC 2014


Whoops, didn't see the last row mentioning the debian-tor user, my bad :(

good to know about ntp, I'll add it to my own stuff later.

Sorry for the noise, being sick doesn't help much reading iptables rules :/

On 10/21/2014 07:57 PM, elrippo wrote:
> Hmmm, at point 5.f.) that's exactly what I propose. Please do not forget
> to let your relay do the NTP without Tor, because of the latency.
> 
> Read down below....
> 
>  
> 
> ---------------------------------------------------------------------------------------------------
> 
>  
> 
> f.) Now let's configure our second scenario, where the middlebox is
> handing over to Tor, acting as an ExitRelay and the traffic of the
> router is also handed to Tor.
> 
> /etc/tor/torrc
> 
> VirtualAddrNetworkIPv4 172.16.0.0/12
> TransPort 9040
> TransPort 192.168.100.1:9040
> TransPort 192.168.200.1:9040
> AutomapHostsOnResolve 1
> DNSPort 9053
> DNSPort 192.168.100.1:9053
> DNSPort 192.168.200.1:9053
> SocksPort 127.0.0.1:9050
> ControlPort 9051
> HashedControlPassword 16:somewilddigitsofsomekindofnumbers
> ORPort 9001
> Nickname PickYourNicknameLikeCounterNSAServer
> ContactInfo Random Person somename at somedomain.tld
> DirPort 9030
> DirPortFrontPage /path/to/your/tor-exit-notice.html
> ExitPolicy accept *:22,accept *:80,accept *:443,reject *:*
> 
> /etc/firewall/tor-only.bash
> 
> #!/bin/bash
> 
> modprobe ip_tables
> modprobe ip_nat_ftp
> modprobe ip_nat_irc
> modprobe ip_conntrack
> modprobe ip_conntrack_irc
> modprobe ip_conntrack_ftp
> modprobe ipt_limit
> modprobe ipt_multiport
> modprobe iptable_mangle
> modprobe ipt_state
> modprobe iptable_filter
> modprobe iptable_nat
> modprobe ipt_REJECT
> modprobe ipt_LOG
> modprobe xt_recent
> modprobe ipt_mac
> 
> ####################################################################
> # Remove all rules
> iptables -F
> iptables -X
> iptables -t nat -F
> ####################################################################
> # First set the default behaviour
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> ####################################################################
> 
> ################################################################################
> # INPUT INCOMING rules for ALL INTERFACES #
> ################################################################################
> # ALLOW ESTABLISHED and RELATED incoming connections
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> # ALLOW other relays and clients to reach the ORPort and DirPort set in torrc
> # (with INPUT policy DROP and only ESTABLISHED,RELATED on eth0, the relay would
> # otherwise be unreachable)
> iptables -A INPUT -i eth0 -p tcp --dport 9001 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 9030 -j ACCEPT
> 
> ################################################################################
> # OUTPUT OUTGOING rules for ALL INTERFACES #
> ################################################################################
> iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> ################################################################################
> # ALLOW self communication
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> 
> ################################################################################
> # ALLOW incoming connections on our internal interfaces
> iptables -A INPUT -i eth1 -j ACCEPT
> iptables -A INPUT -i wlan0 -j ACCEPT
> 
> # Clients on the internal interfaces: NTP to the local NTP server, DNS to
> # Tor's DNSPort, every new TCP connection to Tor's TransPort
> iptables -t nat -A PREROUTING -i eth1 -p udp -m udp --dport 123 -j REDIRECT --to-ports 123
> iptables -t nat -A PREROUTING -i eth1 -p udp --dport 53 -j REDIRECT --to-ports 9053
> iptables -t nat -A PREROUTING -i eth1 -p tcp --syn -j REDIRECT --to-ports 9040
> iptables -t nat -A PREROUTING -i wlan0 -p udp -m udp --dport 123 -j REDIRECT --to-ports 123
> iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 9053
> iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
> 
> # The middlebox's own traffic: everything except Tor's own connections and
> # loopback traffic is also sent through TransPort/DNSPort
> iptables -t nat -A OUTPUT -o lo -j RETURN
> iptables -t nat -A OUTPUT -m owner --uid-owner "debian-tor" -j RETURN
> iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 9053
> iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
> 
> # Only Tor, loopback and NTP may leave the box; everything else is rejected
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m owner --uid-owner "debian-tor" -j ACCEPT
> for NET in 127.0.0.0/8; do
>     iptables -A OUTPUT -d $NET -j ACCEPT
> done
> iptables -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
> iptables -A OUTPUT -j REJECT
> 
> Make this script executable and load it on system start. This script
> assumes that the Tor instance is also started at system start.
> 
> I hope you had some fun anonymizing your traffic :D
> 
> Read you later ;)
> 
> 
> ---------------------------------------------------------------------------------------------------
> 
>  
> 
> On Tuesday, 21 October 2014, 07:41:15 CJ wrote:
> 
>> On 10/20/2014 06:09 PM, Elrippo wrote:
>> > Try https://elrippoisland.net/public/how_to/anonymity.html
>>
>> hmm, there are some issues with the proposed iptables rules…
>> I'd rather read Mike's blog post[1] and take his scripts in order to
>> lock the OUTPUT chain for good, allowing only debian-tor user traffic to go
>> out. Sadly you won't be able to filter out traffic as on Android, as
>> most of the applications will run with your own user. But Tor does have
>> its dedicated user, so some magic is still possible in order to prevent
>> any leak.
>>
>> Something like that *should* be OK:
>>
>> # lock down network
>> $ipt -P OUTPUT DROP
>> $ipt -P INPUT DROP
>> $ipt -P FORWARD DROP
>>
>> # allow local connections
>> $ipt -I OUTPUT -o lo -j ACCEPT
>> $ipt -I INPUT -i lo -j ACCEPT
>> # allow debian-tor outputs
>> $ipt -I OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
>> # allow related/established incoming
>> $ipt -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> # redirect DNS traffic
>> $ipt -t nat -I PREROUTING ! -i lo -p udp --dport 53 -j REDIRECT --to-ports $DNSPROXY
>> # redirect tcp to transproxy
>> $ipt -t nat -I PREROUTING ! -i lo -p tcp --syn -j REDIRECT --to-ports $TRANSPROXY
>>
>> more or less. I don't have the whole stuff in my head, and my script is at
>> home.
>>
>> Use with care, as it might as well lock you out ;).
>> You should add the DNSProxy and TransProxy settings as well in your torrc.
>>
>> Cheers,
>>
>> C.
>>
>> [1] https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy
>>
> 
>> >
>> > On 20 October 2014 17:52:18 MESZ, Robert Watson
>> <robert at gillecaluim.com> wrote:
>> >> Could someone please clarify a question I have about configuring tor &
>> >> iptables. I'm using a dual nic centos server with squid/privoxy/tor
>> >> behind an ISP router. My internet nic (eth0) gets a dhcp address so I wasn't
>> >> sure how to set SocksBindAddress to the eth0 address? Is there a
>> >> SocksBindAdapter setting available?
>> >> My tor.conf:
>> >> SocksPort 9150 #privoxy socks5 port
>> >> SocksBindAddress 127.0.0.1
>> >> SocksPolicy accept 127.0.0.1
>> >> SocksPolicy reject *
>> >> AllowUnverifiedNodes middle,rendezvous
>> >> Log notice syslog
>> >> RunAsDaemon 1
>> >> User tor
>> >> CircuitBuildTimeout 30
>> >> NumEntryGuards 6
>> >> KeepalivePeriod 60
>> >> NewCircuitPeriod 15
>> >> DataDirectory /var/lib/tor
>> >> PidFile /var/run/tor/tor.pid
>> >> Log notice file /var/log/tor/tor.log
>> >
>> >> I was thinking I would have to forward eth0:9050 to lo:9050 with these
>> >> rules:
>> >> -A FORWARD -i lo -o eth0 -p tcp --dport 9050 -j ACCEPT
>> >> -A FORWARD -i eth0 -o lo -m state --state ESTABLISHED,RELATED -j ACCEPT
>> >
>> >> Any advice would be appreciated.
>> >> Robert
>> >> --
>> >> tor-talk mailing list - tor-talk at lists.torproject.org
>> >> To unsubscribe or change other settings go to
>> >> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>> >
>> >
>>
>>
> 
> 
> -- 
> We don't bubble you, we don't spoof you ;)
> Keep your data encrypted!
> Log you soon,
> your Admin
> elrippo at elrippoisland.net
> 
> Encrypted messages are welcome.
> 0x84DF1F7E6AE03644
> 
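The egress policy the thread converges on (OUTPUT locked to the Tor user, LAN clients redirected to TransPort and DNSPort, NTP left in the clear), as an added example script that is not elrippo's or CJ's own code. It assumes the interface names eth0/eth1, the debian-tor user and the torrc ports 9040/9053/9001/9030 from the quoted messages, all overridable from the environment. It differs from the quoted rule sets in two places a practitioner tends to trip over: loopback, link-local and RFC 1918 destinations are excluded from the REDIRECT rules, so a LAN client that talks to the middlebox itself (its SSH port, say) is not pushed into Tor, and the relay's ORPort/DirPort are opened on the WAN side, which a default-DROP INPUT chain otherwise closes. The `ipt` wrapper, `NON_TOR` list and `DRY_RUN` switch are this example's own inventions:

```shell
#!/bin/sh
# Added example (not elrippo's or CJ's script): a tor-only egress policy for a
# Tor middlebox that also runs as a relay, in the spirit of the rules above.
# Assumptions, all overridable from the environment:
#   TOR_USER   user Tor runs as (debian-tor on Debian)
#   WAN / LAN  upstream and client-facing interfaces
#   TRANSPORT, DNSPORT, ORPORT, DIRPORT  the ports configured in torrc
# DRY_RUN=1 (default) prints the iptables commands instead of executing them.
TOR_USER="${TOR_USER:-debian-tor}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
TRANSPORT="${TRANSPORT:-9040}"
DNSPORT="${DNSPORT:-9053}"
ORPORT="${ORPORT:-9001}"
DIRPORT="${DIRPORT:-9030}"
DRY_RUN="${DRY_RUN:-1}"
# Destinations that must never be pushed into Tor: loopback, link-local and
# RFC 1918 space. Without these exclusions a LAN client connecting to the
# middlebox's own SSH port would be REDIRECTed into TransPort.
NON_TOR="127.0.0.0/8 169.254.0.0/16 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_rules() {
    # Clean slate in filter and nat, then default-deny in all three chains.
    ipt -F; ipt -X; ipt -t nat -F; ipt -t nat -X
    ipt -P INPUT DROP; ipt -P OUTPUT DROP; ipt -P FORWARD DROP

    # Loopback and replies to flows conntrack already knows about.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Relay role: a default-DROP INPUT chain would otherwise hide ORPort/DirPort.
    ipt -A INPUT -i "$WAN" -p tcp --dport "$ORPORT" -j ACCEPT
    ipt -A INPUT -i "$WAN" -p tcp --dport "$DIRPORT" -j ACCEPT
    # LAN clients may reach the box; their redirected flows arrive as INPUT.
    # Whatever is not redirected (other UDP, ICMP) meets FORWARD's DROP policy.
    ipt -A INPUT -i "$LAN" -j ACCEPT

    # nat PREROUTING: transparently proxy LAN clients. Exclusions come first,
    # because rules are evaluated in order and REDIRECT is terminal.
    for net in $NON_TOR; do
        ipt -t nat -A PREROUTING -i "$LAN" -d "$net" -j RETURN
    done
    ipt -t nat -A PREROUTING -i "$LAN" -p udp --dport 53 -j REDIRECT --to-ports "$DNSPORT"
    ipt -t nat -A PREROUTING -i "$LAN" -p tcp --syn -j REDIRECT --to-ports "$TRANSPORT"

    # nat OUTPUT: the box's own traffic also goes via Tor, except Tor's own
    # connections (matched by uid) and local destinations.
    ipt -t nat -A OUTPUT -o lo -j RETURN
    ipt -t nat -A OUTPUT -m owner --uid-owner "$TOR_USER" -j RETURN
    for net in $NON_TOR; do
        ipt -t nat -A OUTPUT -d "$net" -j RETURN
    done
    ipt -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports "$DNSPORT"
    ipt -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports "$TRANSPORT"

    # filter OUTPUT: only the Tor user, loopback-bound packets (where the
    # REDIRECTed flows end up) and clearnet NTP may leave; everything else is
    # REJECTed so a misconfigured program fails loudly instead of leaking.
    ipt -A OUTPUT -m owner --uid-owner "$TOR_USER" -j ACCEPT
    ipt -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
    ipt -A OUTPUT -p udp --dport 123 -j ACCEPT
    ipt -A OUTPUT -j REJECT
}

# The rule list as the dry run prints it, one command per line.
dump_rules() {
    ( DRY_RUN=1; apply_rules )
}

# `sh tor-only.sh` prints the rules; `DRY_RUN=0 sh tor-only.sh` applies them (as root).
apply_rules
```

Review the dry-run output before switching DRY_RUN off, ideally from a console rather than over SSH through the very interface the rules lock down. Services the box itself offers to the LAN beyond Tor's DNSPort and TransPort (a DHCP server, for instance) need their own OUTPUT ACCEPT; the script deliberately adds none, so that every non-Tor egress is an explicit decision.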

