[tor-talk] Tor and iptables.

Jason Long hack3rcon at yahoo.com
Mon Dec 12 06:38:14 UTC 2016


My iptables rules are:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT -m state --state RELATED,ESTABLISHED
-A INPUT -i lo -j ACCEPT
#-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 192.168.0.0/24 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255/32 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -m limit --limit 1/sec -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT -m state --state RELATED,ESTABLISHED
COMMIT
What is my problem? Why can't I use "obfs4"?

    On Sunday, December 11, 2016 10:33 PM, Mirimir <mirimir at riseup.net> wrote:
 

 On 12/10/2016 07:16 AM, Jason Long wrote:
> Hello.
> I would like to close all INPUT connections via iptables, but I would like to use TorBrowser. Then which port(s) must be open?
> 
> -A OUTPUT -p tcp -m tcp --dport 9151 -j ACCEPT
> 
> 
> Is it enough? How about "INPUT"? Must I open any input port too?
> 
> Thank you.

You only need to allow input and output for the tor process. And input
for SSH, if you need that. Plus related/established, of course.

In Debian, run "id -u debian-tor". Then use that number (typically 108)
in an output rule. Tor input is allowed by related/established.

-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP

-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 108 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP

-- 
tor-talk mailing list - tor-talk at lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
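The rule set Mirimir describes above, as an added example that is not part of the thread: a POSIX shell script that looks up the tor uid with `id -u` (as suggested) and emits a complete iptables-restore table in which only the tor process may open outbound connections. It assumes the system tor account is `debian-tor` (Tor Browser's bundled tor runs as the desktop user, so the owner match only helps when you use the system tor), and uses `-o lo` in OUTPUT because `-i` is not valid there; the `tor_uid` and `tor_only_rules` names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): generate a "tor-only egress" iptables
# ruleset in iptables-restore format. Review the output, then feed it to
# iptables-restore; nothing here touches the live firewall.

# tor_uid USER FALLBACK -> numeric uid of USER, or FALLBACK when the account
# does not exist on this host (e.g. generating the file offline).
tor_uid() {
    id -u "$1" 2>/dev/null || printf '%s\n' "$2"
}

# tor_only_rules UID [ALLOW_SSH] -> full *filter table: loopback and
# related/established both ways, optional inbound SSH, and new outbound
# connections only from processes owned by UID (the tor daemon and any
# pluggable transport such as obfs4proxy it spawns under the same uid).
tor_only_rules() {
    uid="$1"
    allow_ssh="${2:-no}"
    case "$uid" in
        ''|*[!0-9]*) echo "tor_only_rules: uid must be numeric" >&2; return 1 ;;
    esac
    printf '%s\n' '*filter'
    # Default-DROP policies are belt and braces: the explicit -j DROP rules
    # at the end of each chain already catch everything unmatched.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    if [ "$allow_ssh" = yes ]; then
        printf '%s\n' '-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT'
    fi
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -j DROP'
    # OUTPUT has no input interface, so loopback is matched with -o, not -i.
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' "-A OUTPUT -m owner --uid-owner $uid -j ACCEPT"
    printf '%s\n' '-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -j DROP'
    printf '%s\n' 'COMMIT'
}

# Print the ruleset for this host when run as: sh tor-fw.sh --print
if [ "${1:-}" = "--print" ]; then
    tor_only_rules "$(tor_uid debian-tor 108)" yes
fi
```

Pipe the `--print` output into `iptables-restore` once you have checked that the uid printed is really the tor account's; a wrong uid silently blocks tor and nothing else.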