[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Tor/Iptables Question

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Tor/Iptables Question
From: Ringo <2600denver@xxxxxxxxx>
Date: Thu, 20 Aug 2009 07:55:50 -0400
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Thu, 20 Aug 2009 07:56:37 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :x-enigmail-version:content-type:content-transfer-encoding; bh=+SXoVcFussOZLNwNBLE7y1HgmEgCp074I9KOE3f7VYI=; b=VZUfbgtVkX7gXF52LK3m6Zegfn5MvQpeydjRdrRsvOk4Z4oBUyrDC/OxxCZ8Dc2aqh OYokDt5O6yzZlyksdHdjZ2VcUhAOuzZWwgJ3fAU8OnIstXKfPN+0nLI8QNhRn/E680jL WdPtGxQE39deraCQ1Z+JzXCHZCAM1imlm6sbw=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:x-enigmail-version:content-type :content-transfer-encoding; b=Kk1+UZO/ihmTaeJB6VeOGSxLAJqFimrQcQ5sodqpvTX1Wo3Ap9eiS6X5g/fukhhzlZ 7PG4SBe2lHS0dP1AIVCgPiYgGbdaytlnFrv9sQU46HVNUdkWo3k5buuK+pxFRBtzd0CE k27CW2GhgYPd+kAG/FNNnSXTa7N8/mZlfkCp4=
In-reply-to: <21f144250908191648h33d619bcic2ba4036d25bfd5@xxxxxxxxxxxxxx>
References: <4a8beb58.0707d00a.5e4a.2230@xxxxxxxxxxxxx> <4A8C5A18.8070603@xxxxxxxxx> <21f144250908191648h33d619bcic2ba4036d25bfd5@xxxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.21 (X11/20090318)

I've run into a problem. My model is that a user "torify" has all
traffic forwarded to localhost. From there, it should all be dropped
except connections to privoxy (port 8118). It all works up until the
last iptables command. I assume this is blocking all incoming traffic,
including traffic I've initiated, but I could be interpreting it wrong.
I can't connect to any websites, but I can send requests out. Is there
anything obvious I'm missing or a something I should add?

#allow connections to privoxy
iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner torify
-j ACCEPT
#allow connections to Tor
iptables -A OUTPUT -o lo -p tcp --dport 9050 -j ACCEPT
#re-route all outbound traffic to localhost
iptables -t nat -A OUTPUT -m owner --uid-owner torify -j DNAT
--to-destination 127.0.0.1
#drop all traffic to localhost from localhost
iptables -A OUTPUT -o lo -p tcp -m owner --uid-owner torify -j REJECT
#allow Tor to access hidden service, virtual machine
iptables -A OUTPUT -o lo -p tcp --dport 8888 -j ACCEPT
#disallow all external incoming connections
sudo iptables -A INPUT -p TCP -j DROP

Thanks for any help you all can offer. I know this stuff may seem basic
to a lot of people but it's complicated for me and I'm trying to help
hidden service operators here who know even less than I.

Ringo

Kyle Williams wrote:
> I believe if you just remove --dport, then everything (all ports) are
> assumed.
> 
> On Wed, Aug 19, 2009 at 1:01 PM, Ringo <2600denver@xxxxxxxxx> wrote:
> 
>> "I prevent all users other than root from connecting to the Tor Control
>> port with an
>>> iptables rule which looks like this:
>>>
>>> iptables -A OUTPUT -o lo -p tcp --dport 9051 -m owner ! --uid-owner
>> root -j REJECT"
>>
>> Thanks! That should work perfectly. Is there any way to make dport a
>> wildcard?
>>
>> Ringo
>>
>

Follow-Ups:
- Re: Tor/Iptables Question
  - From: coderman
- Re: Tor/Iptables Question
  - From: Kyle Williams

References:
- Re: Tor/Iptables Question
  - From: Erilenz
- Re: Tor/Iptables Question
  - From: Ringo
- Re: Tor/Iptables Question
  - From: Kyle Williams

Prev by Author: Re: Roger's HAR2009 talk on Tor performance
Next by Author: Re: Tor/Iptables Question
Previous by thread: Re: Tor/Iptables Question
Next by thread: Re: Tor/Iptables Question
Index(es):
- Author
- Thread