
Re: Tor/Iptables Question



On Thu, Aug 20, 2009 at 09:34:23AM -0400, Ringo wrote:
> Ok so I added this one (which seemed like the only one that would open
> things up) and still no luck:
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Here's a export of my current rules:
>
> # Generated by iptables-save v1.4.1.1 on Thu Aug 20 09:28:22 2009
> *filter
> :INPUT ACCEPT [9850:7346270]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [10373:5920044]
> -A INPUT -p tcp -j DROP
> -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

You're dropping all incoming TCP traffic! This must be switched.
And you should use conntrack (it replaces state).

    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -j DROP

But I'm not sure if this is necessary at all. You could accept
all incoming traffic.

> -A OUTPUT -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner torify -j ACCEPT
> -A OUTPUT -o lo -p tcp -m tcp --dport 9050 -j ACCEPT
> -A OUTPUT -o lo -p tcp -m owner --uid-owner torify -j REJECT --reject-with icmp-port-unreachable
> -A OUTPUT -o lo -p tcp -m tcp --dport 8888 -j ACCEPT
> COMMIT
>
> [snip]

I haven't tested it so I'm not sure it will work.

Hope this helps,
Simon
-- 
+ privacy is necessary
+ using http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

Attachment: signature.asc
Description: Digital signature
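Added example, not part of this thread: a small Python model of iptables first-match evaluation that replays the two INPUT chains discussed above (Ringo's posted one, with `-p tcp -j DROP` first, and Simon's suggested order, with the RELATED,ESTABLISHED accept first) against constructed sample packets. The model only looks at protocol and conntrack state; interface, port and owner matches from the OUTPUT rules are deliberately left out.

```python
"""Model iptables first-match evaluation to show why rule order matters.

Constructed example: packets and rules are simplified stand-ins for the
real netfilter objects, covering only protocol and conntrack state.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp", "udp", "icmp"
    ctstate: str  # conntrack state: NEW, ESTABLISHED, RELATED, INVALID


@dataclass(frozen=True)
class Rule:
    target: str                               # ACCEPT, DROP, REJECT
    proto: Optional[str] = None               # None: any protocol (-p omitted)
    ctstates: FrozenSet[str] = frozenset()    # empty: any state (no --ctstate)

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.ctstates and pkt.ctstate not in self.ctstates:
            return False
        return True


def verdict(chain, pkt: Packet, policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom; the first matching rule decides.
    If nothing matches, the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Ringo's INPUT chain, transcribed from the quoted iptables-save output.
RINGO_INPUT = [
    Rule("DROP", proto="tcp"),
    Rule("ACCEPT", proto="tcp", ctstates=frozenset({"ESTABLISHED"})),
    Rule("ACCEPT", ctstates=frozenset({"RELATED", "ESTABLISHED"})),
]

# Simon's suggested order: accept replies first, then drop everything else.
SIMON_INPUT = [
    Rule("ACCEPT", ctstates=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("DROP"),
]

# Constructed sample packets (not captured traffic).
TCP_REPLY = Packet("tcp", "ESTABLISHED")   # e.g. SYN/ACK answering Tor's own outbound connect
UNSOLICITED_SYN = Packet("tcp", "NEW")     # inbound connection attempt nobody asked for
UDP_REPLY = Packet("udp", "ESTABLISHED")   # e.g. a DNS answer to a query we sent
UDP_NEW = Packet("udp", "NEW")             # unsolicited inbound UDP


def compare(pkt: Packet) -> dict:
    """Verdict for the same packet under both chains (both with policy ACCEPT,
    as in the posted iptables-save header)."""
    return {
        "ringo": verdict(RINGO_INPUT, pkt),
        "simon": verdict(SIMON_INPUT, pkt),
    }


if __name__ == "__main__":
    for name, pkt in [("tcp reply", TCP_REPLY), ("unsolicited syn", UNSOLICITED_SYN),
                      ("udp reply", UDP_REPLY), ("udp new", UDP_NEW)]:
        print(f"{name:16s} {compare(pkt)}")
```

Running it shows the failure Simon points at: in Ringo's order the TCP DROP rule matches every incoming TCP packet, so the ESTABLISHED accepts below it are never reached and Tor's own connections never get their replies. With the accept rule first, replies pass and only unsolicited traffic is dropped; the UDP NEW case also shows that Simon's trailing `-j DROP` tightens things beyond the original chain, which is why he adds that accepting all inbound traffic would work too.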