
Re: Tor/Iptables Question



"You're dropping all incoming TCP traffic! This must be switched.
And you should use conntrack (it replaces state)."

Good point! I gave the following config a test. Here's what --list-rules
gave me.

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -p udp -j DROP
-A INPUT -p icmp -j DROP
-A OUTPUT -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner torify -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9050 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 8118 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 8888 -j ACCEPT
-A OUTPUT -o lo -p tcp -m owner --uid-owner torify -j REJECT --reject-with icmp-port-unreachable

The main user "user" can browse the internet just fine (yay!) and
"torify" can't connect to anything (yay!), even privoxy on localhost
(sad). Unfortunately, no user on the computer can reach privoxy. I
confirmed it was up and running, and that tor was. A wget using it as a
proxy just says "connecting" and never gets past that. I also tried
restarting privoxy/tor just to be sure they weren't flaking and that
didn't seem to be it.

Any ideas?

Ringo

Simon Ruderich wrote:
> On Thu, Aug 20, 2009 at 09:34:23AM -0400, Ringo wrote:
>> Ok so I added this one (which seemed like the only one that would open
>> things up) and still no luck:
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> Here's an export of my current rules:
>>
>> # Generated by iptables-save v1.4.1.1 on Thu Aug 20 09:28:22 2009
>> *filter
>> :INPUT ACCEPT [9850:7346270]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [10373:5920044]
>> -A INPUT -p tcp -j DROP
>> -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> You're dropping all incoming TCP traffic! This must be switched.
> And you should use conntrack (it replaces state).
> 
>     -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>     -A INPUT -j DROP
> 
> But I'm not sure if this is necessary at all. You could accept
> all incoming traffic.
> 
>> -A OUTPUT -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner torify -j ACCEPT
>> -A OUTPUT -o lo -p tcp -m tcp --dport 9050 -j ACCEPT
>> -A OUTPUT -o lo -p tcp -m owner --uid-owner torify -j REJECT --reject-with icmp-port-unreachable
>> -A OUTPUT -o lo -p tcp -m tcp --dport 8888 -j ACCEPT
>> COMMIT
>>
>> [snip]
> 
> I haven't tested it so I'm not sure it will work.
> 
> Hope this helps,
> Simon
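An added illustration of why wget hangs at "connecting" with the ruleset Ringo posted (example code written for this page, not from either poster): a small first-match simulator for the INPUT chain, covering only the matches the thread uses (-i, -p, --ctstate) plus the chain policy. Loopback packets traverse INPUT too, and the first SYN to privoxy is NEW rather than ESTABLISHED, so it falls through to `-A INPUT -p tcp -j DROP`; inserting `-A INPUT -i lo -j ACCEPT` ahead of the drops is the assumed fix shown here.

```python
# Hypothetical helper, not iptables itself: models first-match traversal of
# the INPUT chain for the match types used in this thread.

def parse_rule(line):
    """Turn one '-A INPUT ...' line into (match_dict, target)."""
    tok = line.split()
    match, target = {}, None
    i = 0
    while i < len(tok):
        if tok[i] == "-i":
            match["iface"] = tok[i + 1]; i += 2
        elif tok[i] == "-p":
            match["proto"] = tok[i + 1]; i += 2
        elif tok[i] == "--ctstate":
            match["ctstate"] = set(tok[i + 1].split(",")); i += 2
        elif tok[i] == "-j":
            target = tok[i + 1]; i += 2
        else:
            i += 1  # -A INPUT, -m conntrack, -m tcp: no match criteria of their own
    return match, target

def verdict(rules, pkt, policy="ACCEPT"):
    """Walk the chain in order; the first matching rule decides, else the policy."""
    for match, target in (parse_rule(r) for r in rules):
        if "iface" in match and match["iface"] != pkt["iface"]:
            continue
        if "proto" in match and match["proto"] != pkt["proto"]:
            continue
        if "ctstate" in match and pkt["ctstate"] not in match["ctstate"]:
            continue
        return target
    return policy

# The INPUT rules as posted above.
POSTED = [
    "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p tcp -j DROP",
    "-A INPUT -p udp -j DROP",
    "-A INPUT -p icmp -j DROP",
]
# Same chain with an (assumed) loopback accept inserted at the top.
WITH_LO = ["-A INPUT -i lo -j ACCEPT"] + POSTED

# Constructed packet: the SYN wget sends to privoxy on 127.0.0.1:8118.
SYN_TO_PRIVOXY = {"iface": "lo", "proto": "tcp", "dport": 8118, "ctstate": "NEW"}

if __name__ == "__main__":
    print("posted ruleset:", verdict(POSTED, SYN_TO_PRIVOXY))   # DROP
    print("with lo accept:", verdict(WITH_LO, SYN_TO_PRIVOXY))  # ACCEPT
```

Replies to connections the box itself opened are ESTABLISHED and pass the conntrack rule either way, which is why "user" could still browse while every local client of privoxy stalled.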