
Re: [tor-talk] Tor and iptables.



On 12/12/2016 03:35 AM, Jason Long wrote:
> can anyone edit my rules and tell me what is my problem? 

You asked "What is my problem? Why I can't use "obfs4" ?"

The problem, I think, is that you reject everything ...

-A OUTPUT -j REJECT --reject-with icmp-port-unreachable

... before allowing Tor traffic. So Tor can't connect.

Unless you run Tor as a specific user, there's no elegant way to
restrict output. You could have a rule allowing output to directory
servers and your bridges. Beyond authorities, I'm not sure how many
directory servers you'd need. Maybe some kind person can provide a
minimal list of directory server IPs.

Also, there's no need to allow any input, except loopback and
related/established, because Tor is handling everything. So with Tor
running as user, just use this:

*filter

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -i lo -j ACCEPT
# optional, to SSH in (iptables-restore only accepts comments on their own line)
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP

-A FORWARD -j DROP

COMMIT

If you want to add output rules for Tor servers, and block all other
output (which is good to prevent leaks):

*filter

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

-A INPUT -i lo -j ACCEPT
# optional, to SSH in (iptables-restore only accepts comments on their own line)
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP

-A FORWARD -j DROP

-A OUTPUT -o lo -j ACCEPT
# repeat for all needed servers
-A OUTPUT -d w.x.y.z -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP

COMMIT

And if you run Tor with a special user with uid foo:

*filter

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

-A INPUT -i lo -j ACCEPT
# optional, to SSH in (iptables-restore only accepts comments on their own line)
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP

-A FORWARD -j DROP

-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner foo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP

COMMIT

>     On Monday, December 12, 2016 1:23 AM, Jonathan Marquardt <mail@xxxxxxxxxxxx> wrote:
>  
> 
>  On Mon, Dec 12, 2016 at 01:52:22AM -0700, Mirimir wrote:
>> Sorry about missing the typo in my initial reply. It _was_ an invalid
>> rule. But accepting lo is necessary with default deny, right?
> 
> Yes, sorry, you're right. My bad.
> 
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
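A small lint for the two mistakes discussed in this thread (a catch-all REJECT/DROP placed before the Tor ACCEPT, which makes that ACCEPT unreachable, and a default-DROP chain with no ACCEPT for lo), as an added example that is not part of the original thread. It reads the iptables-save syntax used in the rulesets above; the BROKEN ruleset is constructed to reproduce the reported mistake, and `foo` is the placeholder user from the reply.

```python
# Lint an iptables-save *filter ruleset for the mistakes discussed in this thread.
import shlex

def parse_filter(text):
    """Return (policies, rules): chain -> policy, and (chain, args) in file order."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "*")) or line == "COMMIT":
            continue
        if line.startswith(":"):                      # e.g. ":OUTPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        else:
            args = shlex.split(line, comments=True)   # tolerate trailing "# ..." notes
            if args[:1] == ["-A"]:
                rules.append((args[1], args[2:]))
    return policies, rules

def is_catch_all(args):
    """'-j DROP' or '-j REJECT ...' with no match criteria matches every packet."""
    return len(args) >= 2 and args[0] == "-j" and args[1] in ("DROP", "REJECT")

def accepts_loopback(chain, args):
    """True for '-i lo ... -j ACCEPT' on INPUT or '-o lo ... -j ACCEPT' on OUTPUT."""
    pair = ["-i" if chain == "INPUT" else "-o", "lo"]
    return any(args[i:i + 2] == pair for i in range(len(args))) and args[-2:] == ["-j", "ACCEPT"]

def lint(text):
    """Return human-readable findings; an empty list means the ruleset is clean."""
    policies, rules = parse_filter(text)
    findings, dead = [], set()        # dead: chains already ended by a catch-all
    for chain, args in rules:
        if chain in dead:
            findings.append(f"{chain}: unreachable after catch-all: {' '.join(args)}")
        elif is_catch_all(args):
            dead.add(chain)
    for chain in ("INPUT", "OUTPUT"):
        if policies.get(chain) == "DROP" and not any(
                c == chain and accepts_loopback(c, a) for c, a in rules):
            findings.append(f"{chain}: policy DROP but no ACCEPT rule for lo")
    return findings

# Constructed sample reproducing the reported mistake: REJECT-all before the Tor ACCEPT.
BROKEN = """*filter
:OUTPUT DROP [0:0]
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m owner --uid-owner foo -j ACCEPT
COMMIT"""
```

Run `lint()` over the output of `iptables-save` to check a live ruleset; the uid-owner ruleset from the reply above comes back clean.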