
Re: [tor-talk] Linux kernel transproxy packet leak (w/ repro case + workaround)



On Fri, Mar 28, 2014 at 5:34 PM, Mike Perry <mikeperry@xxxxxxxxxxxxxx> wrote:

> Here's a set of rules to try both --ctstate and --state invalid, as well
> as log which ones get hit, for testing purposes. Note the use of -A in
> this case, for readability wrt ordering. These rules should come before
> any other rule in the OUTPUT chain section of the firewall script you
> use:
>
> #iptables -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "Transproxy ctstate leak blocked: " --log-uid
> iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
> iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Transproxy state leak blocked: " --log-uid
> iptables -A OUTPUT -m state --state INVALID -j DROP
>
> iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j LOG --log-prefix "Transproxy leak blocked: " --log-uid
> iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j LOG --log-prefix "Transproxy leak blocked: " --log-uid
> iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
> iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
>
> It's likely only the first pair is needed, and you may want to comment
> out the --ctstate LOG line as I did to limit noise for successfully
> handled --ctstate INVALID DROP blocks.
>
> I did test this with the above repro method, and --ctstate INVALID did
> appear sufficient by itself, but reports of any --ctstate DROP rule
> bypass happening will be tremendously useful (which will result in the
> later LOG lines being hit, and sending output to 'dmesg').
>
>
I have an Ubuntu middlebox to torify. It uses TransListenAddress and
TransPort. One interface accepts incoming traffic that will be torified.
The connections to the tor network go out on the other interface, which can
access the internet unrestricted. I can't find the original directions I
used to set it up. The Torbox page I have commented in my config now says
it's been replaced by Whonix. I tried the wiki there but it doesn't load:
http://sourceforge.net/p/whonix/wiki/

Does what you're saying apply to a setup like mine? Thanks
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
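The LOG rules quoted above write a prefixed record, plus the owning UID from --log-uid, into the kernel log. As an added example that is not part of this thread, here is a small parser that reads such dmesg lines and separates hits on the INVALID rules from hits on the later --tcp-flags rules, which the thread says would only fire if a packet got past the --ctstate DROP. The sample log lines are constructed, not real captures.

```python
import re

# Log prefixes from the rules quoted above: the first two mean the INVALID rule
# caught the packet; the third fires only if one got past those DROP rules.
PREFIXES = {
    "Transproxy ctstate leak blocked: ": "ctstate",
    "Transproxy state leak blocked: ": "state",
    "Transproxy leak blocked: ": "bypass",
}
FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

# Constructed sample kernel-log lines (not real captures) in iptables LOG format.
SAMPLE_DMESG = [
    "[ 1203.441] Transproxy ctstate leak blocked: IN= OUT=eth0 SRC=192.0.2.10 "
    "DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP "
    "SPT=51234 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0 UID=1000 GID=1000",
    "[ 1203.442] Transproxy leak blocked: IN= OUT=eth0 SRC=192.0.2.10 "
    "DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP "
    "SPT=51234 DPT=443 WINDOW=0 RES=0x00 ACK FIN URGP=0 UID=1000 GID=1000",
    "[ 1204.001] unrelated kernel message",
]

def parse_leak_line(line):
    """Return a dict describing the hit, or None if no transproxy prefix."""
    hit = next(((p, r) for p, r in PREFIXES.items() if p in line), None)
    if hit is None:
        return None
    prefix, rule = hit
    rest = line.split(prefix, 1)[1]
    fields = dict(FIELD_RE.findall(rest))
    # TCP flags are logged as bare tokens without '=', e.g. "ACK FIN".
    flags = " ".join(t for t in rest.split() if t in TCP_FLAGS)
    return {"rule": rule, "out": fields.get("OUT", ""), "src": fields.get("SRC", ""),
            "dst": fields.get("DST", ""), "dpt": fields.get("DPT", ""),
            "flags": flags, "uid": fields.get("UID", "?")}  # UID= comes from --log-uid

def summarize(lines):
    """Count hits per rule; bypass events are the ones the thread asks to report."""
    counts = {"ctstate": 0, "state": 0, "bypass": 0}
    bypasses = []
    for ev in filter(None, map(parse_leak_line, lines)):
        counts[ev["rule"]] += 1
        if ev["rule"] == "bypass":
            bypasses.append(ev)
    return counts, bypasses
```

Feed it the output of `dmesg` (or the kernel log file) line by line; a non-zero bypass count is the report the thread is asking for.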