
[tor-talk] tor breaks after applying firewall



Hello all,

I have installed and run Tor natively on Ubuntu and also set
/etc/resolv.conf to 127.0.0.1, and DNS is running fine.

If I then apply my firewall, ping fails and there is no access to the internet.
Moreover, Tor breaks after some time with the following error:

(..)
[notice] Tor has not observed any network activity for the past 71
seconds. Disabling circuit build timeout recording.

[notice] Tried for 120 seconds to get a connection to [scrubbed]:0. Giving
up. (waiting for circuit)
[notice] Tried for 120 seconds to get a connection to [scrubbed]:0. Giving
up. (waiting for circuit)
[notice] Tried for 120 seconds to get a connection to [scrubbed]:0. Giving
up. (waiting for circuit)
(..)

Surely it is an iptables issue. I am giving it here. Can anyone suggest what
breaks my access?

## Flush all
iptables -F
iptables -X
iptables -t nat -F
iptables -t mangle -F

# Reset the iptables counters
iptables -Z
iptables -t nat -Z 2>/dev/null
iptables -t mangle -Z


iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#Allow unlimited traffic on the loopback interface
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Internal network connections are accepted.
iptables -A OUTPUT -d 127.0.0.0/255.0.0.0 -j ACCEPT

#Make sure NEW tcp connections are SYN packets
iptables -A INPUT  -p tcp ! --syn -m state --state NEW -j DROP

# tor
########

# Local network connections should be passed but DNS shall be
# rejected.
iptables -N lan
iptables -A lan -p TCP --dport domain -j REJECT
iptables -A lan -p UDP --dport domain -j REJECT
iptables -A lan -j ACCEPT


iptables -t nat -A OUTPUT ! -o lo -p tcp -m tcp -j REDIRECT --to-ports 9040
iptables -t filter -A OUTPUT -p tcp -m tcp --dport 9040 -j ACCEPT

iptables -t nat -A OUTPUT -p udp --dport 53 -m state --state NEW -j REDIRECT --to-ports 53
iptables -t filter -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT

# Everything else is dropped.
iptables -t filter -A OUTPUT ! -o lan -j DROP
}
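
Added example for readers of this thread (it is not the poster's script and not
taken from the Tor project): a transparent-proxy ruleset of the same shape, with
default-DROP policies, that shows the three things the posted rules leave out.
First, nothing exempts the Tor daemon's own sockets from the nat REDIRECT, so
Tor's connections to relays are sent back into its own TransPort; "-m owner
--uid-owner" handles that. Second, there is no ESTABLISHED,RELATED accept on
INPUT, so replies from relays hit the DROP policy. Third, "lan" is a chain, not
an interface, so "! -o lan" never consults it; the chain has to be reached with
"-d <net> -j lan". The script assumes the Debian/Ubuntu package user
"debian-tor" and the ports 9040 and 53 that the posted rules redirect to; run it
with no argument to print the rules, or with "apply" to load them.

```shell
#!/bin/sh
# Added example (not the original poster's script): transparent Tor proxy
# ruleset with default-DROP policies.  Assumptions not taken from the post:
# Tor runs as the Debian/Ubuntu package user "debian-tor", and torrc carries
# "TransPort 9040" and "DNSPort 53" (the ports the posted script redirects to).
# With no argument the commands are only printed; "apply" loads them.

IPT="${IPT:-iptables}"            # set IPT="echo iptables" for a dry run
TOR_UID="${TOR_UID:-debian-tor}"  # uid the Tor daemon runs as (assumption)
TRANS_PORT="${TRANS_PORT:-9040}"  # torrc TransPort
DNS_PORT="${DNS_PORT:-53}"        # torrc DNSPort
LAN_NETS="${LAN_NETS:-}"          # optional CIDRs reachable without Tor, e.g. "192.168.1.0/24"

tor_firewall() {
    # Start from a clean slate, as the posted script does.
    $IPT -F; $IPT -X; $IPT -t nat -F; $IPT -t nat -X
    $IPT -P INPUT DROP; $IPT -P OUTPUT DROP; $IPT -P FORWARD DROP

    # Loopback is always allowed; REDIRECTed packets are re-routed over lo.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to connections this host opened.  Without the INPUT rule, packets
    # coming back from Tor relays are discarded by the INPUT DROP policy.
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -p tcp ! --syn -m state --state NEW -j DROP

    # The Tor daemon itself must reach the network directly, so its sockets are
    # exempted from the REDIRECT below and accepted in filter.  Without the nat
    # RETURN, Tor's own relay connections are redirected into its TransPort.
    $IPT -t nat -A OUTPUT -m owner --uid-owner "$TOR_UID" -j RETURN
    $IPT -A OUTPUT -m owner --uid-owner "$TOR_UID" -j ACCEPT

    # Loopback traffic is never rewritten.
    $IPT -t nat -A OUTPUT -o lo -j RETURN

    # LAN bypass: reject DNS to the LAN, accept the rest.  The chain only does
    # anything because OUTPUT jumps to it for the listed destinations.
    $IPT -N lan
    $IPT -A lan -p tcp --dport 53 -j REJECT
    $IPT -A lan -p udp --dport 53 -j REJECT
    $IPT -A lan -j ACCEPT
    for net in $LAN_NETS; do
        $IPT -t nat -A OUTPUT -d "$net" -j RETURN
        $IPT -A OUTPUT -d "$net" -j lan
    done

    # Everything else: DNS to Tor's DNSPort, new TCP connections to TransPort.
    $IPT -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
    $IPT -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"

    # ICMP cannot be carried by Tor: either let ping leave in the clear, as the
    # posted rules do, or delete this line to have it dropped with the rest.
    $IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Whatever remains falls through to the DROP policy; log it (rate-limited)
    # so that the next "no access to internet" report shows what was blocked.
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT DROP: "
}

case "${1:-}" in
    apply) tor_firewall ;;
    *)     (IPT="echo iptables"; tor_firewall) ;;   # dry run: print the commands
esac
```

The dry run is worth reading before applying: the order of the nat OUTPUT rules
(owner RETURN, loopback RETURN, LAN RETURN, then the two REDIRECTs) is what
decides which sockets are proxied, and the LOG rule at the end of filter OUTPUT
turns a silent DROP policy into a kernel log line per blocked connection.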


_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk