
Re: [tor-talk] iptables rules

On 10/20/2014 06:09 PM, Elrippo wrote:
> Try https://elrippoisland.net/public/how_to/anonymity.html

hmm, there are some issues with the proposed iptables rules…
I'd rather read Mike's blog post[1] and take his scripts in order to
lock the OUTPUT chain for good, allowing only debian-tor user traffic to go
out. Sadly you won't be able to filter out traffic as on Android, as
most of the applications will run with your own user. But Tor does have
its dedicated user, so some magic is still possible in order to prevent
any leak.

Something like that *should* be OK:

# lock down network (default policies: drop everything not explicitly allowed)
ipt=/sbin/iptables        # assumed path to the iptables binary
DNSPROXY=5353             # assumed value: tor's DNSPort from torrc
TRANSPROXY=9040           # assumed value: tor's TransPort from torrc
$ipt -P OUTPUT DROP
$ipt -P INPUT DROP
$ipt -P FORWARD DROP

# allow local connections
$ipt -I OUTPUT -o lo -j ACCEPT
$ipt -I INPUT -i lo -j ACCEPT
# allow debian-tor outputs (the only uid permitted to reach the network)
$ipt -I OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
# allow related/established incoming
$ipt -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept the redirected client connections on tor's local ports; without
# these the INPUT DROP policy discards them right after the REDIRECT below
$ipt -I INPUT ! -i lo -p udp --dport $DNSPROXY -j ACCEPT
$ipt -I INPUT ! -i lo -p tcp --dport $TRANSPROXY -j ACCEPT

# redirect DNS traffic arriving from other hosts (PREROUTING never sees
# locally generated packets)
$ipt -t nat -I PREROUTING ! -i lo -p udp --dport 53 -j REDIRECT \
    --to-ports $DNSPROXY
# redirect tcp to transproxy
$ipt -t nat -I PREROUTING ! -i lo -p tcp --syn -j REDIRECT \
    --to-ports $TRANSPROXY

more or less. I don't have the whole thing in my head, and my script is at
home.

Use with care, as it might as well lock you out ;).
You should also add the DNSProxy and TransProxy settings to your torrc.

Cheers,

C.

[1]
https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy

> 
> On 20 October 2014 17:52:18 MESZ, Robert Watson <robert@xxxxxxxxxxxxxxx> wrote:
>> could someone please clarify a question I have about configuring tor &
>> iptables.  I'm using a dual nic centos server with squid/privoxy/tor
>> behind an ISP router.  My internet nic (eth0) gets a dhcp address so I
>> wasn't sure how to set SocksBindAddress to the eth0 address?  Is there a
>> SocksBindAdapter setting available?
>> My tor.conf:
>> SocksPort 9150  #privoxy socks5 port
>> SocksBindAddress 127.0.0.1
>> SocksPolicy accept 127.0.0.1
>> SocksPolicy reject *
>> AllowUnverifiedNodes middle,rendezvous
>> Log notice syslog
>> RunAsDaemon 1
>> User tor
>> CircuitBuildTimeout 30
>> NumEntryGuards 6
>> KeepalivePeriod 60
>> NewCircuitPeriod 15
>> DataDirectory /var/lib/tor
>> PidFile /var/run/tor/tor.pid
>> Log notice file /var/log/tor/tor.log
>>
>> I was thinking I would have to forward eth0:9050 to lo:9050 with these
>> rules:
>> -A FORWARD -i lo -o eth0 -p tcp --dport 9050  -j ACCEPT
>> -A FORWARD -i eth0 -o lo -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
>> Any advice would be appreciated.
>> Robert
>> --
>> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
>> To unsubscribe or change other settings go to
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> 
> 

-- 
Jeanneret Internux
Services Informatiques
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
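A ruleset like the one in the reply above is only worth something if it is still intact on the running box, so here is an added example (not code from the thread, Mike's blog post or the Tor project) that audits an `iptables-save` dump for the properties the rules are meant to guarantee: every filter chain defaults to DROP, no OUTPUT rule can pass traffic unless it is scoped to `lo` or to Tor's uid, and the nat REDIRECTs actually land on the `DNSPort` and `TransPort` configured in torrc. The torrc fragment, the dump and the uid 106 used for debian-tor are all constructed for the example; the dump carries one deliberate leak (a blanket ACCEPT for tcp/443 in OUTPUT) so the check has something to find. Note that `iptables-save` records the numeric uid rather than the user name, so on a real system pass both the name and the output of `id -u debian-tor`.

```python
import sys

# Constructed torrc fragment: the two options whose ports the REDIRECT
# rules must target (addr:port form is allowed, the address is stripped).
SAMPLE_TORRC = """\
User debian-tor
TransPort 0.0.0.0:9040
DNSPort 0.0.0.0:5353
"""

# Constructed iptables-save dump. uid 106 is an assumed numeric uid for
# debian-tor. The last OUTPUT rule is a deliberate leak: any uid may talk
# to tcp/443 directly, bypassing Tor.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 106 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""


def parse_iptables_save(dump):
    """Return {table: {"policies": {chain: policy}, "rules": [(chain, tokens)]}}."""
    tables, table = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                 # *filter, *nat, ...
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":"):               # :CHAIN POLICY [pkts:bytes]
            name, policy = line[1:].split()[:2]
            tables[table]["policies"][name] = policy
        elif line.startswith("-A "):             # -A CHAIN <match and target tokens>
            tokens = line.split()
            tables[table]["rules"].append((tokens[1], tokens[2:]))
    return tables


def opt(tokens, flag):
    """Value following `flag`, or None if it is absent or negated with a leading '!'."""
    if flag not in tokens:
        return None
    i = tokens.index(flag)
    return None if i > 0 and tokens[i - 1] == "!" else tokens[i + 1]


def torrc_ports(torrc):
    """Map TransPort/DNSPort to their port numbers."""
    ports = {}
    for line in torrc.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("TransPort", "DNSPort"):
            ports[parts[0]] = int(parts[1].rsplit(":", 1)[-1])
    return ports


def audit(dump, torrc, tor_owner=("debian-tor",)):
    """Return a list of findings; an empty list means the Tor-only policy holds."""
    tables = parse_iptables_save(dump)
    empty = {"policies": {}, "rules": []}
    filt, nat = tables.get("filter", empty), tables.get("nat", empty)
    findings = []
    # 1. Default-deny on every filter chain.
    for chain in ("INPUT", "OUTPUT", "FORWARD"):
        policy = filt["policies"].get(chain)
        if policy != "DROP":
            findings.append(f"filter {chain} policy is {policy}, expected DROP")
    # 2. Any OUTPUT rule that can pass traffic must be scoped to lo or Tor's uid.
    for chain, tokens in filt["rules"]:
        target = opt(tokens, "-j")
        if chain != "OUTPUT" or target in (None, "DROP", "REJECT", "LOG"):
            continue
        if not (opt(tokens, "-o") == "lo" or opt(tokens, "--uid-owner") in tor_owner):
            findings.append("OUTPUT rule allows non-Tor egress: " + " ".join(tokens))
    # 3. DNS and TCP must be redirected to the ports tor actually listens on.
    ports, redirects = torrc_ports(torrc), set()
    for chain, tokens in nat["rules"]:
        if chain in ("PREROUTING", "OUTPUT") and opt(tokens, "-j") == "REDIRECT":
            redirects.add((opt(tokens, "-p"), opt(tokens, "--dport"), opt(tokens, "--to-ports")))
    dns, trans = ports.get("DNSPort"), ports.get("TransPort")
    if ("udp", "53", str(dns)) not in redirects:
        findings.append(f"no REDIRECT of udp/53 to torrc DNSPort {dns}")
    if not any(p == "tcp" and to == str(trans) for p, _, to in redirects):
        findings.append(f"no REDIRECT of tcp to torrc TransPort {trans}")
    return findings


if __name__ == "__main__":
    # Live use: iptables-save | python3 tor_egress_audit.py
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for f in audit(dump, SAMPLE_TORRC, tor_owner=("debian-tor", "106")) or ["OK: egress limited to lo and Tor"]:
        print(f)
```

Run against the constructed dump it reports exactly one finding, the tcp/443 rule; drop that rule and it reports nothing. The redirect check looks at both `PREROUTING` and the nat `OUTPUT` chain, since the posted rules only redirect in `PREROUTING` (traffic from other hosts) and a setup that also redirects the box's own non-Tor processes would add the same REDIRECTs to nat `OUTPUT`. Any jump to a user-defined chain in filter OUTPUT is flagged rather than followed, which is deliberate: a hand-audited lockdown should not need indirection.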