
Re: [tor-relays] iptables changes required to advertise on 80 and 443 and bind to different ports.



On 2013-10-13 06:42, Tor Operator wrote:

> My current iptables looks like this:
> 
> # Generated by iptables-save v1.4.7 on Sat Oct 12 13:52:47 2013
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
> -A INPUT -p icmp -j ACCEPT 
> -A INPUT -i lo -j ACCEPT 
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
> -A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT 
> -A INPUT -p tcp -m tcp --dport 9030 -j ACCEPT 
> -A INPUT -j REJECT --reject-with icmp-host-prohibited 
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited 
> -A OUTPUT -j ACCEPT 
> COMMIT

What are the real listening ports of Tor?

> I tried adding the following rules without success:
> 
> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-ports 10091
> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 443 -j REDIRECT --to-ports 10090

These rules look ok, but if you use ports 10090/10091 you have to enable
them too (not 9001/9030 like above):

   iptables -A INPUT -p tcp -m tcp --dport 10090 -j ACCEPT
   iptables -A INPUT -p tcp -m tcp --dport 10091 -j ACCEPT

Verify that Tor is listening on the desired port:

   'netstat -plnt|grep tor'

Check your 'torrc' for the following lines:

   ORPort 443
   ORListenAddress 0.0.0.0:10090
   DirPort 80
   DirListenAddress 0.0.0.0:10091

And - like elrippo said: the iptables policy should be 'DROP':

   iptables -P INPUT DROP
   iptables -P FORWARD DROP
   iptables -P OUTPUT DROP

Check it out: 'iptables -L -nv'.

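As an added example (not from this thread), a small shell check for the point made above: it reads the ORListenAddress/DirListenAddress ports from a torrc and confirms that each one has an explicit INPUT ACCEPT rule in an iptables-save dump, since the nat REDIRECT alone does not open the real listen ports. The torrc and the rule dump below are constructed samples; on a real relay you would point it at /etc/tor/torrc and the output of `iptables-save`.

```shell
#!/bin/sh
# Added example, not code from the tor-relays thread. Checks that every port Tor
# really listens on (the *ListenAddress ports) is accepted by the INPUT chain.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed torrc: advertise 443/80, listen on unprivileged 10090/10091
cat >"$WORK/torrc" <<'EOF'
ORPort 443
ORListenAddress 0.0.0.0:10090
DirPort 80
DirListenAddress 0.0.0.0:10091
EOF

# Constructed iptables-save output: REDIRECTs are present, but INPUT only
# accepts 10090; the DirPort listener on 10091 was forgotten
cat >"$WORK/rules" <<'EOF'
*nat
-A PREROUTING -p tcp -i eth0 --dport 443 -j REDIRECT --to-ports 10090
-A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-ports 10091
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10090 -j ACCEPT
COMMIT
EOF

# Ports from ORListenAddress / DirListenAddress lines, one per line
listen_ports() {
    awk '$1 ~ /^(OR|Dir)ListenAddress$/ { sub(/.*:/, "", $2); print $2 }' "$1"
}

# Ports that have an explicit "-A INPUT ... --dport N ... -j ACCEPT" rule
accepted_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && / --dport / && / -j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i+1) }' "$1"
}

# Report each listen port lacking an INPUT ACCEPT rule; return 1 if any is missing
check_firewall() {
    missing=0
    for p in $(listen_ports "$1"); do
        if ! accepted_ports "$2" | grep -qx "$p"; then
            echo "listen port $p has no INPUT ACCEPT rule"
            missing=1
        fi
    done
    return $missing
}

check_firewall "$WORK/torrc" "$WORK/rules" && echo "all Tor listen ports are accepted"
```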

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays