
Re: Tor/Iptables Question



I've run into a problem. My model is that a user "torify" has all
traffic forwarded to localhost. From there, it should all be dropped
except connections to privoxy (port 8118). It all works up until the
last iptables command. I assume this is blocking all incoming traffic,
including traffic I've initiated, but I could be interpreting it wrong.
I can't connect to any websites, but I can send requests out. Is there
anything obvious I'm missing or something I should add?

#allow connections to privoxy
iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner torify \
    -j ACCEPT
#allow connections to Tor
iptables -A OUTPUT -o lo -p tcp --dport 9050 -j ACCEPT
#re-route all outbound traffic to localhost
iptables -t nat -A OUTPUT -m owner --uid-owner torify -j DNAT \
    --to-destination 127.0.0.1
#drop all traffic to localhost from localhost
iptables -A OUTPUT -o lo -p tcp -m owner --uid-owner torify -j REJECT
#allow Tor to access hidden service, virtual machine
iptables -A OUTPUT -o lo -p tcp --dport 8888 -j ACCEPT
#disallow all external incoming connections
iptables -A INPUT -p TCP -j DROP

Thanks for any help you all can offer. I know this stuff may seem basic
to a lot of people but it's complicated for me and I'm trying to help
hidden service operators here who know even less than I.

Ringo

Kyle Williams wrote:
> I believe if you just remove --dport, then everything (all ports) is
> assumed.
> 
> On Wed, Aug 19, 2009 at 1:01 PM, Ringo <2600denver@xxxxxxxxx> wrote:
> 
>> "I prevent all users other than root from connecting to the Tor Control
>> port with an
>>> iptables rule which looks like this:
>>>
>>> iptables -A OUTPUT -o lo -p tcp --dport 9051 -m owner ! --uid-owner
>> root -j REJECT"
>>
>> Thanks! That should work perfectly. Is there any way to make dport a
>> wildcard?
>>
>> Ringo
>>
>