
Re: [tor-talk] Tor and iptables.



Excuse me, must I allow input to my system? That is so bad :( I don't like to allow everyone.



On Sunday, December 11, 2016 2:44 AM, Jonathan Marquardt <mail@xxxxxxxxxxxx> wrote:
You always need to allow some input as well in order for the Tor guard node to 
talk to your computer. Stateful Inspection is used for this. Here's a complete 
ruleset to accomplish what you asked for. All output is allowed, but no input, 
except if it belongs to some output your computer previously did.

# Stateful inspection for input and output
iptables -A INPUT -j ACCEPT -m state --state RELATED,ESTABLISHED
iptables -A OUTPUT -j ACCEPT -m state --state RELATED,ESTABLISHED

# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Reject any other input
iptables -A INPUT -j REJECT

# Accept all output
iptables -A OUTPUT -j ACCEPT

Note that you also want to account for IPv6 using ip6tables. It depends on your 
network though.
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
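
Added example, not part of the original thread: the ruleset above written in iptables-restore format for both IPv4 and IPv6, so each family loads atomically. The function names are hypothetical, and the ICMPv6 lines assume a host on an ordinary IPv6 LAN, where neighbour discovery is not matched by RELATED,ESTABLISHED and would otherwise hit the final REJECT.

```shell
#!/bin/sh
# Added example: emit the thread's ruleset in iptables-restore format.
# tor_client_rules 4 -> IPv4 ruleset, tor_client_rules 6 -> IPv6 ruleset.
tor_client_rules() {
    family=$1
    echo '*filter'
    # Chain policies stay ACCEPT as in the original commands; the REJECT
    # rule at the end of INPUT is what blocks unsolicited traffic.
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Only packets belonging to connections this host opened (for example
    # to the Tor guard) match here; new inbound connections do not.
    echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    echo '-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    if [ "$family" = 6 ]; then
        # Assumption: router advertisement (134, needed for SLAAC) and
        # neighbour solicitation/advertisement (135, 136) must get through,
        # otherwise IPv6 address resolution on the link stops working.
        for t in 134 135 136; do
            echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
        done
    fi
    echo '-A INPUT -j REJECT'
    echo '-A OUTPUT -j ACCEPT'
    echo 'COMMIT'
}

# Load both families. Needs root, and replaces the existing filter table
# (the original commands append to it instead).
apply_tor_client_rules() {
    tor_client_rules 4 | iptables-restore &&
    tor_client_rules 6 | ip6tables-restore
}

# Line number of the first rule containing the fixed string $2 in family $1.
# Rules are evaluated top to bottom, so ACCEPTs must come before the REJECT.
rule_pos() {
    tor_client_rules "$1" | grep -nF -- "$2" | head -n 1 | cut -d: -f1
}

case "${1:-}" in
    show)  tor_client_rules 4; tor_client_rules 6 ;;
    apply) apply_tor_client_rules ;;
esac
```

Run it with `show` to review the generated rules before running it with `apply` as root.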