
Re: [tor-talk] Tor and iptables.



On 12/11/2016 11:44 PM, Jonathan Marquardt wrote:
> On Sun, Dec 11, 2016 at 11:33:23PM -0700, Mirimir wrote:
>> On 12/10/2016 07:16 AM, Jason Long wrote:
>>> Hello.
>>> I'd like to close all INPUT connections via iptables, but I'd like to use Tor Browser. Then which port(s) must be open?
>>>
>>> -A OUTPUT -p tcp -m tcp --dport 9151 -j ACCEPT
>>>
>>>
>>> Is it enough? How about "INPUT"? Must I open any input port too?
>>>
>>> Thank you.
>>
>> You only need to allow input and output for the tor process. And input
>> for SSH, if you need that. Plus related/established, of course.
>>
>> In Debian, run "id -u debian-tor". Then use that number (typically 108)
>> in an output rule. Tor input is allowed by related/established.
>>
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -j DROP
>>
>> -A OUTPUT -i lo -j ACCEPT
>> -A OUTPUT -m owner --uid-owner 108 -j ACCEPT
>> -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A OUTPUT -j DROP
>>
> 
> OP is running Tor Browser, not the typical Debian Tor setup. So "id -u 
> debian-tor" won't work. I assume that he's running Tor Browser as his normal 
> user.

Oops. Sorry. I'm used to straight Tor and Whonix. So how does one lock
down Tor using Tor browser?

> Also: "-A OUTPUT -i lo -j ACCEPT" is neither a valid rule, nor is it 
> necessary, since loopback traffic is already allowed at input and stateful 
> inspection is enabled both ways.

Not valid? It works for me. And by default, I drop all input, output and
forward.
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk