Re: [tor-talk] Tor and iptables.
On 12/12/2016 03:35 AM, Jason Long wrote:
> can anyone edit my rules and tell me what is my problem?
You asked "What is my problem? Why I can't use "obfs4" ?"
The problem, I think, is that you reject everything ...
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
... before allowing Tor traffic. So Tor can't connect.
Unless you run Tor as a specific user, there's no elegant way to
restrict output. You could have a rule allowing output to directory
servers and your bridges. Beyond authorities, I'm not sure how many
directory servers you'd need. Maybe some kind person can provide a
minimal list of directory server IPs.
Also, there's no need to allow any input, except loopback and
related/established, because Tor is handling everything. So with Tor
running as user, just use this:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# optional: allow SSH in
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
If you want to add output rules for Tor servers, and block all other
output (which is good to prevent leaks):
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
# optional: allow SSH in
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
# repeat for all needed servers
-A OUTPUT -d w.x.y.z -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP
COMMIT
And if you run Tor with a special user with uid foo:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
# optional: allow SSH in
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner foo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP
COMMIT
> On Monday, December 12, 2016 1:23 AM, Jonathan Marquardt <mail@xxxxxxxxxxxx> wrote:
>
>
> On Mon, Dec 12, 2016 at 01:52:22AM -0700, Mirimir wrote:
>> Sorry about missing the typo in my initial reply. It _was_ an invalid
>> rule. But accepting lo is necessary with default deny, right?
>
> Yes, sorry, you're right. My bad.
>
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
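The mistake diagnosed in the reply above (a blanket REJECT in OUTPUT placed before the rule that was supposed to let Tor out) can be caught mechanically before the ruleset is loaded. The following checker is an added example, not code from the thread or from the Tor project: it parses iptables-save format and reports rules that sit after an unconditional terminating rule in the same chain, since those can never match. The sample dump and the user name foo are constructed to mirror the reply.

```python
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

def parse_rules(text):
    """Yield (chain, args) for each -A line of an iptables-save dump; table
    markers, :CHAIN policy lines, COMMIT and '#' comments are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("-A "):
            tokens = shlex.split(line)
            yield tokens[1], tokens[2:]

def is_unconditional(args):
    """True when a rule has no match at all, only '-j TARGET' (REJECT may add
    --reject-with): every packet reaching it is decided there."""
    target, i = None, 0
    while i < len(args):
        if args[i] == "-j":
            target = args[i + 1]
        elif args[i] != "--reject-with":
            return False  # any match option (-o, -m, -d, ...) makes it conditional
        i += 2
    return target in TERMINATING

def shadowed_rules(text):
    """Return [(chain, rule)] for rules placed after an unconditional
    terminating rule in the same chain; they can never match."""
    blocked, findings = set(), []
    for chain, args in parse_rules(text):
        if chain in blocked:
            findings.append((chain, " ".join(args)))
        elif is_unconditional(args):
            blocked.add(chain)
    return findings

# Constructed dump reproducing the mistake the reply describes: a blanket
# REJECT in OUTPUT comes before the rule meant to let the Tor user out.
BROKEN = """*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m owner --uid-owner foo -j ACCEPT
COMMIT
"""

print(shadowed_rules(BROKEN))
# [('OUTPUT', '-m owner --uid-owner foo -j ACCEPT')]
```

Run it over the output of iptables-save (or the file you intend to feed to iptables-restore); an empty list means no rule is shadowed, and the owner-based ruleset from the reply, with its unconditional DROP last, passes cleanly.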