On Sun, 2011-02-13 at 15:41 +0100, tagnaq wrote:
> On 02/13/2011 03:20 PM, Tomasz Moskal wrote:
> > Do I have to use AutomapHostsOnResolve 1 as well? Seems to be pointless
> > without defining AutomapHostsSuffixes.
>
> No, it is not pointless, because even if you do not use
> AutomapHostsSuffixes in your config, ".exit" and ".onion" are
> AutomapHostsSuffixes by default.
>
> > One more question: will those rules route all UDP traffic to port 53 or
> > just DNS requests? What will happen with UDP not relating to DNS?
>
> The UDP rules in the LocalRedirectionThroughTor section:
> https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy#LocalRedirectionThroughTor
>
> redirect only UDP packets with destination port 53 (usually DNS
> requests) to the DNSPort. All other outgoing UDP traffic is
> blocked/rejected with the last rule:
> iptables -A OUTPUT -j REJECT
>
> The penultimate rule:
> iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
> would allow a program running with the $TOR_UID to send UDP traffic.
>
> I would suggest adding -p tcp to that rule.

OK, so to wrap it all up, the last (hopefully!) couple of questions...

iptables script/rule set:

#!/bin/sh
# the UID Tor runs as
TOR_UID="109"

iptables -F
iptables -t nat -F

# Let Tor's own packets leave untouched; otherwise its own DNS lookups
# would be redirected back into its own DNSPort
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
# Redirects DNS traffic to the local port 53 (Tor's DNSPort)
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53

# A redirected packet is now addressed to 127.0.0.1, so loopback has to be
# accepted here or the REJECT below throws the redirected DNS away
iptables -A OUTPUT -o lo -j ACCEPT
# Allow a program running with the $TOR_UID to send UDP traffic
iptables -A OUTPUT -p udp -m owner --uid-owner $TOR_UID -j ACCEPT
# Block/reject all other outgoing UDP traffic (TCP is not touched)
iptables -A OUTPUT -p udp -j REJECT

And for the questions:

On my machine Tor seems to have a different UID after each restart (at least this is what "ps -A | grep -w tor" tells me). How can I force it to always use the same UID?
According to this thread <http://ubuntuforums.org/showthread.php?t=800066a> I can't change it when Tor is already running, so my guess is I should force it to use the chosen UID before it even starts.

I couldn't find anything in man iptables about "-m owner" - should I replace owner with my login, or is it there to match Tor through --uid-owner $TOR_UID?

Will the last rule, blocking all outgoing UDP traffic, mean that applications which depend on it won't work? I'm running Wireshark now, and by filtering it to show just UDP traffic I can see (among other confusing things) that Dropbox is using UDP for "Dropbox LAN sync Discovery Protocol". Am I correct in thinking that implementing the rule in question means that Dropbox (and other UDP-dependent applications) will stop working or have "crippled" functionality? I probably should mention that I'm running Dropbox through "usewithtor" and my torrc contains those two lines:

SocksPort 9050
SocksListenAddress 127.0.0.1

-- 
Tomasz Moskal <ramshackle.industries@xxxxxxxxx>
Encrypted mail preferred. Key ID: 2C323C82
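An added example, not from the thread or the Tor wiki: a dry-run builder for a DNS-only redirection ruleset that looks Tor's UID up by account name at run time (the account is assumed to be debian-tor, the Debian/Ubuntu package default, with 109 as a constructed fallback for hosts where it does not exist), plus a small evaluator that walks the same rules so the fate of each kind of traffic can be checked without root. It goes beyond the script above in two places: Tor's own packets skip the nat redirect, and loopback is accepted in the filter chain so the redirected DNS is not rejected. The sample packets (a LAN-sync style discovery datagram on UDP 17500, a destination of 198.51.100.1) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the poster's script): build the DNS-to-Tor ruleset as
# text and evaluate sample packets against it, without root.
# Assumptions: Tor runs as the account "debian-tor" (Debian/Ubuntu default),
# DNSPort 53 is configured in torrc, and 109 is a constructed fallback UID
# for hosts where the account does not exist.

TOR_USER="debian-tor"

# Look the UID up by name each time the rules are built, so a UID that
# differs between installs never has to be edited into the script.
tor_uid() {
    id -u "$TOR_USER" 2>/dev/null || echo 109
}

# Print the rules in order. To apply them:  tor_rules | sudo sh
tor_rules() {
    uid=$(tor_uid)
    cat <<EOF
iptables -F
iptables -t nat -F
# nat: Tor's own packets are left alone (its startup DNS lookups would
# otherwise loop back into its own DNSPort); everyone else's DNS goes there
iptables -t nat -A OUTPUT -m owner --uid-owner $uid -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
# filter: a REDIRECTed packet is now addressed to 127.0.0.1, so loopback
# must be accepted here or the REJECT below discards the redirected DNS
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p udp -m owner --uid-owner $uid -j ACCEPT
# only UDP is rejected; TCP is left to the SocksPort/usewithtor setup
iptables -A OUTPUT -p udp -j REJECT
EOF
}

# Walk the same rules for one locally generated packet.
# verdict PROTO DPORT SENDER_UID [DST]   ->   REDIRECT | ACCEPT | REJECT
verdict() {
    proto=$1; dport=$2; uid=$3; dst=${4:-198.51.100.1}; tuid=$(tor_uid)
    # nat OUTPUT: RETURN for Tor, REDIRECT for anyone else's UDP/53; the
    # redirected packet then hits the loopback rule in filter OUTPUT
    if [ "$uid" != "$tuid" ] && [ "$proto" = udp ] && [ "$dport" = 53 ]; then
        echo REDIRECT
        return 0
    fi
    # filter OUTPUT, rule by rule
    case $dst in
        127.*) echo ACCEPT; return 0 ;;                         # -o lo
    esac
    if [ "$proto" != udp ]; then echo ACCEPT; return 0; fi      # no rule touches TCP
    if [ "$uid" = "$tuid" ]; then echo ACCEPT; return 0; fi     # Tor's own UDP
    echo REJECT                                                 # all other UDP
}

# Demonstration: what each kind of traffic does under these rules.
tor_rules
echo "---"
echo "user DNS query    (udp/53,    uid 1000): $(verdict udp 53 1000)"
echo "Tor's own DNS     (udp/53,    tor uid):  $(verdict udp 53 "$(tor_uid)")"
echo "LAN sync bcast    (udp/17500, uid 1000): $(verdict udp 17500 1000 192.168.1.255)"
echo "browser via SOCKS (tcp/9050 to lo):      $(verdict tcp 9050 1000 127.0.0.1)"
echo "direct TCP        (tcp/443,   uid 1000): $(verdict tcp 443 1000)"
```

The evaluator shows the consequence of the last rule directly: a non-DNS UDP datagram from an ordinary user, such as a LAN discovery broadcast, is rejected, while DNS is redirected and TCP is unaffected. On the owner match itself: `-m owner` loads the owner match extension (documented in `man iptables` on 2011-era releases and in `man iptables-extensions` on newer ones), and `--uid-owner` accepts either a numeric UID or an account name, so `--uid-owner debian-tor` works directly and the lookup in `tor_uid` is a convenience rather than a requirement.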