Re: Torlock - a simple script to prevent outgoing packets from bypassing Tor.
This may be interesting for you as well: this is what iptables-save produces on an Amnesia system:
# Generated by iptables-save v1.4.2 on Mon Mar 1 18:22:07 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [133:8080]
:OUTPUT ACCEPT [134:8341]
-A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -d 10.0.0.0/8 -j RETURN
-A OUTPUT -d 172.16.0.0/12 -j RETURN
-A OUTPUT -d 127.0.0.0/9 -j RETURN
-A OUTPUT -d 127.128.0.0/10 -j RETURN
-A OUTPUT -m owner --uid-owner debian-tor -j RETURN
-A OUTPUT -p tcp -m owner --uid-owner ntpdate -m tcp --dport 123 -j RETURN
-A OUTPUT -p udp -m owner --uid-owner ntpdate -m udp --dport 123 -j RETURN
-A OUTPUT -p tcp -m owner --uid-owner ntpdate -m tcp --dport 53 -j RETURN
-A OUTPUT -p udp -m owner --uid-owner ntpdate -m udp --dport 53 -j RETURN
-A OUTPUT -d 127.192.0.0/10 -p tcp -m tcp -j DNAT --to-destination 127.0.0.1:9040
-A OUTPUT -o ! lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DNAT --to-destination 127.0.0.1:9040
COMMIT
# Completed on Mon Mar 1 18:22:07 2010
# Generated by iptables-save v1.4.2 on Mon Mar 1 18:22:07 2010
*filter
:INPUT ACCEPT [15615:7102432]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -j ACCEPT
-A OUTPUT -d 172.16.0.0/12 -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner ntpdate -m tcp --dport 123 -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner ntpdate -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner ntpdate -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner ntpdate -m udp --dport 53 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon Mar 1 18:22:07 2010
They allow NTP connections since Tor really likes an accurate date/time.
They also do some .onion-related stuff that I don't get (this might be
the 172.16.0.0/12?)
I don't know much about iptables and Linux in general, but maybe this
helps.
M.K.
On Monday, 01.03.2010, 15:04 +0000, Irratar wrote:
> Hello.
>
> I have created a simple Bash script to prevent any data from bypassing Tor
> when Tor is running. I started it to use just for myself, but now I think
> it will be better to share it with other users of Tor.
>
> This script, named Torlock, does the following things when used to start Tor:
> - Creates a special user named torlock by default (if you run it for the first time
> or have removed that user after a previous Tor session).
> - Uses iptables to block network access for everyone except for torlock.
> - Setuids to torlock and starts Tor. Tor will be started in background mode,
> and its output redirected to a file.
>
> When used to stop Tor, it stops Tor, unlocks network access, and (optionally)
> removes torlock user.
>
> More information is in the included text file. Even more can be obtained by reading
> the script. It is small, simple, and easy to make sure it's not
> backdoored. The script can be downloaded from Sourceforge:
> http://sourceforge.net/projects/torlock/files/
>
> In spite of its simplicity, Torlock saved me at least twice when I forgot to
> switch Torbutton on.
>
> With best regards,
> Irratar.
> ***********************************************************************
> To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
> unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
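Added example (my own code, not from the mail, Amnesia or Torlock): a Python auditor that parses iptables-save output like the dump above and checks the property both rulesets aim for, namely that only Tor's uid, explicitly owner-scoped helpers such as ntpdate, local destinations and reply traffic may leave the host, with everything else refused. The sample ruleset is a constructed, shortened copy of the dump's filter table; the uid name debian-tor is taken from it.

```python
import ipaddress
import shlex
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: a shortened copy of the Amnesia filter table quoted in the mail.
AMNESIA_RULES = """\
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner ntpdate -m udp --dport 123 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

def parse_iptables_save(text):
    """Map table name -> (chain policies, [(chain, rule argv)]) from iptables-save output."""
    tables, cur = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], ({}, []))
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            cur[0][chain] = policy
        elif line.startswith("-A "):
            argv = shlex.split(line)
            cur[1].append((argv[1], argv[2:]))
    return tables

def _opt(argv, flag):
    return argv[argv.index(flag) + 1] if flag in argv else None  # value after flag, or None

def audit_tor_firewall(text, tor_uid="debian-tor"):
    """Return findings; an empty list means only Tor and owner-scoped helpers can leave."""
    findings = []
    policies, rules = parse_iptables_save(text).get("filter", ({}, []))
    out = [argv for chain, argv in rules if chain == "OUTPUT"]
    # Unmatched traffic must be refused: a terminal REJECT/DROP rule or a DROP chain policy.
    if policies.get("OUTPUT") != "DROP" and (not out or _opt(out[-1], "-j") not in ("REJECT", "DROP")):
        findings.append("filter OUTPUT is fail-open: no terminal REJECT/DROP and policy is not DROP")
    if not any(_opt(a, "-j") == "ACCEPT" and _opt(a, "--uid-owner") == tor_uid for a in out):
        findings.append(f"no ACCEPT for uid {tor_uid}: Tor itself could not reach the network")
    # Every ACCEPT not tied to an owner must target a local net or be reply traffic only.
    for a in (r for r in out if _opt(r, "-j") == "ACCEPT" and not _opt(r, "--uid-owner")):
        dst = _opt(a, "-d")
        local = dst is not None and any(ipaddress.ip_network(dst).subnet_of(n) for n in LOCAL_NETS)
        if not local and _opt(a, "--state") != "RELATED,ESTABLISHED":
            findings.append("unscoped ACCEPT in filter OUTPUT: " + " ".join(a))
    return findings
```

Run `audit_tor_firewall(open("/path/to/iptables-save.txt").read())` against a real dump; a non-empty list points at the rule that lets traffic bypass Tor.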