
Re: Iptables configuration for a transparent proxy for a singleuser



unknown wrote:
> 
> INET_IFACE=eth0 #our internet interface
> 
> $IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 9050 -j DROP
> $IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 9040 -j DROP
> $IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 53 -j DROP
> $IPTABLES -A INPUT -i $INET_IFACE -p UDP --dport 53 -j DROP
> # Block incoming traffic for these ports from outside.
> # Tor already ignores non-local connections by default.
> ####
> 
> $IPTABLES -t nat -A OUTPUT -o lo -j RETURN
> $IPTABLES -t nat -A OUTPUT -d 127.0.0.1 -j RETURN
> # Pass direct connections to localhost services.
> # We can try using privoxy first before redirecting unfiltered traffic to Tor.
> ####
> 
> TOR_UID=debian-tor
> #see tor uid in file:
> #tor:x:XXX:YYY::/var/lib/tor)
> 
> $IPTABLES -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
> $IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner tornet_user -m tcp --syn  \
> -j REDIRECT --to-ports 9040
> $IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner tornet_user -m udp --dport 53  \
> -j REDIRECT --to-ports 53
> $IPTABLES -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
> # Transparent redirection of the traffic to Tor for tornet_user
> ####
> 
> # $IPTABLES -t nat -A OUTPUT -m owner --uid-owner tornet_user -j DROP
> # This rule will not work anymore in new iptables.
> ####
> 
> $IPTABLES -t nat -A OUTPUT -m owner --uid-owner tornet_user -j DNAT \
> --to-destination 127.0.0.1
> # Use DNAT instead of nat.
> # Any traffic from tornet_user that is not redirected to Tor is redirected to localhost.
> # If no service on localhost can accept this traffic, then these packets die quietly on our localhost.
> 
> I tested these rules with a sniffer and cannot see any DNS leakage, and everything works fine.
> Any possible vulnerabilities here?

Rather than just DNATing all un-REDIRECTed traffic of tornet_user to
local host, I wonder whether it would be safer to direct udp & tcp
traffic to a particular port where you explicitly DROP (or REJECT) it.
Something along the lines of:

DROPDEAD=12345
$IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner tornet_user \
   -j REDIRECT --to-port $DROPDEAD
$IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner tornet_user \
   -j REDIRECT --to-port $DROPDEAD
$IPTABLES -t nat -A OUTPUT -m owner --uid-owner tornet_user \
   -j REDIRECT

$IPTABLES -A INPUT -p tcp --dport $DROPDEAD -j DROP
$IPTABLES -A INPUT -p udp --dport $DROPDEAD -j DROP

(BTW, DNATing to localhost for a locally generated packet is the same as
REDIRECT.)

Also, it looks to me like the following rule is not needed, as any
packets that would match have already been RETURNed.

$IPTABLES -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
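Putting the two messages together, here is an added example script (not the list post's own, and not from the Tor project) that combines the quoted rule set with the dead-end sink port suggested in the reply, and leaves out the redundant ACCEPT rule the reply points at. The user name tornet_user, the Tor uid debian-tor, the interface eth0, and Tor listening on TransPort 9040 and DNSPort 53 are assumptions taken from the thread; the sink port 12345 is the reply's example value. Setting IPTABLES=echo prints the rules instead of applying them, so the ordering can be checked before running as root.

```shell
#!/bin/sh
# Added example, not the list post's own script: force one user's traffic through
# Tor and steer whatever Tor cannot carry to a dead-end port that INPUT drops.
# Assumed: user tornet_user, Tor uid debian-tor, Tor TransPort 9040 and
# DNSPort 53 on localhost, internet interface eth0.
set -eu

IPTABLES="${IPTABLES:-iptables}"           # IPTABLES=echo prints rules instead of applying
INET_IFACE="${INET_IFACE:-eth0}"
TOR_UID="${TOR_UID:-debian-tor}"           # uid Tor runs as; its traffic must not loop back
TORNET_USER="${TORNET_USER:-tornet_user}"  # the one user whose traffic is torified
TRANS_PORT=9040                            # Tor TransPort (assumed)
DNS_PORT=53                                # Tor DNSPort (assumed)
DROPDEAD=12345                             # sink port: nothing listens, INPUT drops it

apply_rules() {
    # Keep the outside from reaching Tor's local listeners.
    for p in $TRANS_PORT 9050 $DNS_PORT; do
        $IPTABLES -A INPUT -i "$INET_IFACE" -p tcp --dport "$p" -j DROP
    done
    $IPTABLES -A INPUT -i "$INET_IFACE" -p udp --dport "$DNS_PORT" -j DROP

    # Localhost traffic and Tor's own traffic leave the nat OUTPUT chain untouched.
    # The RETURN for TOR_UID makes the original ACCEPT rule unnecessary.
    $IPTABLES -t nat -A OUTPUT -o lo -j RETURN
    $IPTABLES -t nat -A OUTPUT -d 127.0.0.1 -j RETURN
    $IPTABLES -t nat -A OUTPUT -m owner --uid-owner "$TOR_UID" -j RETURN

    # New TCP connections and DNS queries of the torified user go to Tor's ports.
    # Order matters: these must come before the sink rules below.
    $IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner "$TORNET_USER" \
        -m tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"
    $IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner "$TORNET_USER" \
        -m udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"

    # Everything else that user emits (stray non-SYN TCP, other UDP, other
    # protocols) is redirected to the sink on localhost, never to the default route.
    $IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner "$TORNET_USER" \
        -j REDIRECT --to-ports "$DROPDEAD"
    $IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner "$TORNET_USER" \
        -j REDIRECT --to-ports "$DROPDEAD"
    $IPTABLES -t nat -A OUTPUT -m owner --uid-owner "$TORNET_USER" -j REDIRECT

    # The sink: redirected packets arrive on lo, so no -i restriction here.
    $IPTABLES -A INPUT -p tcp --dport "$DROPDEAD" -j DROP
    $IPTABLES -A INPUT -p udp --dport "$DROPDEAD" -j DROP
}

# Dry-run helper: print the rules without touching the kernel.
show_rules() {
    ( IPTABLES=echo; apply_rules )
}

# Number of rules the script would install; handy as a sanity check.
rule_count() {
    show_rules | wc -l | tr -d ' '
}

case "${1:-}" in
    apply) apply_rules ;;   # run as root to install the rules
    show)  show_rules ;;    # print them for review
esac
```

Run `sh torify-user.sh show` to review the generated rules and `sh torify-user.sh apply` as root to install them. The nat OUTPUT chain is walked top to bottom, so the REDIRECTs to Tor's ports must sit above the sink rules; swapping them would send every packet, SYNs included, to the dead end.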