Re: Iptables configuration for a transparent proxy for a singleuser
On Sat, 16 May 2009 22:13:14 -0600
Jim McClanahan <jimmymac@xxxxxxxxxx> wrote:
> Rather than just DNATing all un-REDIRECTed traffic of tornet_user to
> localhost, I wonder whether it would be safer to direct udp & tcp
> traffic to a particular port where you explicitly DROP (or REJECT) it.
Yes, I think it will be a better solution.
> Something along the lines of:
>
> DROPDEAD=12345
> $IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner tornet_user \
> -j REDIRECT --to-port $DROPDEAD
> $IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner tornet_user \
> -j REDIRECT --to-port $DROPDEAD
> $IPTABLES -t nat -A OUTPUT -m owner --uid-owner tornet_user \
> -j REDIRECT
>
> $IPTABLES -A INPUT -p tcp --dport $DROPDEAD -j DROP
> $IPTABLES -A INPUT -p udp --dport $DROPDEAD -j DROP
>
> (BTW, DNATing to localhost for a locally generated packet is the same as
> REDIRECT.)
> Also, it looks to me like the following rule is not needed, as any
> packets that would match have already been RETURNed.
> $IPTABLES -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
I use privoxy as the first choice for traffic, and without this rule something works wrong.
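The sink-port scheme from the quoted post as a complete rule set, added here as an example rather than code from either poster; the Tor port numbers, the uid names, the REJECT backstop in the filter table and the loopback exemption (which is what lets the user still talk to a local privoxy) are assumptions. With the default IPTABLES value the script only prints the rules; set IPTABLES=iptables as root to apply them.

```shell
#!/bin/sh
# Added example (not the script from the thread): the "drop-dead sink" from the
# post above, completed with the rules a single-user transparent Tor setup needs.
# Ports and uid names are assumptions. By default the rules are only printed;
# set IPTABLES=iptables (as root) to actually load them.
IPTABLES="${IPTABLES:-echo iptables}"

TOR_UID="${TOR_UID:-tor}"            # uid the tor daemon runs as (assumed name)
USER_UID="${USER_UID:-tornet_user}"  # user whose traffic may only leave via tor
TRANS_PORT="${TRANS_PORT:-9040}"     # tor's TransPort (assumed value)
DNS_PORT="${DNS_PORT:-5353}"         # tor's DNSPort (assumed value)
DROPDEAD="${DROPDEAD:-12345}"        # sink port: nothing listens, INPUT drops it

tor_leak_rules() {
    # 1. tor's own sockets must not be redirected back into tor.
    $IPTABLES -t nat -A OUTPUT -m owner --uid-owner "$TOR_UID" -j RETURN
    # 2. Loopback stays untouched so the user can still reach privoxy etc.
    $IPTABLES -t nat -A OUTPUT -o lo -j RETURN
    # 3. The user's DNS goes to tor's DNSPort, all other TCP to the TransPort.
    $IPTABLES -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner "$USER_UID" \
        -j REDIRECT --to-ports "$DNS_PORT"
    $IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner "$USER_UID" \
        -j REDIRECT --to-ports "$TRANS_PORT"
    # 4. Everything left (other UDP, ICMP, ...) is sent to the local sink port
    #    instead of leaving the host in the clear, as proposed in the thread.
    $IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner "$USER_UID" \
        -j REDIRECT --to-ports "$DROPDEAD"
    $IPTABLES -t nat -A OUTPUT -m owner --uid-owner "$USER_UID" -j REDIRECT
    # 5. The sink itself: INPUT discards anything aimed at it.
    $IPTABLES -A INPUT -p tcp --dport "$DROPDEAD" -j DROP
    $IPTABLES -A INPUT -p udp --dport "$DROPDEAD" -j DROP
    # 6. Backstop in the filter table: after REDIRECT the packets leave via lo;
    #    anything from the user that still heads for a real interface is refused.
    $IPTABLES -A OUTPUT -m owner --uid-owner "$USER_UID" -o lo -j ACCEPT
    $IPTABLES -A OUTPUT -m owner --uid-owner "$USER_UID" -j REJECT
}

tor_leak_rules
```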