On Saturday 17 May 2014 16:59:23 Clare â wrote: > I'm setting up a Tor-based isolating proxy using the 'Anonymizing > Middlebox' iptables rules specified here: > https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy i.e. > iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT > --to-ports 53iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j > REDIRECT --to-ports 9040 ...and the INPUT, OUTPUT and FORWARD chains are > left at the default. Would there be any merit to also including the > following rules? iptables -P INPUT DROPiptables -P FORWARD DROPiptables -P > OUTPUT DROP iptables -A INPUT -i lo -j ACCEPTiptables -A INPUT -m state > --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o lo -j > ACCEPTiptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT Or > are they rendered unnecessary by my current setup? > Are there any other firewall rules that I should consider in order to > improve security and ensure that all traffic is torified? Many thanks. https://bitbucket.org/ra_/tor- gateway/src/367fedb41377570b6b414940a8788bd692931cd4/overlay/etc/iptables.conf?at=master might help you. It has been suggest recently, to additionally block rules: iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP iptables -A OUTPUT -m state --state INVALID -j DROP HTH, Robert
Attachment:
signature.asc
Description: This is a digitally signed message part.
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk