[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: IPTables transparent configuration

Thanks for the input Al. I actually got this to work a little bit after posting this. That always seems to be the case :). For the list and anyone else who may want to do this, I'm posting my iptables config here.

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
sudo iptables -t nat -A PREROUTING -p tcp -s -j DNAT --to-destination
sudo iptables -t nat -A PREROUTING -p icmp -s -j DNAT --to-destination
sudo iptables -t nat -A PREROUTING -p udp -s -j DNAT --to-destination

Now I'm not sure I need all of this. I'm going to revisit it later today to ensure the best rule set, but I have verified that this works 100%. 


On Nov 17, 2010, at 4:31 AM, alpal.mailinglist@xxxxxxxxx wrote:

> Curt,
> I will try and spur some discussion :)
> I'm not also sure that forcing connections to the tor port will work. Take for example an http request... you are now forcing that to a tor port, which wants to talk socks right? I would have thought you would need some sort of transparent http proxy setup which was configured to use tor for its external comms?
> Al
> ----- Reply message -----
> From: "Curt Shaffer" <cshaffer@xxxxxxxxx>
> Date: Tue, Nov 16, 2010 18:19
> Subject: IPTables transparent configuration
> To: <or-talk@xxxxxxxx>
> I have been searching the documentation and Internet for days on this
> setup. Let me give some background first.
> In this network ( I have a couple of clients. Their
> default gateway is This system is a Linux server.
> The Linux server has a LAN IP of and a "WAN" IP of
> This server is also running TOR. The "WAN" IP address of
> this system is actually being NATTED again by a firewall to an
> external IP address.
> I want all traffic on the network to use this Linux
> server as their default gateway. In that gateway, I want IPTables to
> send all of the traffic from that subnet through TOR.
> If use IPTables to NAT the addresses like this:
> eth0=WAN
> eth1=LAN
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables -A FORWARD -i eth0 -o eth1 -m state --state
> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
> General network connectivity works.
> If I introduce TOR with IPTables like this:
> iptables -t nat -A OUTPUT -p tcp -m tcp -j REDIRECT --to-ports 9040
> iptables -t filter -A OUTPUT -p tcp -m tcp --dport 9040 -j ACCEPT
> TOR connectivity works from the Linux server, but all of the clients
> on the network no longer work at all. No NAT to the
> general Internet, no TOR, no nothing.
> I'm thinking this may be an IPTables problem, but I wanted to post
> this to this list just to see if anyone else has accomplished such a
> setup. If you have, please let me know what I may be doing wrong. If
> you need more detailed information, please ask.
> ***********************************************************************
> To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
> unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/

Attachment: smime.p7s
Description: S/MIME cryptographic signature