
Re: [tor-talk] system-wide tor successful



One tweak can be done to exclude the domain-based SMTP and POP3 traffic,
say smtp.gmail.com at port 993 etc., to allow direct SMTP and POP at gmail.com.


On Fri, 28 Sep 2012 18:10:09 +0530
Raviji <raviji157@xxxxxxxxx> wrote:

> Hello,
> 
> I would like to share with you all that my system-wide Tor is successful.
> I am not confident about the benefit of polipo/privoxy; pdnsd, ttdnsd.
> I just use Tor and its DNSPort (port 53) without any caching DNS server or proxy.
> 
> In /etc/resolv.conf, set the name server to 127.0.0.1.
> 
> I have configured iptables to route all traffic through Tor except lo and the LAN.
> But the LAN packets are still dropped. I'm trying to fix it.
> Any modification is very much welcome. What tools can be used to test the system
> against DNS leaks etc.? Your ideas are welcome.
> 
> 
>     # Flush all chains, delete user-defined chains and zero the counters.
>     iptables -F
>     iptables -X
>     iptables -Z
>     iptables -t nat -Z 2>/dev/null
>     iptables -t mangle -Z
>     iptables -t nat -F
>     iptables -t mangle -F
> 
>     # Default policy: drop everything that no rule below accepts.
>     iptables -P INPUT DROP
>     iptables -P FORWARD DROP
>     iptables -P OUTPUT DROP
> 
>     # Established incoming connections are accepted.
>     iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
>     # Traffic on the loopback interface is accepted.
>     iptables -A INPUT -i lo -j ACCEPT
> 
>     # Accept outgoing ICMP. Tor carries TCP only, so ICMP leaves the box
>     # via the real address and is not anonymised.
>     iptables -A OUTPUT -p icmp -j ACCEPT
> 
>     # Established outgoing connections are accepted.
>     iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
>     # Loopback connections are accepted; this also covers the packets the
>     # nat REDIRECT below has rewritten to 127.0.0.1.
>     iptables -A OUTPUT -d 127.0.0.0/255.0.0.0 -j ACCEPT
> 
>     # Local network connections should not go through Tor, but DNS to the
>     # local network is rejected so it cannot leak around the DNSPort.
>     iptables -N lan
>     iptables -A lan -p TCP --dport domain -j REJECT
>     iptables -A lan -p UDP --dport domain -j REJECT
>     iptables -A lan -j ACCEPT
> 
>     # Sort out traffic to the local network.
>     # Note that we exclude the VirtualAddrNetwork used for .onion:s here.
>     iptables -A OUTPUT -d 192.168.0.0/255.255.0.0 -j lan
>     iptables -A OUTPUT -d 10.0.0.0/255.0.0.0 -j lan
>     iptables -A OUTPUT -d 172.16.0.0/255.240.0.0 -j lan
> 
>     # The nat OUTPUT chain is traversed before the filter rules above, so
>     # anything that must not be redirected into Tor has to RETURN here:
>     # Tor's own connections (else Tor is redirected into itself) and the
>     # local networks (else LAN traffic is pushed into Tor and fails).
>     # The Tor user name is an assumption; the Debian package uses debian-tor.
>     # If VirtualAddrNetwork lies inside one of these ranges, carve it out
>     # of the RETURN so .onion traffic still reaches the TransPort.
>     iptables -t nat -A OUTPUT -m owner --uid-owner debian-tor -j RETURN
>     iptables -t nat -A OUTPUT -d 192.168.0.0/255.255.0.0 -j RETURN
>     iptables -t nat -A OUTPUT -d 10.0.0.0/255.0.0.0 -j RETURN
>     iptables -t nat -A OUTPUT -d 172.16.0.0/255.240.0.0 -j RETURN
> 
>     # Redirect all remaining TCP to Tor's TransPort (9040) and UDP DNS to
>     # its DNSPort (53), then let the redirected packets out.
>     iptables -t nat -A OUTPUT ! -o lo -p tcp -m tcp -j REDIRECT --to-ports 9040
>     iptables -t nat -A OUTPUT -p udp --dport 53 -m state --state NEW -j REDIRECT --to-ports 53
>     iptables -t filter -A OUTPUT -p tcp -m tcp --dport 9040 -j ACCEPT
>     iptables -t filter -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
> 
>     # Everything else is rejected.
>     iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
> 
>     # Log incoming connection attempts, rate limited.
>     iptables -A INPUT -p tcp -m tcp -m state --state NEW -m limit --limit 1/minute -j LOG --log-prefix "input(tcp) "
>     iptables -A INPUT ! -p tcp -m limit --limit 1/minute -j LOG --log-prefix "input(all) "
> 
>     # Some kernel hardening via /proc/sys.
> 
>     # Ignore broadcast pings.
>     echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> 
>     # Disable forwarding.
>     echo 0 > /proc/sys/net/ipv4/ip_forward
> 
>     # Enable TCP SYN cookie protection.
>     echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> 
>     # Ignore bogus ICMP error responses.
>     echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> 
>     # Ignore all ICMP echo requests.
>     echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
> 
>     # IP spoofing protection (reverse path filtering).
>     for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>       echo 1 > $f
>     done
> 
>     # Don't accept or send ICMP redirects.
>     for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
>     for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done
> 
>     # Disable source routed packets.
>     for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
>       echo 0 > $f
>     done
> 
>     # Log martian packets.
>     for f in /proc/sys/net/ipv4/conf/*/log_martians; do
>       echo 1 > $f
>     done
> 
>     # Disable proxy_arp.
>     for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done
> 
>     # SYN backlog size; the SYN cookies enabled above take over when it overflows.
>     echo "512" > /proc/sys/net/ipv4/tcp_max_syn_backlog
> 
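One way to check a rule set for the pitfalls discussed in this thread, as an added example that is not part of the original post or of Tor's own documentation: it audits an `iptables-save` dump (the dump below is constructed to mirror the quoted rules) and prints one finding per problem, including the LAN-into-Tor redirect behind the "LAN packets are still dropped" symptom and the chain name used as an interface name.

```shell
# Added example, not from the thread: audit an iptables-save dump for the
# transparent-Tor pitfalls discussed above. SAMPLE_DUMP is constructed to
# mirror the quoted script (nat and filter tables only).
SAMPLE_DUMP='*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT ! -o lo -p tcp -m tcp -j REDIRECT --to-ports 9040
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j REDIRECT --to-ports 53
COMMIT
*filter
:OUTPUT DROP [0:0]
:lan - [0:0]
-A OUTPUT -d 192.168.0.0/16 -j lan
-A OUTPUT ! -o lan -j DROP
COMMIT'

# table_section TABLE: print one table's lines from the dump on stdin.
table_section() { sed -n "/^\*$1\$/,/^COMMIT\$/p"; }

# audit_dump: read a dump on stdin, print one finding per line, always exit 0.
audit_dump() {
  dump=$(cat)
  nat=$(printf '%s\n' "$dump" | table_section nat)
  filter=$(printf '%s\n' "$dump" | table_section filter)
  # 1. Without a TCP REDIRECT to the TransPort nothing is proxied at all.
  printf '%s\n' "$nat" | grep -q -- '-p tcp .*-j REDIRECT' \
    || echo "no TCP REDIRECT to TransPort in nat OUTPUT"
  # 2. Without a UDP/53 REDIRECT to the DNSPort every lookup is a DNS leak.
  printf '%s\n' "$nat" | grep -q -- '-p udp .*--dport 53 .*-j REDIRECT' \
    || echo "UDP 53 not redirected to DNSPort: DNS leak"
  # 3. Tor's own sockets must RETURN before the REDIRECT, or Tor is fed to
  #    itself (iptables-save prints the uid numerically, so match any uid).
  printf '%s\n' "$nat" | grep -q -- '--uid-owner [^ ]* .*-j RETURN' \
    || echo "no --uid-owner RETURN for the Tor daemon before REDIRECT"
  # 4. RFC 1918 destinations must RETURN before the REDIRECT, or LAN traffic
  #    is pushed into Tor and fails: the 'LAN packets dropped' symptom.
  for net in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12; do
    printf '%s\n' "$nat" | grep -q -- "-d $net .*-j RETURN" \
      || echo "LAN range $net not excluded from REDIRECT"
  done
  # 5. A chain name after -i/-o is a typo: it is matched as an interface name.
  for chain in $(printf '%s\n' "$filter" | sed -n 's/^:\([^ ]*\) .*/\1/p'); do
    printf '%s\n' "$filter" | grep -q -- "-[io] $chain " \
      && echo "chain '$chain' used as an interface name"
  done
  return 0
}

printf '%s\n' "$SAMPLE_DUMP" | audit_dump
```

On a live box, feed it `iptables-save | audit_dump` instead of the constructed dump; an empty output means none of the five checks fired.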

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk