[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-relays] hardening a tor relay

To: "tor-relays@xxxxxxxxxxxxxxxxxxxx" <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Subject: [tor-relays] hardening a tor relay
From: Contra Band <contra0band@xxxxxxxxx>
Date: Wed, 21 May 2014 17:23:45 -0700 (PDT)
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 21 May 2014 20:23:03 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1400718225; bh=4xBovOiCPUudHP5bCXCRslPuBDRJfNv5zcNyGNwxZFA=; h=References:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=hXgnF/IkFdaXexdlQYk++7L/7e4r0LYcmNmvx/xPQ96CYkTfdrF6hzGjDGs2ONDjXCrOAQriH3+pffdthCTlIR5l8n1Efe7pk5d7szxemkXHCIR/pmEcHOTOQ7yLJbXJUyTtPXy6g4/e19IlfK85VxxsAwNbOlk7gMIqEUj9pT0=
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References:
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

Hi all,

I'm impressed by Tor and its contribution to freedom of speech and started to run some tor relays. The first one is https://atlas.torproject.org/#details/DBE3CE33BA8BF1CB98091EE2A72690DF8218C2C3

and I have applied tight iptables to that as below.

Can somebody advise what should be add/remove to make it more efficient to tor network?

=========iptables-rules.sh==========

# Flushing all rules
iptables -F
iptables -X

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#ipv4 udp drop all
iptables -A INPUT -p udp -j DROP
iptables -A OUTPUT -p udp -j DROP 

#ipv6 udp drop all
ip6tables -A INPUT -p udp -j DROP
ip6tables -A OUTPUT -p udp -j DROP 

# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow incoming SSH
iptables -A INPUT -p tcp --dport xxx -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport xxx -m state --state ESTABLISHED -j ACCEPT

# Allow incoming 443
iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing 443
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming 9050
iptables -A INPUT -p tcp --dport 9050 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 9050 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing 9050
iptables -A OUTPUT -p tcp --dport 9050 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 9050 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming 9051
iptables -A INPUT -p tcp --dport 9051 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 9051 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing 9051
iptables -A OUTPUT -p tcp --dport 9051 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 9051 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming 9001
iptables -A INPUT -p tcp --dport 9001 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 9001 -m state --state ESTABLISHED -j ACCEPT

# Allow outgoing 9001
iptables -A OUTPUT -p tcp --dport 9001 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 9001 -m state --state ESTABLISHED -j ACCEPT



Thanks


Simon

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] hardening a tor relay
  - From: Moritz Bartl
- Re: [tor-relays] hardening a tor relay
  - From: Paul Staroch

Prev by Author: Re: [tor-relays] How to handle an abuse report
Next by Author: Re: [tor-relays] hardening a tor relay
Previous by thread: [tor-relays] Fwd: [rt.torproject.org #26011] Unknown connections
Next by thread: Re: [tor-relays] hardening a tor relay
Index(es):
- Author
- Thread