I was looking to send all traffic through Tor. The UDP rule was taken off of the Tor Transparent Configuration documentation. I have Tor DNSPort and DNSListenAddress set. I realize this was for DNS requests, but I was kinda hoping to pipe everything through. I will look at just dropping all other traffic. Thanks for sharing your link to your example config as well!

Curt

On Nov 17, 2010, at 12:37 PM, intrigeri wrote:

> Hi,
>
> Curt Shaffer wrote (17 Nov 2010 12:53:27 GMT) :
>> sudo iptables -t nat -A PREROUTING -p tcp -s 172.16.10.0/24 -j DNAT --to-destination 10.0.0.23:9040
>> sudo iptables -t nat -A PREROUTING -p icmp -s 172.16.10.0/24 -j DNAT --to-destination 10.0.0.23:9040
>> sudo iptables -t nat -A PREROUTING -p udp -s 172.16.10.0/24 -j DNAT --to-destination 10.0.0.23:53
>
> Tor is able to transport TCP only.
> If you really want these LAN boxes to *only* access the Internet over
> Tor, you have to forbid them anything other than TCP.
>
> If I am not mistaken, the rules you are showing us allow any UDP
> traffic to go out (without Tor) unless its destination port is !=53.
> I'm not sure this is really what you want to achieve.
>
> Feel free to have a look at the firewall we use in T(A)ILS as a source
> of inspiration:
>
> http://git.immerda.ch/?p=amnesia.git;a=blob;f=config/chroot_local-includes/etc/firewall.conf
> http://git.immerda.ch/?p=amnesia.git;a=blob;f=config/chroot_local-includes/etc/firewall6.conf
>
> Bye,
> --
> intrigeri <intrigeri@xxxxxxxx>
> | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
> | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr-fingerprint.asc
> | Every now and then I get a little bit restless
> | and I dream of something wild.
> ***********************************************************************
> To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
> unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
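The fail-closed ruleset intrigeri is describing, written out as an added example (it is not from this thread, nor Tor's or T(A)ILS' own firewall). It keeps the addresses from the posted rules and assumes the script runs on the gateway between the LAN 172.16.10.0/24 and a separate Tor box at 10.0.0.23, with that box's TransPort 9040 and DNSPort 53 bound to 10.0.0.23; the variable names, the `apply` argument and the `IPT=echo` dry-run switch are this example's own. Only TCP SYNs (to the TransPort) and UDP/53 (to the DNSPort) are rewritten; everything else from the LAN, including the ICMP the original rules tried to DNAT, is dropped rather than forwarded in the clear.

```shell
#!/bin/sh
# Added example, not code from the thread, Tor or T(A)ILS.
# Assumptions (addresses from the thread, the rest hypothetical):
#   - this runs as root on the router between the LAN and the Tor box
#   - Tor on 10.0.0.23 has TransPort 9040 and DNSPort 53 bound to that address
#   - this script owns the nat/PREROUTING and filter/FORWARD chains (it flushes them)
set -eu

LAN_NET="${LAN_NET:-172.16.10.0/24}"   # clients that may only reach the net via Tor
TOR_HOST="${TOR_HOST:-10.0.0.23}"      # host running Tor
TRANS_PORT="${TRANS_PORT:-9040}"       # Tor TransPort
DNS_PORT="${DNS_PORT:-53}"             # Tor DNSPort
IPT="${IPT:-iptables}"                 # IPT=echo prints the rules instead of applying them

tor_transparent_rules() {
    # nat table: steer to Tor only what Tor can actually carry
    $IPT -t nat -F PREROUTING
    # DNS: match on --dport 53. The original rule had no port match, so every UDP
    # datagram from the LAN, whatever its real destination port, was rewritten to :53.
    $IPT -t nat -A PREROUTING -s "$LAN_NET" -p udp --dport 53 \
        -j DNAT --to-destination "$TOR_HOST:$DNS_PORT"
    # TCP: only new connections (SYN) need rewriting; conntrack handles the rest
    $IPT -t nat -A PREROUTING -s "$LAN_NET" -p tcp --syn \
        -j DNAT --to-destination "$TOR_HOST:$TRANS_PORT"
    # No ICMP rule: Tor cannot transport ICMP, so DNATing it to the TransPort is pointless.

    # filter table: forward only the two flows above, drop everything else from the LAN
    $IPT -F FORWARD
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s "$LAN_NET" -d "$TOR_HOST" -p tcp --dport "$TRANS_PORT" -j ACCEPT
    $IPT -A FORWARD -s "$LAN_NET" -d "$TOR_HOST" -p udp --dport "$DNS_PORT" -j ACCEPT
    # explicit catch-all: non-DNS UDP, ICMP and direct TCP never leave without Tor
    $IPT -A FORWARD -s "$LAN_NET" -j DROP
}

# Dry-run check: succeed only if the printed ruleset ends in a DROP for the LAN.
lan_is_fail_closed() {
    ( IPT=echo; tor_transparent_rules ) | grep -q -- "-A FORWARD -s $LAN_NET -j DROP"
}

if [ "${1:-}" = "apply" ]; then
    tor_transparent_rules
fi
```

Preview with `IPT=echo sh tor-gw.sh apply`, then run `sh tor-gw.sh apply` as root on the gateway. Clients will lose ping and any UDP other than DNS; that is the point of the final DROP, and it is the same trade-off the T(A)ILS firewall linked above makes. If Tor runs on the gateway itself, replace the two DNAT targets with `-j REDIRECT --to-ports` and drop the FORWARD rules in favour of equivalent OUTPUT rules.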