| View previous topic :: View next topic |
| Author |
Message |
Treborius
Guru
Joined: 18 Oct 2005
Posts: 585
Location: Berlin
|
 Posted: Sun Jan 03, 2016 11:35 pm Post subject: pls verify tor iptables script |
 |
|
hi guys, i am a bit worried about errors in this iptables script
( its an adaption, taken from here https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy )
can someone with more knowledge pls take a look, and point finger at obvious errors?
what it is for :
i want no single paket to escape this box without beeing routed through tor,
all traffic should go through the transparent proxy, tor ships
except
- the external access via sshd on port 8888 (ssh from within is not needed)
- access to my home networks 192.168.178.0/24 and 192.168.115.0/24
| Code: |
#!/bin/sh
# allow all established
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
_ssh_port="8888"
# allow ssh new
iptables -I OUTPUT -m state -p tcp --dport $_ssh_port --state NEW -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport $_ssh_port -j RETURN
#destinations you don't want routed through Tor
_non_tor="192.168.178.0/24 192.168.115.0/24"
#the UID that Tor runs as
_tor_uid="101"
#Tor's transparent proxy port
_trans_port="9090"
#Tor's dns server port
_dns_port="9053"
### set iptables tor-nat
iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $_dns_port
#allow clearnet access for hosts in $_non_tor
for _clearnet in $_non_tor 127.0.0.0/9 127.128.0.0/10; do
iptables -t nat -A OUTPUT -d $_clearnet -j RETURN
done
#redirect all other output to Tor's TransPort
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port
#allow clearnet access for hosts in $_non_tor
for _clearnet in $_non_tor 127.0.0.0/8; do
iptables -A OUTPUT -d $_clearnet -j ACCEPT
done
#allow only Tor output
iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT
# reject everything else
iptables -A OUTPUT -j REJECT
|
is there anything / any tools i can use for testing?
the script is working so far, i can access the internet via tor.
I am only worried, that some evil apps may bypass the transparent proxy.
Thanks for your help,
Treb
_________________
Systems running gentoo :
Desktop, Laptop, ZOTAC AD-10 media-center, odroid-xu4 server / wLan-router |
|
| Back to top |
|
 |
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21593
|
| Posted: Mon Jan 04, 2016 1:54 am Post subject: |
|
|
Your first problem is that this is a shell script with no error checking. If any step fails, others will still execute, which could leave you with a partially configured system.
Your NEW OUTPUT rule should be unnecessary, since the sshd will be responding to an ESTABLISHED connection.
Your kernel might not have support for REJECT, in which case loading the deny rule would not work. I prefer to use the policy for a catch-all instead of adding a final rule as the catch-all.
Why do you have special entries for 127.0.0.0/9 127.128.0.0/10?
You can use tcpdump to monitor your normal interface to check whether traffic is being sent through non-Tor applications. |
|
| Back to top |
|
|
Treborius
Guru
Joined: 18 Oct 2005
Posts: 585
Location: Berlin
|
| Posted: Mon Jan 04, 2016 7:14 am Post subject: |
|
|
| Hu wrote: | Your first problem is that this is a shell script with no error checking. If any step fails, others will still execute, which could leave you with a partially configured system.
|
i only run this script once, and then use /etc/init.d/iptables save
| Hu wrote: |
Your NEW OUTPUT rule should be unnecessary, since the sshd will be responding to an ESTABLISHED connection.
|
your absolutely right, i removed the line
| Hu wrote: |
Why do you have special entries for 127.0.0.0/9 127.128.0.0/10?
|
mindless copy-paste, without them, dns resolution over tors build-in dns server does not work
| Hu wrote: |
You can use tcpdump to monitor your normal interface to check whether traffic is being sent through non-Tor applications.
|
I tried that, but tcpdump does not display the PID of the packets ( i think the information is lost at the point tcpdump captures its data )
and as tor is opening connections from various ports to various computers on various ports, the output was not helpful at all
( it seems ok at the first look )
thanks for your advice
_________________
Systems running gentoo :
Desktop, Laptop, ZOTAC AD-10 media-center, odroid-xu4 server / wLan-router |
|
| Back to top |
|
|
Syl20
l33t
Joined: 04 Aug 2005
Posts: 619
Location: France
|
| Posted: Mon Jan 04, 2016 11:38 am Post subject: |
|
|
Be sure the tables are emptied at the beginning of your rules set. I'm not sure it's done by iptables-save (I don't use it, I use my own iptables init script), and you may have unexpected behaviours, if you launch your script, or restart the iptables service, several times in a row.
| Code: | #!/bin/sh
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
(your stuff here) |
| Quote: | I tried that, but tcpdump does not display the PID of the packets ( i think the information is lost at the point tcpdump captures its data )
and as tor is opening connections from various ports to various computers on various ports, the output was not helpful at all
( it seems ok at the first look ) |
You can try to mix "tcpdump" output with "netstat -anlp" one.
You can also (and I think you should) add LOG rules to determine which filter rules are applied to which packets. Be careful, that could be _very_ verbose. |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
