Gentoo Forums
pls verify tor iptables script
Treborius
Guru
Joined: 18 Oct 2005
Posts: 582
Location: Berlin

PostPosted: Sun Jan 03, 2016 11:35 pm    Post subject: pls verify tor iptables script

Hi guys, I am a bit worried about errors in this iptables script
(it is an adaptation, taken from here: https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy).

Can someone with more knowledge please take a look and point a finger at obvious errors?

What it is for:
I want no single packet to escape this box without being routed through Tor;
all traffic should go through the transparent proxy that Tor ships,

except
- the external access via sshd on port 8888 (ssh from within is not needed)
- access to my home networks 192.168.178.0/24 and 192.168.115.0/24

Code:

#!/bin/sh
# allow all established
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

_ssh_port="8888"
# allow ssh new
iptables -I OUTPUT -m state -p tcp --dport $_ssh_port --state NEW -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport $_ssh_port -j RETURN

#destinations you don't want routed through Tor
_non_tor="192.168.178.0/24 192.168.115.0/24"
#the UID that Tor runs as
_tor_uid="101"
#Tor's transparent proxy port
_trans_port="9090"
#Tor's dns server port
_dns_port="9053"

### set iptables tor-nat
iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $_dns_port
#allow clearnet access for hosts in $_non_tor
for _clearnet in $_non_tor 127.0.0.0/9 127.128.0.0/10; do
   iptables -t nat -A OUTPUT -d $_clearnet -j RETURN
done
#redirect all other output to Tor's TransPort
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port
#allow clearnet access for hosts in $_non_tor
for _clearnet in $_non_tor 127.0.0.0/8; do
   iptables -A OUTPUT -d $_clearnet -j ACCEPT
done
#allow only Tor output
iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT

# reject everything else
iptables -A OUTPUT -j REJECT


Is there anything / any tools I can use for testing?
The script is working so far; I can access the internet via Tor.
I am only worried that some evil apps may bypass the transparent proxy.

Thanks for your help,
Treb
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13512

PostPosted: Mon Jan 04, 2016 1:54 am    Post subject:

Your first problem is that this is a shell script with no error checking. If any step fails, others will still execute, which could leave you with a partially configured system.

Your NEW OUTPUT rule should be unnecessary, since the sshd will be responding to an ESTABLISHED connection.

Your kernel might not have support for REJECT, in which case loading the deny rule would not work. I prefer to use the policy for a catch-all instead of adding a final rule as the catch-all.

Why do you have special entries for 127.0.0.0/9 127.128.0.0/10?

You can use tcpdump to monitor your normal interface to check whether traffic is being sent through non-Tor applications.
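Below is an added example, not the script from the thread or from the Tor wiki: the posted ruleset rebuilt with the points Hu raises. The shell stops on the first failed command, the chain policy is the catch-all instead of a trailing REJECT, and there is no separate rule for the inbound ssh session, because nat/OUTPUT only sees the first packet of locally originated connections and sshd's replies already match ESTABLISHED. It also flushes both tables first so re-running it does not append a second copy of every rule, sets an ip6tables policy because the posted rules are IPv4-only and IPv6 traffic would otherwise bypass Tor entirely, and puts a rate-limited LOG rule with `--log-uid` in front of the DROP policy, so each blocked packet is recorded together with the UID of the process that generated it. The 127.0.0.0/9 and 127.128.0.0/10 exemptions are kept exactly as posted. Assumptions of this example that the thread does not state: Tor runs as UID 101 (verify with `id -u tor`), ip6tables is installed, and the `DRY_RUN` switch and the `apply` argument are this example's own additions so the rules can be reviewed before loading.

```shell
#!/bin/sh
# Added example (not the thread's script): posted Tor transparent-proxy ruleset
# with error checking, flush, policy catch-all and a UID-tagged LOG rule.
# Assumed: Tor's UID is 101, ip6tables is present. DRY_RUN=1 prints the rules.
set -eu

DRY_RUN="${DRY_RUN:-}"
_non_tor="192.168.178.0/24 192.168.115.0/24"   # destinations that stay in the clear
_tor_uid="${TOR_UID:-101}"                      # assumption: check with `id -u tor`
_trans_port="9090"                              # Tor TransPort
_dns_port="9053"                                # Tor DNSPort
_log_prefix="tor-leak: "

# Wrappers: print the command in DRY_RUN mode, otherwise load it (set -e aborts on failure).
run()  { if [ -n "$DRY_RUN" ]; then printf 'iptables %s\n' "$*";  else iptables  "$@"; fi; }
run6() { if [ -n "$DRY_RUN" ]; then printf 'ip6tables %s\n' "$*"; else ip6tables "$@"; fi; }

# Flush rules and user chains in both tables so the script is safe to re-run.
flush_tables() {
    for t in filter nat; do
        run -t "$t" -F
        run -t "$t" -X
    done
    run6 -F
}

# The policy is the catch-all: nothing depends on the REJECT target being built.
set_policies() {
    run -P OUTPUT DROP
    # The posted rules are IPv4-only; without this IPv6 packets never meet Tor.
    run6 -P OUTPUT DROP
}

apply_rules() {
    # nat/OUTPUT sees only the first packet of locally originated connections,
    # so the inbound sshd session on port 8888 never reaches these rules.
    run -t nat -A OUTPUT -m owner --uid-owner "$_tor_uid" -j RETURN
    run -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports "$_dns_port"
    for _clearnet in $_non_tor 127.0.0.0/9 127.128.0.0/10; do
        run -t nat -A OUTPUT -d "$_clearnet" -j RETURN
    done
    run -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports "$_trans_port"

    # filter/OUTPUT: replies, including sshd's, match ESTABLISHED,RELATED.
    run -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for _clearnet in $_non_tor 127.0.0.0/8; do
        run -A OUTPUT -d "$_clearnet" -j ACCEPT
    done
    run -A OUTPUT -m owner --uid-owner "$_tor_uid" -j ACCEPT
    # Everything else is about to hit the DROP policy; log it with the owning UID,
    # which is the attribution tcpdump cannot provide. Rate-limited to avoid floods.
    run -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "$_log_prefix" --log-uid
}

main() {
    flush_tables
    set_policies
    apply_rules
}

# Load only when asked: `DRY_RUN=1 sh tor-fw.sh apply` to review, `sh tor-fw.sh apply` as root.
case "${1:-}" in
    apply) main ;;
esac
```

Review the output of `DRY_RUN=1 sh tor-fw.sh apply` before loading it as root; `/etc/init.d/iptables save` can then persist the result as before. Because the LOG rule sits directly in front of the DROP policy, every line it writes is a non-Tor packet that was stopped, not one that escaped.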
Treborius
Guru
Joined: 18 Oct 2005
Posts: 582
Location: Berlin

PostPosted: Mon Jan 04, 2016 7:14 am    Post subject:

Hu wrote:
Your first problem is that this is a shell script with no error checking. If any step fails, others will still execute, which could leave you with a partially configured system.

I only run this script once, and then use /etc/init.d/iptables save.

Hu wrote:

Your NEW OUTPUT rule should be unnecessary, since the sshd will be responding to an ESTABLISHED connection.

You're absolutely right, I removed the line.

Hu wrote:

Why do you have special entries for 127.0.0.0/9 127.128.0.0/10?

Mindless copy-paste; without them, DNS resolution over Tor's built-in DNS server does not work.

Hu wrote:

You can use tcpdump to monitor your normal interface to check whether traffic is being sent through non-Tor applications.


I tried that, but tcpdump does not display the PID of the packets (I think the information is lost at the point where tcpdump captures its data),
and as Tor is opening connections from various ports to various computers on various ports, the output was not helpful at all
(it seems OK at first look).

Thanks for your advice.
Syl20
Guru
Joined: 04 Aug 2005
Posts: 554
Location: France

PostPosted: Mon Jan 04, 2016 11:38 am    Post subject:

Be sure the tables are emptied at the beginning of your rule set. I'm not sure it's done by iptables-save (I don't use it; I use my own iptables init script), and you may have unexpected behaviours if you launch your script, or restart the iptables service, several times in a row.

Code:
#!/bin/sh

# flush all rules and delete user-defined chains in the filter and nat tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# (your stuff here)


Quote:
I tried that, but tcpdump does not display the PID of the packets (I think the information is lost at the point where tcpdump captures its data),
and as Tor is opening connections from various ports to various computers on various ports, the output was not helpful at all
(it seems OK at first look).

You can try to mix "tcpdump" output with "netstat -anlp" output.

You can also (and I think you should) add LOG rules to determine which filter rules are applied to which packets. Be careful, that could be _very_ verbose.
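As an added example of the LOG-rule approach Syl20 suggests (this is not code from the thread), the script below summarises the kernel log lines written by an OUTPUT rule such as `iptables -A OUTPUT -j LOG --log-prefix "tor-leak: " --log-uid` placed immediately before the final reject or drop. The LOG target's `--log-uid` option records the UID of the process that generated each packet, which is exactly the attribution tcpdump cannot give; `netstat -anlp` then maps a UID and destination port to the running process. The log prefix, the helper names, the `demo` argument and the sample log lines are all constructed for this example, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the thread): summarise kernel LOG lines from an
# OUTPUT rule loaded with --log-prefix "tor-leak: " --log-uid, placed just
# before the final drop, so each line is a non-Tor packet that was stopped.
set -eu

LOG_PREFIX="tor-leak: "   # assumption: the prefix used in the LOG rule

# Constructed sample (not captured): two pings and one NTP query from ordinary
# users, plus an unrelated kernel line that must be ignored.
SAMPLE_LOG='Jan  4 12:00:01 box kernel: tor-leak: IN= OUT=eth0 SRC=192.168.178.20 DST=93.184.216.34 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1 UID=1000 GID=1000
Jan  4 12:00:02 box kernel: tor-leak: IN= OUT=eth0 SRC=192.168.178.20 DST=93.184.216.34 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=2 UID=1000 GID=1000
Jan  4 12:00:05 box kernel: tor-leak: IN= OUT=eth0 SRC=192.168.178.20 DST=203.0.113.10 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=51000 DPT=123 LEN=56 UID=123 GID=123
Jan  4 12:00:06 box kernel: eth0: link is up'
# Expected summary for the sample:
#   2 1000 ICMP 93.184.216.34:-
#   1 123 UDP 203.0.113.10:123

# Reads log lines on stdin; prints "count UID PROTO DST:DPT", most frequent first.
# Only lines carrying the LOG prefix are counted; KEY=VALUE fields are parsed
# positionally so the format of the kernel LOG output does not need to be fixed.
summarize_leaks() {
    grep -F -- "$LOG_PREFIX" | awk '{
        uid = "?"; proto = "?"; dst = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "UID") uid = v
            else if (k == "PROTO") proto = v
            else if (k == "DST") dst = v
            else if (k == "DPT") dpt = v
        }
        count[uid " " proto " " dst ":" dpt]++
    } END {
        for (key in count) print count[key], key
    }' | sort -rn
}

# Resolves a UID from the summary to a user name when the passwd database has it.
uid_name() {
    getent passwd "$1" 2>/dev/null | cut -d: -f1 || true
}

# Usage: `sh leak-summary.sh demo` runs on the sample;
#        `sh leak-summary.sh /var/log/messages` or `journalctl -k | sh leak-summary.sh /dev/stdin`.
case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_LOG" | summarize_leaks ;;
    "")   ;;
    *)    summarize_leaks < "$1" ;;
esac
```

In the sample, UID 1000's pings show up because ICMP cannot be carried by Tor and is dropped by the ruleset, and the UDP/123 query from UID 123 is an NTP client that nothing redirects; both are blocked, logged attempts rather than leaks. A second LOG rule with `-m owner ! --uid-owner $_tor_uid` placed in front of the clearnet ACCEPT rules would additionally record which processes use the LAN exemptions.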