I'm new to iptables, but I've been learning about it recently as part of my ongoing attempts at security. I managed to set up iptables so that it forwards all traffic originating with my user, including DNS, through tor. Here are my iptables rules:
# Generated by iptables-save v1.4.15 on Fri Oct 12 16:33:33 2012
*nat
:PREROUTING ACCEPT [12:3420]
:INPUT ACCEPT [1:261]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p tcp -m owner --uid-owner 1000 -m tcp -j REDIRECT --to-ports 9040
-A OUTPUT -p udp -m owner --uid-owner 1000 -m udp --dport 53 -j REDIRECT --to-ports 53
COMMIT
# Completed on Fri Oct 12 16:33:33 2012
# Generated by iptables-save v1.4.15 on Fri Oct 12 16:33:33 2012
*filter
:INPUT ACCEPT [9:1175]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8:488]
-A OUTPUT -p tcp -m owner --uid-owner 1000 -m tcp --dport 9040 -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner 1000 -m udp --dport 53 -j ACCEPT
-A OUTPUT -m owner --uid-owner 1000 -j DROP
COMMIT
# Completed on Fri Oct 12 16:33:33 2012
My question is twofold: 1) how can I set up iptables to forward all traffic, originating with any user on my machine, through tor (with tor being used for both outbound and inbound connections) and 2) how can I close off all ports and allow just the ones used for tor and torDNS? I've been over the logic a dozen times and tried a hundred combinations of rules, but I can't seem to make it work.
Second problem: I need to keep the above rules, excepting bittorrent and 127.0.0.1:6600. How do I do this?
FWIW, this is what I use to achieve similar:
iptables -t nat -A OUTPUT -m owner --uid-owner mytoruser -p udp --dport 53 -j REDIRECT --to-ports 9053
iptables -t nat -A OUTPUT -m owner --uid-owner mytoruser -p tcp -j REDIRECT --to-ports 8118
iptables -A OUTPUT -m owner --uid-owner mytoruser -p tcp -d 127.0.0.1 --dport 8118 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner mytoruser -p udp -d 127.0.0.1 --dport 9053 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner mytoruser -j REJECT
Slightly different setup to what you want to achieve (these rules are for one specific user I use to run a tor-only browser, and port 8118 is for privoxy rather than tor itself), but should be easily adapted for your needs.
Last edited by b4data (2012-11-04 13:41:01)
Thank you. One other question: I need to allow localhost connections to port 6600 and bittorrent to bypass tor. I can't use MPD or Bittorrent through tor, so how can I except those ports from the forwarding process?
EDIT:
I believe I've fixed it. I placed the ACCEPT line for port 6600 from localhost before the redirect rules. Here is my revised code for allowing MPD client connections, and it works. I'm assuming the same thing can be applied to bittorrent.
# Generated by iptables-save v1.4.15 on Fri Oct 12 16:33:33 2012
*nat
:PREROUTING ACCEPT [12:3420]
:INPUT ACCEPT [1:261]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# allows MPD clients to connect to the daemon (iptables-restore only accepts comments on their own line)
-A OUTPUT -p tcp -s 127.0.0.1 --dport 6600 -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 1000 -m tcp -j REDIRECT --to-ports 9040
-A OUTPUT -p udp -m owner --uid-owner 1000 -m udp --dport 53 -j REDIRECT --to-ports 53
COMMIT
# Completed on Fri Oct 12 16:33:33 2012
# Generated by iptables-save v1.4.15 on Fri Oct 12 16:33:33 2012
*filter
:INPUT ACCEPT [9:1175]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8:488]
-A OUTPUT -p tcp -m owner --uid-owner 1000 -m tcp --dport 9040 -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner 1000 -m udp --dport 53 -j ACCEPT
#-A OUTPUT -m owner --uid-owner 1000 -j DROP
COMMIT
# Completed on Fri Oct 12 16:33:33 2012
One last question: is this setup secure? That is, are all ports except 9040, 6600, and 53 closed in both directions? It doesn't look like it to me, but I'm rather ignorant of iptables usage.
Last edited by ParanoidAndroid (2012-11-04 18:58:46)
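The last question asks whether all ports other than 9040, 6600 and 53 are closed; in the posted filter table INPUT keeps policy ACCEPT and the catch-all DROP is commented out, so neither inbound ports nor other users' outbound traffic are restricted. The following is an added example, not code from this thread: a script that generates a host-wide ruleset with default-deny policies and exempts only the tor daemon's own UID from redirection (so its traffic does not loop back into Tor). It assumes torrc settings TransPort 9040 and DNSPort 5353, and the UID 43 in the usage line is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset that
# sends every local user's new TCP connections and DNS through Tor and drops
# everything else. Assumed torrc settings: TransPort 9040, DNSPort 5353.
gen_tor_rules() {
  tor_uid=$1
  trans_port=9040
  dns_port=5353
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Tor's own connections must leave directly, or they loop back into Tor.
-A OUTPUT -m owner --uid-owner $tor_uid -j RETURN
# Loopback is never proxied, so local services such as MPD on 6600 keep working.
-A OUTPUT -o lo -j RETURN
# Everyone else: DNS to Tor's DNSPort, new TCP connections to its TransPort.
-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $dns_port
-A OUTPUT -p tcp --syn -j REDIRECT --to-ports $trans_port
COMMIT
*filter
# Default-deny in both directions answers "are all other ports closed".
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the tor user may open new connections to the outside.
-A OUTPUT -m owner --uid-owner $tor_uid -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}
# Check that the tor-user exemption precedes the first REDIRECT; if it does
# not, Tor's own traffic is redirected into Tor and nothing works.
check_order() {
  ret=$(printf '%s\n' "$1" | grep -n -- "--uid-owner $2 -j RETURN" | cut -d: -f1 | head -n1)
  redir=$(printf '%s\n' "$1" | grep -n -- '-j REDIRECT' | cut -d: -f1 | head -n1)
  [ -n "$ret" ] && [ -n "$redir" ] && [ "$ret" -lt "$redir" ]
}
# Usage: sh tor-rules.sh 43 > rules.v4   (43 is a placeholder for the tor UID)
if [ "$#" -ge 1 ]; then gen_tor_rules "$1"; fi
```

Load the result with iptables-restore; an exemption for a clearnet application such as bittorrent is best expressed as a second `--uid-owner ... -j RETURN` line for a dedicated user rather than by port, since the port alone does not identify the program.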