#1 2012-12-29 05:52:23

ParanoidAndroid
Member
Registered: 2012-10-14
Posts: 114

iptables, tor and polipo chain not working, please help. [SOLVED]

I've spent the last month banging my head against a wall (or more accurately, against my firewall) trying to set up the following chain of events:

user > polipo > tor

where iptables routes all TCP traffic through polipo and on to tor, and all UDP traffic bound for port 53 is routed through tor's DNSPort. I have verified that polipo > tor works by pointing my browser directly at polipo, and that DNS queries seem to be working properly with my existing iptables setup, but I can't get iptables to route TCP traffic properly through polipo. My goal is to route all TCP traffic through polipo+tor, all DNS queries through tor (through DNSPort), and drop/block all other inputs and outputs aside from loopback and a few select ports (i.e. the CUPS web interface). After searching the 'net for the past year, this is the messy, half-understood iptables config I've come up with:

# Generated by iptables-save v1.4.15 on Fri Oct 12 16:33:33 2012
*nat
:PREROUTING ACCEPT [12:3420]
:INPUT ACCEPT [1:261]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -p tcp -s 127.0.0.1 --dport 631 -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 1000 -m tcp -j REDIRECT --to-ports 8123
-A OUTPUT -p udp -m owner --uid-owner 1000  -m udp --dport 53 -j REDIRECT --to-po$
COMMIT
# Completed on Fri Oct 12 16:33:33 2012
# Generated by iptables-save v1.4.15 on Fri Oct 12 16:33:33 2012
*filter
:INPUT ACCEPT [9:1175]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8:488] 
-A INPUT -i lo -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 1000 -m tcp --dport 8123 -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner 1000 -m udp --dport 9053 -j ACCEPT
-A OUTPUT -p tcp -s 127.0.0.1 --dport 631 -j ACCEPT
-A OUTPUT -m owner --uid-owner 1000 -j DROP

COMMIT
# Completed on Fri Oct 12 16:33:33 2012

While I have some familiarity with iptables and its logic, I'm by no means anything more than a novice. I don't fully understand the rules above in their entirety, despite having read every doc and tutorial the Web has to offer on the subject. I'm using this setup as a means of ensuring some degree of anonymity and privacy along with security. Polipo is used to improve speed somewhat.

Please help... I have spent way too many hours on Google looking for a comprehensive answer with little success, and my poor little head is about to explode. *screams in frustration for emphasis*

[EDIT]

After more research, this is the configuration I've come up with:

# Generated by iptables-save v1.4.15 on Fri Oct 12 16:33:33 2012
*nat
:PREROUTING ACCEPT [12:3420]
:INPUT ACCEPT [1:261]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p tcp -m owner --uid-owner 1000 -j REDIRECT --to-ports 8123
-A OUTPUT -p udp -m owner --uid-owner 1000 --dport 53 -j REDIRECT --to-ports 9053
COMMIT
# Completed on Fri Oct 12 16:33:33 2012
# Generated by iptables-save v1.4.15 on Fri Oct 12 16:33:33 2012
*filter
:INPUT ACCEPT [9:1175]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8:488] 
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -s 127.0.0.1 --dport 631 -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 1000 -d 127.0.0.1 --dport 8123 -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner 1000 -d 127.0.0.1 --dport 9053 -j ACCEPT
-A OUTPUT -m owner --uid-owner 1000 -j DROP

COMMIT
# Completed on Fri Oct 12 16:33:33 2012

Still doesn't work. I can get a "connected" message in Firefox, but I can't actually load the web page. I think the DNS bit is working and tor can establish a circuit, but nothing else works. As I said, tor+polipo works fine, even with the firewall up, so I don't think it's that tor can't access loopback or port 9050 (for local application connections). Frankly, I'm flummoxed.

Last edited by ParanoidAndroid (2013-01-02 18:04:11)

#2 2012-12-31 02:19:22

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: iptables, tor and polipo chain not working, please help. [SOLVED]

It might help you if you put comments on your rules saying what they do. Also, you might want to add relevant information on your daemons' config to your thread.

Redirecting everything will break the traffic for applications that are not SOCKS5-aware, as you will know. So another way is to configure those applications which you want to use, and which can, directly for polipo/tor, and just drop the rest of the traffic (or add exceptions). That's less sophisticated than your envisaged ruleset, of course:

iptables -F OUTPUT
iptables -A OUTPUT -j ACCEPT -m owner --uid-owner tor
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT -p tcp --dport 631
iptables -P OUTPUT DROP

#3 2012-12-31 02:23:32

ParanoidAndroid
Member
Registered: 2012-10-14
Posts: 114

Re: iptables, tor and polipo chain not working, please help. [SOLVED]

Previously I had used Tor's TransPort and pointed all TCP traffic originating from user 1000 (which, according to a tutorial, is my user ID) to that using iptables. It worked fine, at least with Firefox. I see where you're coming from, but I wonder why it worked with Tor's TransPort and not with polipo?

Additionally, based on what you have there and what I have read, here is the new set of rules:

# Generated by iptables-save v1.4.15 on Fri Oct 12 16:33:33 2012
*nat
:PREROUTING ACCEPT [12:3420]
:INPUT ACCEPT [1:261]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 9053
COMMIT
# Completed on Fri Oct 12 16:33:33 2012
# Generated by iptables-save v1.4.15 on Fri Oct 12 16:33:33 2012
*filter
:INPUT DROP [9:1175]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [8:488]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT -m owner --uid-owner tor
-A OUTPUT -p tcp -d 127.0.0.1 --dport 8123 -j ACCEPT
-A OUTPUT -p udp -d 127.0.0.1 --dport 9053 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
#-A OUTPUT -p tcp -d 127.0.0.1 --dport 9040 -j ACCEPT

COMMIT
# Completed on Fri Oct 12 16:33:33 2012

This routes DNS queries through Tor, allows polipo, tor, and loopback to get through, and seals off all other ports. I think. I'll take some time to experiment and make sure the rules work. They allow Firefox when it's pointed at polipo; I haven't tested it with other applications.

[EDIT]
Rules work, but one last question: are these secure? That is, do they leave the minimum required number of ports open, or is there more I can do?

Last edited by ParanoidAndroid (2013-01-02 04:16:52)

#4 2013-01-02 09:09:26

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: iptables, tor and polipo chain not working, please help. [SOLVED]

ParanoidAndroid wrote:

[EDIT]
Rules work, but one last question: are these secure? That is, do they leave the minimum required number of ports open, or is there more I can do?

Good, it works now. Consider marking it solved then. The key to the answer is that you changed the default output policy from ACCEPT in your first post to DROP now.

However, that only means packets towards the external network not matched by the other rules are dropped. Which ports are open on your machine depends on the running services and network configuration. That information is not touched in your posted config, so no one can answer it except yourself. Have a look again at the wiki here; it's a really good write-up in my view and will give you further ideas for fine-tuning.
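Strike0's point about the default policy can be checked mechanically rather than by staring at the rules. What follows is an added example written for this thread, not code posted by either participant: a small Python reading aid that parses iptables-save output, lists which filter chains still default to ACCEPT, and walks a few constructed packets through nat OUTPUT and then filter OUTPUT in the order netfilter applies them to locally generated traffic, so the effect of a REDIRECT on the later filter match becomes visible. The two rulesets embedded in it are constructed samples modelled on the first and the final configuration in this thread (INPUT rules left out, since only OUTPUT is traced); the matcher understands only the options those rulesets use, so it is an aid to reading rules, not a substitute for testing on the machine itself.

```python
"""Audit an iptables-save dump and trace test packets through the OUTPUT path.
Added example for this thread, not code posted by either participant. The matcher knows
only the options used in the thread (any other option never matches): a reading aid, not
a netfilter replacement. FIRST and FINAL are constructed samples modelled on the first and
final rulesets in the thread, INPUT rules left out because only OUTPUT is traced."""
import shlex
TERMINAL = {"ACCEPT", "DROP", "REJECT", "REDIRECT"}
# Constructed sample, first post's shape: filter policies ACCEPT, only uid 1000 restricted.
FIRST = """\
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m owner --uid-owner 1000 -j REDIRECT --to-ports 8123
-A OUTPUT -p udp -m owner --uid-owner 1000 --dport 53 -j REDIRECT --to-ports 9053
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m owner --uid-owner 1000 -m tcp --dport 8123 -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner 1000 -m udp --dport 9053 -j ACCEPT
-A OUTPUT -m owner --uid-owner 1000 -j DROP
COMMIT
"""
# Constructed sample, final post's shape: default DROP plus explicit allows.
FINAL = """\
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 9053
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT -m owner --uid-owner tor
-A OUTPUT -p tcp -d 127.0.0.1 --dport 8123 -j ACCEPT
-A OUTPUT -p udp -d 127.0.0.1 --dport 9053 -j ACCEPT
COMMIT
"""

def parse_save(text):
    """iptables-save text -> {table: {"policy": {chain: policy}, "rules": {chain: [argv]}}}."""
    tables, table = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("*"):                      # table header
            table = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line.startswith(":"):                    # chain and its default policy
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
            table["rules"].setdefault(chain, [])
        elif line.startswith("-A "):                  # rule appended to a chain
            argv = shlex.split(line)
            table["rules"].setdefault(argv[1], []).append(argv[2:])
    return tables

def rule_to_spec(argv):
    """Rest of an -A line -> {option: value}; "-m <ext>" is skipped, bare flags get True."""
    spec, i = {}, 0
    while i < len(argv):
        nxt = argv[i + 1] if i + 1 < len(argv) else "-"
        if argv[i].startswith("-") and argv[i] != "-m":
            spec[argv[i]] = True if nxt.startswith("-") else nxt
        i += 1 if nxt.startswith("-") else 2
    return spec

def rule_matches(spec, pkt):
    """Every match option must agree with the packet; options outside `fields` never match."""
    fields = {"-p": "proto", "-s": "src", "-d": "dst", "-o": "out", "--dport": "dport", "--uid-owner": "uid"}
    return all(opt in fields and str(pkt.get(fields[opt])) == val
               for opt, val in spec.items() if opt not in ("-j", "--to-ports"))

def verdict(table, chain, pkt):
    """First matching terminal target, else the chain policy. Returns (verdict, rule index)."""
    for idx, argv in enumerate(table["rules"].get(chain, [])):
        spec = rule_to_spec(argv)
        if spec.get("-j") in TERMINAL and rule_matches(spec, pkt):
            return spec["-j"], idx
    return table["policy"][chain], None

def accept_policies(tables):
    """Filter chains whose default policy is still ACCEPT."""
    return [c for c, p in tables["filter"]["policy"].items() if p == "ACCEPT"]

def trace_output(tables, pkt):
    """Locally generated packet: nat OUTPUT first (REDIRECT rewrites dst to loopback, re-routed via lo), then filter OUTPUT."""
    pkt = dict(pkt)
    v, idx = verdict(tables["nat"], "OUTPUT", pkt)
    if v == "REDIRECT":
        spec = rule_to_spec(tables["nat"]["rules"]["OUTPUT"][idx])
        pkt.update(dst="127.0.0.1", dport=int(spec["--to-ports"]), out="lo")
    return verdict(tables["filter"], "OUTPUT", pkt)[0]

PACKETS = {  # constructed test packets; remote addresses are RFC 5737 documentation addresses
    "root direct tcp": {"uid": 0, "proto": "tcp", "dst": "198.51.100.7", "dport": 80, "out": "eth0"},
    "user direct tcp": {"uid": 1000, "proto": "tcp", "dst": "198.51.100.7", "dport": 443, "out": "eth0"},
    "user dns": {"uid": 1000, "proto": "udp", "dst": "198.51.100.53", "dport": 53, "out": "eth0"},
    "tor relay": {"uid": "tor", "proto": "tcp", "dst": "203.0.113.5", "dport": 9001, "out": "eth0"},
}

if __name__ == "__main__":
    for name, text in (("first", FIRST), ("final", FINAL)):
        t = parse_save(text)
        print(name, "ACCEPT policies:", accept_policies(t), {k: trace_output(t, p) for k, p in PACKETS.items()})
```

Run against the first ruleset, the script reports that root's direct TCP connection falls through to the OUTPUT policy of ACCEPT (only uid 1000 was ever matched by the DROP rule), while the same packet is dropped by the final ruleset; the uid 1000 DNS query reaches port 9053 in both, because the REDIRECT has already rewritten it to 127.0.0.1:9053 on lo by the time the filter table sees it, which is why `-o lo` or `-d 127.0.0.1 --dport 9053` is the rule that has to match there. FORWARD stays ACCEPT in both samples, which only matters if the machine has IP forwarding enabled.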
