
#1 2019-05-27 15:40:41

greatest_username
Member
Registered: 2018-12-27
Posts: 35

How do I setup iptables so only Tor Browser traffic is allowed?

Hi,

I am trying to configure iptables so all traffic is blocked except traffic from the Tor Browser.

To allow only Tor Browser traffic, I have tried to add "--uid-owner tor" to only allow traffic from the user "tor", but this only works with a separate Tor daemon and not the one that comes with the Tor Browser, so Tor Browser traffic is still being blocked.

What other way can I allow Tor Browser traffic through?

Is it possible to make the user "tor" start the Tor Browser's Tor daemon?

I know I can use a separate Tor daemon with the Tor Browser but I only want to use that as a last resort.

I do not want to force all traffic through Tor with a transparent proxy. I only want to block non-Tor traffic.

I have tried to allow traffic from port 9150 with

iptables -A OUTPUT -p tcp --dport 9150 -j ACCEPT

but this doesn't work. I am not entirely sure that this is correct as I'm not that great with iptables.

If anyone could help me with this then that would be greatly appreciated.

Offline

#2 2019-05-27 17:24:01

Koatao
Member
Registered: 2018-08-30
Posts: 92

Re: How do I setup iptables so only Tor Browser traffic is allowed?

Hi,
Could you post a full list of iptables rules?

It seems to me that you've allowed traffic to go out, but not to go back in.

I don't know how TOR Browser works, but communication is a two-way street!

Last edited by Koatao (2019-05-27 17:24:21)

Offline

#3 2019-05-27 18:34:50

greatest_username
Member
Registered: 2018-12-27
Posts: 35

Re: How do I setup iptables so only Tor Browser traffic is allowed?

My iptables rules are

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A OUTPUT -p tcp --dport 9150 -j ACCEPT
iptables -A OUTPUT -j REJECT

The Tor Browser's Tor daemon uses port 9150. The second-to-last rule is meant to allow it network access. I have also tried using

iptables -A INPUT -p tcp --dport 9150 -j ACCEPT

with the other rules but it still doesn't work.

Offline

#4 2019-05-28 10:30:31

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,866

Re: How do I setup iptables so only Tor Browser traffic is allowed?

Those are not your iptables rules, but the commands you gave to iptables from commandline (or script).

Please post the output of iptables -nvL --line-numbers or iptables-save.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#5 2019-05-28 20:42:42

greatest_username
Member
Registered: 2018-12-27
Posts: 35

Re: How do I setup iptables so only Tor Browser traffic is allowed?

Sorry. I didn't think it mattered if I used iptables-save or not. I thought the commands would have been fine.

# Generated by iptables-save v1.8.2 on Tue May 28 13:41:21 2019
*security
:INPUT ACCEPT [41:11528]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [28:5449]
COMMIT
# Completed on Tue May 28 13:41:21 2019
# Generated by iptables-save v1.8.2 on Tue May 28 13:41:21 2019
*raw
:PREROUTING ACCEPT [50:16775]
:OUTPUT ACCEPT [66:32045]
COMMIT
# Completed on Tue May 28 13:41:21 2019
# Generated by iptables-save v1.8.2 on Tue May 28 13:41:21 2019
*mangle
:PREROUTING ACCEPT [51:16815]
:INPUT ACCEPT [51:16815]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [66:32045]
:POSTROUTING ACCEPT [28:5449]
COMMIT
# Completed on Tue May 28 13:41:21 2019
# Generated by iptables-save v1.8.2 on Tue May 28 13:41:21 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue May 28 13:41:21 2019
# Generated by iptables-save v1.8.2 on Tue May 28 13:41:21 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [9:12320]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 9150 -j ACCEPT
COMMIT
# Completed on Tue May 28 13:41:21 2019

Offline

#6 2019-05-29 08:18:32

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,866

Re: How do I setup iptables so only Tor Browser traffic is allowed?

Some applications add their own stuff to iptables / nftables; the only way to be sure what's set is to check the rules in use.

I don't know if what you want can be done with iptables, but maybe you should rethink.

I only want to block non-Tor traffic

What about network traffic protocols like rsync, dhcp, dns, ntp, smtp?

Is your goal something like: I want to make sure http / https traffic can only go outside of my machine when it comes from tor browser?



Offline

#7 2019-05-29 17:43:39

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: How do I setup iptables so only Tor Browser traffic is allowed?

@Lone_wolf what about partitioning the allowed traffic based on uid?  Run tor on a given uid and only that uid allows outbound connections on interfaces other than lo.

Offline

#8 2019-05-29 22:30:46

greatest_username
Member
Registered: 2018-12-27
Posts: 35

Re: How do I setup iptables so only Tor Browser traffic is allowed?

The Tor Browser connects to the Tor daemon which then uses TCP on port 9150 to connect to the Tor network. I should just be able to allow TCP traffic coming out of port 9150 but that doesn't seem to be working so I need to either find a way to fix it or do it a completely different way, such as making the Tor Browser's Tor daemon use the "tor" user so I can just allow that user.

What about network traffic protocols like rsync, dhcp, dns, ntp, smtp?

This firewall won't be on all the time so those can still be used when it's not in use. Tor uses IP addresses to connect to the nodes and then it uses the node's DNS servers for domain name resolution so I don't need to allow any DNS traffic.

Is your goal something like: I want to make sure http / https traffic can only go outside of my machine when it comes from tor browser?

No, I want to make sure only Tor Browser traffic can leave my machine. All other connections and protocols will be blocked. This prevents an adversary from compromising the Tor Browser and then sending a connection over the clearnet to reveal my IP address and other information. This has happened before.

@Lone_wolf what about partitioning the allowed traffic based on uid?  Run tor on a given uid and only that uid allows outbound connections on interfaces other than lo.

This is a good idea and is why I want to find a way to start the Tor daemon by the user "tor" as I can just allow that user.

Offline

#9 2019-05-29 23:19:56

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: How do I setup iptables so only Tor Browser traffic is allowed?

@greatest_username see the tor.service supplied by the tor package.
Are you sure tor only uses tcp 9150? You could monitor connections tor makes when the firewall is disabled or add a logging rule for traffic in the output table before it is rejected.

Offline

#10 2019-05-30 12:40:22

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,866

Re: How do I setup iptables so only Tor Browser traffic is allowed?

Tor uses IP address to connect to the nodes and then it uses the node's DNS servers for domain name resolution so I don't need to allow any DNS traffic.

In order for the tor browser to communicate with the tor node dns servers it needs to use dns protocols, which means there will be dns traffic.

To make sure https / tls / ssl connections work, the clock of the system needs to be very accurate. By far the easiest way to do this is using the Network Time Protocol, thus you need to allow ntp traffic.

In order to get an ip-address you need dhcp traffic or a static network setup.
Do you have the skills to create and manage a static network ?
If not, you need dhcp traffic.


I could list several more things, but I hope this makes clear you need many network protocols for networking to work at all.


I think your goal would be much easier to reach by running tor browser in a hardened virtual machine with a minimal installation, no access to physical host devices and only allowing connections to tor nodes over a vpn connection
(The vpn connection would be setup outside of the VM)

Disclaimer: I do have some security experience, but don't consider myself a security expert. There may be better solutions.

Last edited by Lone_Wolf (2019-05-30 12:41:17)



Offline

#11 2019-05-30 14:01:46

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: How do I setup iptables so only Tor Browser traffic is allowed?

Lone_Wolf you are assuming tor address nodes by name rather than IP.
My understanding is the directory authority address IP address are hardcoded into the source code.
The consensus is downloaded from the directory authority (which includes the IP address of other nodes)
Resolution of an address is performed over the tor network on a connection setup without using external DNS.

Why not run tor outside the virtual machine and only allow connections from the VM to tor?

Offline

#12 2019-05-30 14:35:02

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,866

Re: How do I setup iptables so only Tor Browser traffic is allowed?

I'm assuming at some point the user wants to visit some site of which the ip-address is not known locally.
Whether that is resolved through dns, dnssec, tordns or guaranteed-secure-dns-from-the-future, it still is dns traffic.

If the tor browser includes a dns resolver, this could be called "tor browser traffic".
In case the tor browser does use a dns resolver outside of the tor browser, it's not "tor browser traffic" anymore.
Does the tor browser know how to get an ip-address and routes to other networks?

So far OP insists on running tor browser and only allowing network traffic from tor browser.
That is a misunderstanding not unlike "my system doesn't boot" when someone forgot to power their screen.


Having the VM connect to a local instance of TOR would be possible and a further improvement, but there are many other possibilities.
OP needs to decide what they want and how many resources they're willing to use for it.

Last edited by Lone_Wolf (2019-05-30 14:35:45)



Offline

#13 2019-05-30 15:20:48

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: How do I setup iptables so only Tor Browser traffic is allowed?

I think the 9150 port greatest_username references is the socks port tor opens locally and the destination is specified as a hostname using socks 4a / socks 5 which tor resolves internally.

As you point out only allowing traffic to port 9150 would not work even if all tor nodes used port 9150 due to the need to use other services in many use cases.

Offline

#14 2019-05-30 19:31:25

greatest_username
Member
Registered: 2018-12-27
Posts: 35

Re: How do I setup iptables so only Tor Browser traffic is allowed?

@greatest_username see the tor.service supplied by the tor package.
Are you sure tor only uses tcp 9150? You could monitor connections tor makes when the firewall is disabled or add a logging rule for traffic in the output table before it is rejected.

The Tor package is different from the one that comes with the Tor Browser. The Tor Browser one is configured specially for the Tor Browser and uses 9150 as its default SocksPort. Other ports can be configured but I haven't done this.

In order for the tor browser to communicate with the tor node dns servers it needs to use dns protocols, which means there will be dns traffic.

No, Tor uses IP addresses to connect to the network. No DNS is used. You can test this by setting your DNS to 0.0.0.0 and opening the Tor Browser. It'll still work.

To make sure https / tls / ssl connections work, the clock of the system needs to be very accurate. By far the easiest way to do this is using the Network Time Protocol, thus you need to allow ntp traffic.

In order to get an ip-address you need dhcp traffic or a static network setup.
Do you have the skills to create and manage a static network ?
If not, you need dhcp traffic.

I've already said the firewall won't be on at all times so these protocols can be used before the firewall is created or after it is disabled. Also, https doesn't need an extremely accurate time to work. It can be set back by a few hours and it will still work.

I think your goal would be much easier to reach by running tor browser in a hardened virtual machine with a minimal installation, no access to physical host devices and only allowing connections to tor nodes over a vpn connection

VMs don't run well on my machine and a VPN doesn't increase anonymity.

I'm assuming at some point the user wants to visit some site of which the ip-address is not known locally.
Whether that is resolved through dns, dnssec, tordns or guaranteed-secure-dns-from-the-future, it still is dns traffic.

It will use the exit node's DNS. No DNS is required on my end.

So far OP insists on running tor browser and only allowing network traffic from tor browser.
That is a misunderstanding not unlike "my system doesn't boot" when someone forgot to power their screen.

It isn't a misunderstanding. I have done this before with a separate Tor daemon. I'm just having trouble using it with the Tor Browser.

As you point out only allowing traffic to port 9150 would not work even if all tor nodes used port 9150 due to the need to use other services in many use cases.

I don't want to allow traffic to port 9150 but out of port 9150 on my machine as that is what Tor uses as its default SocksPort. I have already said the firewall won't be on all the time so those other services can be used at another time.

Offline

#15 2019-05-30 20:52:41

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: How do I setup iptables so only Tor Browser traffic is allowed?

greatest_username wrote:

I don't want to allow traffic to port 9150 but out of port 9150 on my machine as that is what Tor uses as its default SocksPort. I have already said the firewall won't be on all the time so those other services can be used at another time.

What about traffic from tor to the tor network? (which is not the same as the local socks proxy)

Offline

#16 2019-05-31 10:35:51

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,866

Re: How do I setup iptables so only Tor Browser traffic is allowed?

greatest_username wrote:

VMs don't run well on my machine and a VPN doesn't increase anonymity.

The hardened minimal VM I had in mind will require approx 2 GiB diskspace and 512 MiB memory, maybe less.
Is your machine so limited it can't provide that?

Everyone who understands how a VPN works knows it's a great way to improve security and has nothing to do with anonymity.

greatest_username wrote:

It will use the exit node's DNS. No DNS is required on my end.

You don't understand how the DNS protocol works.


I tried to use my network and security knowledge to help you run tor browser in an environment with a small attack surface.
When an attacker would breach the tor browser, they'd still be contained by the VM and could do very little damage.

You don't seem to be interested in that but prefer a big attack surface with very little containment.

Configure xhost to allow a non-root user to access your X display, use su to start tor browser as that user.
That should allow you to setup 2 sets of firewall rules:
one with the basics and one just for the tor user.

Have fun setting it up.



Offline

#17 2019-05-31 23:37:02

greatest_username
Member
Registered: 2018-12-27
Posts: 35

Re: How do I setup iptables so only Tor Browser traffic is allowed?

What about traffic from tor to the tor network? (which is not the same as the local socks proxy)

Traffic leaves from my machine to go to the Tor network from port 9150.

Everyone who understands how a VPN works knows it's a great way to improve security and has nothing to do with anonymity.

Improves security by tunneling your entire connection through a stranger's server who is in a position to log and mitm all of your traffic consistently? I don't think so. VPNs are just glorified proxies.

https://gist.github.com/joepie91/5a9909939e6ce7d09e29

https://matt.traudt.xyz/posts/vpn-tor-not-mRikAa4h.html

VPNs are also easily compromised with traffic analysis attacks or a hacked server.

You don't understand how the DNS protocol works.

Yes I do. DNS resolves IP addresses from hostnames but as the Tor client uses IP addresses already, no DNS is needed. Tor then uses the exit node's DNS for all websites you'd visit.

https://gitweb.torproject.org/torspec.g … 2c62#n1475

I tried to use my network and security knowledge to help you run tor browser in an environment with a small attack surface.

Which is not what I asked for. I asked for firewall rules. I already have knowledge in sandboxing and similar.

When an attacker would breach the tor browser, they'd still be contained by the VM and could do very little damage.

Yes, I know. I put the Tor Browser in a bunch of protections such as AppArmor and Firejail/Bubblewrap to confine it as much as possible. I know it's not as much as a VM but it isn't as little as you think.

You don't seem to be interested in that but prefer a big attack surface with very little containment.

No, I prefer lightweight sandboxing tools along with clearnet leak protection (my original question).

configure xhost to allow a non-root user to access your X display, use su to start tor browser as that user.

That would allow an attacker who compromised the sandbox to have shell access and then be able to leak outside of Tor. Something like the "tor" user cannot be used in that way as there is no way to login as it.

Thank you though as this may be a possible solution. I will test it.

Have fun setting it up.

That sounds easy. Why do you talk as if it's going to be difficult?

Offline

#18 2019-05-31 23:41:20

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: How do I setup iptables so only Tor Browser traffic is allowed?

greatest_username wrote:

What about traffic from tor to the tor network? (which is not the same as the local socks proxy)

Traffic leaves from my machine to go to the Tor network from port 9150.

You are mistaken and can verify this is not the case with ss or any other connection monitor / traffic analyzer or packet capture tool.
Edit:
process tor 127.0.0.1:random -> 127.0.0.1:9150 (are the tor socks connections)
process tor 127.0.0.1:random -> 127.0.0.1:9151 (are the tor control connections)
process tor local IP:random -> remote IP:random (are the connections to the tor network)

Last edited by loqs (2019-05-31 23:50:58)

Offline
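The check loqs describes, written out as an added example (not code from the thread): it reads `ss -Htnp` output, lists every connection whose peer is not a loopback address, and then keeps only the ones not owned by the tor process. Those are the connections that reached the network without going through tor, which is what the OP's firewall is meant to rule out. The sample lines, addresses, PIDs and process names are constructed for the example; the function names are this example's own.

```shell
#!/bin/sh
# Added example: classify live TCP connections the way loqs describes.
# Both functions read `ss -Htnp` lines (no header) on stdin. Columns are:
# state, recv-q, send-q, local addr:port, peer addr:port, process.

# Every connection whose peer is not a loopback address, printed as
# "<program> <local> -> <peer>": these actually left the machine.
outbound_connections() {
    awk '
        $5 !~ /^127\./ && $5 !~ /^\[::1\]/ {
            prog = $6
            sub(/^users:\(\("/, "", prog)   # strip the leading users:(("
            sub(/".*/, "", prog)            # keep only the program name
            print prog, $4, "->", $5
        }'
}

# The subset not made by the tor process. Anything printed here reached the
# network outside tor: the clearnet leak the firewall is supposed to block.
leaks_outside_tor() {
    outbound_connections | awk '$1 != "tor"'
}

# Constructed sample: two Tor Browser -> local tor connections (socks 9150 and
# control 9151), two tor -> relay connections, and one direct clearnet
# connection from the browser process.
SAMPLE_SS='ESTAB 0 0 127.0.0.1:41234 127.0.0.1:9150 users:(("firefox",pid=2201,fd=51))
ESTAB 0 0 127.0.0.1:41236 127.0.0.1:9151 users:(("firefox",pid=2201,fd=52))
ESTAB 0 0 192.0.2.10:38412 198.51.100.7:9001 users:(("tor",pid=2150,fd=12))
ESTAB 0 0 192.0.2.10:38420 198.51.100.9:443 users:(("tor",pid=2150,fd=14))
ESTAB 0 0 192.0.2.10:39001 203.0.113.5:443 users:(("firefox",pid=2201,fd=60))'

# Live use (run as root so ss can name other users' processes):
#   ss -Htnp | leaks_outside_tor
printf '%s\n' "$SAMPLE_SS" | leaks_outside_tor
```

Run against the sample, the last line prints only the firefox connection to 203.0.113.5:443; the two tor connections to relays come out of `outbound_connections` but are filtered away, and the loopback socks/control connections never appear at all, which is the distinction loqs draws in the edit above.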

#19 2019-06-01 13:34:22

greatest_username
Member
Registered: 2018-12-27
Posts: 35

Re: How do I setup iptables so only Tor Browser traffic is allowed?

You are mistaken and can verify this is not the case with ss or any other connection monitor / traffic analyzer or packet capture tool.

Thank you! I was mistaken. I checked Wireshark and you were right. I can't allow traffic this way then. What other way can I do this?

Offline

#20 2019-06-03 22:44:17

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: How do I setup iptables so only Tor Browser traffic is allowed?

The issue is how to identify the tor -> tor network traffic.
I can think of two approaches:
  1) use a separate username / uid, either:
    1a) login as the new user
    1b) su / sudo to the user; may need xhost +si:localuser:username and/or dbus-launch, and may have issues related to audio / video groups.
  2) create an ipset with all ip+ports of the tor nodes; needs some method to populate / maintain the set.

Offline

#21 2019-06-05 19:37:39

greatest_username
Member
Registered: 2018-12-27
Posts: 35

Re: How do I setup iptables so only Tor Browser traffic is allowed?

2) create an ipset with all ip+ports of the tor nodes needs some method to populate / maintain the set.

Thanks! This sounds like a good idea. I can get a list of all the entry nodes by running

grep -B2 "^s.*Guard" tor-browser_en-US/Browser/TorBrowser/Data/Tor/cached-microdesc-consensus | grep "^r" | awk '{print $6 ":" $7}'

and create the ipset with that.

Offline

#22 2019-06-05 23:14:37

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: How do I setup iptables so only Tor Browser traffic is allowed?

I would add the rest of the nodes to another ipset and use that for a log rule, and then another log rule for traffic that is not in either of the ipsets so you can see what, if anything, is being dropped.

Offline
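The ipset approach from loqs' two posts above and greatest_username's grep pipeline, carried through as an added example (not code from the thread): it parses a microdesc consensus into one set of Guard relays and one set of all other relays, emits an `ipset restore` script for both, and emits OUTPUT rules that accept guards, log traffic to non-guard relays, and log-then-drop everything else. The set names, log prefixes and the consensus excerpt (three made-up relays on documentation addresses) are this example's own; only the consensus line layout (an "r" line with IP and ORPort followed by an "s" line with flags) comes from the file the thread discusses.

```shell
#!/bin/sh
# Added example: build the guard / other-relay ipsets loqs suggests from a Tor
# microdesc consensus and emit the matching firewall rules.

# Reads a microdesc consensus on stdin, prints "<set> <ip>,<orport>" per relay.
# An "r" line carries nickname, identity, date, time, IP, ORPort, DirPort; the
# "s" line that follows carries the flags, so the address is remembered until
# the flags line decides which set it belongs to.
relay_entries() {
    awk '
        $1 == "r" { entry = $6 "," $7 }
        $1 == "s" && entry != "" {
            set = ($0 ~ / Guard( |$)/) ? "tor_guards" : "tor_relays"
            print set, entry
            entry = ""
        }'
}

# Turns relay_entries output into an `ipset restore` script. -exist makes
# re-runs idempotent, so the sets can be refreshed whenever the consensus
# changes (the maintenance step loqs points out is needed).
ipset_restore_script() {
    printf 'create tor_guards hash:ip,port -exist\n'
    printf 'create tor_relays hash:ip,port -exist\n'
    awk '{ split($2, a, ","); print "add", $1, a[1] ",tcp:" a[2], "-exist" }'
}

# OUTPUT-chain rules in iptables-restore syntax. "dst,dst" matches the set
# against destination IP and destination port. Non-guard relays are logged
# rather than accepted, and a final LOG before DROP shows what else was cut.
output_rules() {
    cat <<'EOF'
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m set --match-set tor_guards dst,dst -j ACCEPT
-A OUTPUT -p tcp -m set --match-set tor_relays dst,dst -j LOG --log-prefix "tor-nonguard: "
-A OUTPUT -j LOG --log-prefix "non-tor-dropped: "
-A OUTPUT -j DROP
EOF
}

# Constructed consensus excerpt: two Guard relays and one non-Guard exit.
SAMPLE_CONSENSUS='r alpha AAAAAAAAAAAAAAAAAAAAAAAAAAA 2019-06-05 10:00:00 198.51.100.7 9001 0
m bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
s Fast Guard Running Stable Valid
w Bandwidth=12000
p reject 1-65535
r beta CCCCCCCCCCCCCCCCCCCCCCCCCCC 2019-06-05 10:00:00 203.0.113.20 443 80
m dddddddddddddddddddddddddddddddddddddddddddd
s Exit Fast Running Stable Valid
w Bandwidth=8000
p accept 80,443
r gamma EEEEEEEEEEEEEEEEEEEEEEEEEEE 2019-06-05 10:00:00 192.0.2.33 9001 9030
m ffffffffffffffffffffffffffffffffffffffffffff
s Fast Guard HSDir Running Stable V2Dir Valid
w Bandwidth=20000
p reject 1-65535'

# Live use, as root, against the Tor Browser's own copy of the consensus:
#   relay_entries < tor-browser_en-US/Browser/TorBrowser/Data/Tor/cached-microdesc-consensus \
#       | ipset_restore_script | ipset restore
#   output_rules   # paste into the *filter section of an iptables-restore file
printf '%s\n' "$SAMPLE_CONSENSUS" | relay_entries | ipset_restore_script
```

Two things worth keeping in mind when using this for real: the sets only contain ORPorts, so a relay reached on another port would fall through to the logged DROP (the "tor-nonguard" and "non-tor-dropped" prefixes in the kernel log are where to look when something stops working), and the consensus is replaced regularly, so the restore script has to be re-run on a schedule or the guard set goes stale.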

#23 2019-11-21 00:54:14

vyachkonovalov
Member
From: Russia, Perm
Registered: 2019-11-21
Posts: 1

Re: How do I setup iptables so only Tor Browser traffic is allowed?

What about this solution?
The idea is to force Tor Browser to use systemd tor service and allow traffic only for tor user.

shell as root

pacman -S tor

/etc/tor/torrc

SOCKSPolicy accept 127.0.0.1
SOCKSPolicy reject *
Log notice syslog
DataDirectory /var/lib/tor

shell as root

iptables -F OUTPUT
iptables -A OUTPUT -j ACCEPT -m owner --uid-owner tor
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A OUTPUT -j ACCEPT -p udp --dport 123
iptables -P OUTPUT DROP
iptables -L -v

Source: Blocking all local outbound non-Tor traffic with iptables

shell as root

systemctl restart tor

shell as regular user

TOR_SKIP_LAUNCH=1 TOR_SOCKS_PORT=9050 tor-browser

I checked and it works.
For testing you can open facebookcorewwwi.onion or ipinfo.io/country
Tor Browser's start page will show "Something Went Wrong! Tor is not working in this browser.", just ignore it.

Tor version 0.4.1.6
Tor Browser 9.0.1 (based on Mozilla Firefox 68.2.0esr)

Last edited by vyachkonovalov (2019-11-21 00:57:36)

Offline
