= Blocking all local outbound non-Tor traffic with iptables =

A few simple {{{iptables}}} commands can achieve this. ('''Note:''' If you are logged in over SSH, these rules will cut you off immediately: the {{{DROP}}} policy on {{{OUTPUT}}} discards the packets {{{sshd}}} sends back to your client, since they belong neither to the Tor user nor to the loopback interface. Run them from a local console.)

In order for these to work, you must ensure the {{{--uid-owner}}} option is followed by the account Tor runs as on your system. This user is {{{debian-tor}}} on both Debian and Ubuntu; Gentoo uses just {{{tor}}}; other distributions may use a different name. If you are unsure, list the accounts with {{{cat /etc/passwd}}} (or {{{getent passwd}}}), or read the numeric UID of the running daemon with {{{ps -o uid= -C tor}}} ({{{--uid-owner}}} accepts a number as well as a name). Getting this wrong is not a harmless mistake: iptables rejects an ACCEPT rule for an unknown user, and the DROP policy that follows then blocks Tor's own traffic along with everything else.

As root, execute the following commands:

{{{
# iptables -F OUTPUT
# iptables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
# iptables -A OUTPUT -j ACCEPT -o lo
# iptables -A OUTPUT -j ACCEPT -p udp --dport 123
# iptables -P OUTPUT DROP
# iptables -L -v
}}}

The last command lists the rules together with per-rule packet and byte counters, so you can see how much traffic each ACCEPT rule has matched; the {{{Chain OUTPUT (policy DROP ...)}}} header line carries the counters for packets dropped by the default policy. Note that {{{iptables -F OUTPUT}}} only flushes the rules in the chain and does not touch its policy; the policy is set by the {{{-P}}} line, which is deliberately last so that the ACCEPT rules are already in place when the chain starts dropping.

'''Notice:''' The line containing {{{iptables -A OUTPUT -j ACCEPT -p udp --dport 123}}} allows outbound NTP queries (UDP port 123) that are not routed over Tor, so the clock can stay in sync (Tor itself needs a reasonably accurate clock). Be aware that, as written, it matches UDP to port 123 on any destination from any local user, not only your NTP daemon; if you do not run an NTP client, omit it, and if you do, consider restricting it with {{{-m owner --uid-owner}}} to the account the NTP daemon runs as. The line containing {{{iptables -A OUTPUT -j ACCEPT -o lo}}} allows traffic over the loopback device; such traffic never leaves the machine and is needed for local applications to reach Tor's SOCKS and DNS ports, so it is completely safe.

The above commands only set rules for IPv4 traffic. To block outbound non-Tor IPv6 traffic, you will have to use {{{ip6tables}}}; an IPv4-only ruleset leaves every IPv6-capable application free to bypass Tor. Execute the following commands as root:

{{{
# ip6tables -F OUTPUT
# ip6tables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
# ip6tables -A OUTPUT -j ACCEPT -o lo
# ip6tables -P OUTPUT DROP
}}}

If your host has no IPv6 connectivity, this simply blocks everything, which is what you want. If it does use IPv6, keep in mind that the kernel's own Neighbor Discovery packets (ICMPv6) have no owning user, so this policy drops them too and IPv6 stops working for Tor as well; in that case you need an ACCEPT rule for those ICMPv6 types ahead of the policy.
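The procedure above (IPv4 block, NTP exception, IPv6 block), gathered into one script as an added example. This is not code from the original page or from the Tor project. It prints the same iptables/ip6tables commands the page gives, checks that the Tor user actually exists before anything is tightened, and feeds the commands through a fail-fast shell so that a typo in an ACCEPT rule stops the script before the DROP policy is set. The {{{rules_for}}}, {{{check_user}}} and {{{apply_policy}}} names, the {{{TOR_USER}}}/{{{NTP_USER}}} variables, the {{{non-tor-out:}}} log prefix and the ICMPv6 Neighbor Discovery exception for IPv6 are this example's own additions; {{{LOG}}} and {{{--log-uid}}} are standard iptables features.

```shell
#!/bin/sh
# Added example (not from the original page): build the non-Tor OUTPUT policy
# described above as a list of iptables/ip6tables commands, check the inputs
# first, and only then apply them with a fail-fast shell.
# Assumptions: TOR_USER is the account Tor runs as (debian-tor on Debian/Ubuntu,
# tor on Gentoo). NTP_USER is the account your NTP daemon runs as; "any" keeps
# the page's unrestricted UDP/123 rule and "" adds no NTP rule at all.

# rules_for TOOL TOR_USER NTP_MODE
#   Prints one command per line; nothing is executed here.
rules_for() {
    tool="$1"; tor="$2"; ntp="$3"
    printf '%s\n' "$tool -F OUTPUT"
    printf '%s\n' "$tool -A OUTPUT -o lo -j ACCEPT"
    printf '%s\n' "$tool -A OUTPUT -m owner --uid-owner $tor -j ACCEPT"
    case "$ntp" in
        "")  ;;                                   # no clock sync outside Tor
        any) printf '%s\n' "$tool -A OUTPUT -p udp --dport 123 -j ACCEPT" ;;
        *)   printf '%s\n' "$tool -A OUTPUT -p udp --dport 123 -m owner --uid-owner $ntp -j ACCEPT" ;;
    esac
    if [ "$tool" = ip6tables ]; then
        # Kernel-generated Neighbor Discovery (ICMPv6 types 133/135/136) has no
        # owning user and would be dropped by the policy, breaking IPv6 for Tor too.
        for t in 133 135 136; do
            printf '%s\n' "$tool -A OUTPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
        done
    fi
    # Log what the policy is about to drop, with the owning UID, so leaks are visible.
    printf '%s\n' "$tool -A OUTPUT -j LOG --log-prefix 'non-tor-out: ' --log-uid"
    # Policy last: if any line above fails, the fail-fast shell stops before this.
    printf '%s\n' "$tool -P OUTPUT DROP"
}

# check_user NAME -> 0 if the account exists, 1 otherwise
check_user() {
    getent passwd "$1" >/dev/null 2>&1
}

# apply_policy TOR_USER NTP_MODE  (run as root from a local console; this cuts
# an SSH session, as the page's note says)
apply_policy() {
    check_user "$1" || { echo "no such user: $1" >&2; return 1; }
    case "$2" in
        ""|any) ;;
        *) check_user "$2" || { echo "no such user: $2" >&2; return 1; } ;;
    esac
    rules_for iptables  "$1" "$2" | sh -e
    rules_for ip6tables "$1" ""   | sh -e   # no NTP over IPv6, as on the page
}

case "${1:-}" in
    show)  rules_for iptables  "${TOR_USER:-debian-tor}" "${NTP_USER:-any}"
           rules_for ip6tables "${TOR_USER:-debian-tor}" "" ;;
    apply) apply_policy "${TOR_USER:-debian-tor}" "${NTP_USER:-any}" ;;
esac
```

Saved as, say, {{{tor-outbound.sh}}} (the file name is assumed), {{{sh tor-outbound.sh show}}} prints the commands without touching the firewall, and {{{TOR_USER=tor NTP_USER=ntp sh tor-outbound.sh apply}}} applies them as root. Because the commands run under {{{sh -e}}}, a rejected rule (for example an unknown user name) leaves the chain with its old policy instead of with a DROP policy and no ACCEPT for Tor.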

**(addition by mathew, start)**

I worked further on this. I will try to show the script that I use to run protection for the system tor, as above, along with TBB-Tor.

Based on:

[https://trac.torproject.org/projects/tor/ticket/5741#comment:22 Prevent and LOG any potential DNS-leakage with iptables (Debian GNU/Linux way)] and other tips (and some experience).

{{{
#!/bin/bash
# Run as root from a local console: the INPUT/OUTPUT DROP policies below will
# cut off a remote SSH session. This script configures IPv4 only; use ip6tables
# (see above) for IPv6.

echo; echo "++++++"
echo "Pls., just comment out all the \"sleep 2\" lines, once you figure out this script"
echo "It then runs in one go, no delays."
echo "++++++"; echo

# vars
iptables=/sbin/iptables

# Debian, Ubuntu... stock install
TOR_UID=$(id -u debian-tor)
if [ -z "$TOR_UID" ]; then
    echo "debian-tor user not found; refusing to continue" >&2
    exit 1
fi
echo \$TOR_UID: $TOR_UID
sleep 2

# After issued: "addgroup --system tbb-tor", with password ("gpasswd tbb-tor")
# getent matches the group name exactly (a plain grep on /etc/group would also match
# any other group whose line contains "tbb-tor")
TBB_GID=$(getent group tbb-tor | cut -d: -f3)
if [ -z "$TBB_GID" ]; then
    echo "tbb-tor group not found; run: addgroup --system tbb-tor" >&2
    exit 1
fi
echo \$TBB_GID: $TBB_GID
sleep 2

# -F (flush rules) must come before -X (delete user chains): a chain cannot be
# deleted while rules still reference it
echo " * flushing old rules (filter)"
$iptables -t filter -F; $iptables -t filter -X
sleep 2

echo " * flushing the nat table"
$iptables -t nat -F; $iptables -t nat -X
sleep 2

echo " * flushing the mangle table"
$iptables -t mangle -F; $iptables -t mangle -X
sleep 2

echo " * flushing the raw table"
$iptables -t raw -F; $iptables -t raw -X
sleep 2

# Should print 0 on a workstation; with forwarding off, FORWARD DROP below is only a safety net
echo "cat /proc/sys/net/ipv4/ip_forward :"
cat /proc/sys/net/ipv4/ip_forward
sleep 2

echo " * Set default policies for INPUT FORWARD (OUTPUT is set last, after its ACCEPT rules)"
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
sleep 2

echo " * Enable free use of loopback interface on INPUT"
$iptables -I INPUT 1 -i lo -j ACCEPT
sleep 2

echo " * All TCP sessions should begin with SYN"
$iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-level error --log-prefix tor_rules_no_syn
$iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
sleep 2

echo " * Allow ESTABLISHED packets at INPUT"
#$iptables -A INPUT -m state --state ESTABLISHED -j LOG --log-level error --log-prefix tor_rules_est
# acceptable option s/ESTABLISHED/ESTABLISHED,RELATED/ instead
$iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
sleep 2

echo " * Enable free use of loopback interface on OUTPUT"
$iptables -A OUTPUT -o lo -j ACCEPT
sleep 2

echo " * allowing all if owner debian-tor at OUTPUT"
$iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT

echo " * allowing all if gid-owner tbb-tor at OUTPUT"
$iptables -A OUTPUT -m owner --gid-owner $TBB_GID -j ACCEPT
sleep 2

echo " * DROP everything else and Log it"
# Log (with the owning UID) before the policy drops the packet, so leaks show up in the kernel log
$iptables -A OUTPUT -j LOG --log-level error --log-prefix tor_rules_out_drop --log-uid
$iptables -P OUTPUT DROP
sleep 2

echo " * saving settings"
/sbin/iptables-save > /etc/iptables.up.rules
}}}

As root, chmod 700 <the-above-script>. Execute it as root. And a little more to do...

You need to change group ownership of the entire Tor Browser Bundle uncompressed archive (for which we created the group tbb-tor), like (if I remember correctly):

{{{
# chgrp -R tbb-tor tor-browser_en-US/
}}}

What I do know is that no packets go out into the deep web from a machine with iptables set up with a script like that one of mine above (please do check if I made any typos...). It's only Tor. And you can run both the Debian system tor and the Tor Browser Bundle. Only to the darkweb does the traffic go...

And you run the TBB like this:

{{{
$ cd tor-browser_en-US/
$ sg tbb-tor -c ./start-tor-browser
}}}

**(end of mathew's addition)**
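Both rule sets on this page log packets before the OUTPUT policy drops them, which only helps if someone reads the kernel log. The following is an added example, not part of mathew's addition or of the original page: a small shell/awk summary of such LOG lines, grouped by owning UID, protocol and destination, so that a leaking process (for instance a resolver sending UDP/53 outside Tor) stands out. The sample log lines are constructed for this example, the {{{non-tor-out:}}} prefix is an assumption (pass whatever prefix your own LOG rules use, for example {{{tor_rules_no_syn}}} from the script above), and the {{{UID=}}} field only appears when the LOG rule was given {{{--log-uid}}}.

```shell
#!/bin/sh
# Added example (not from the original page): summarise kernel LOG lines written
# by a "log, then DROP" OUTPUT rule, grouped by owning UID, protocol and destination.
# Assumptions: the LOG rule used --log-prefix "non-tor-out: " and --log-uid (which
# adds the UID=/GID= fields); the sample lines below are constructed for this example.

# Constructed sample of `journalctl -k` / dmesg output. Three packets escaped the
# Tor user: two DNS queries to the LAN resolver (one from uid 1000, one from root)
# and one direct HTTPS SYN from uid 1000. The last line is unrelated noise.
SAMPLE_LOG='kernel: non-tor-out: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=51234 DPT=53 LEN=40 UID=1000 GID=1000
kernel: non-tor-out: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
kernel: non-tor-out: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=51235 DPT=53 LEN=40 UID=0 GID=0
kernel: eth0: link is up'

# leak_summary PREFIX  (reads log lines on stdin)
# Prints one line per distinct "UID PROTO DST:DPT" with its packet count, sorted.
# Fields that are missing (e.g. no UID= because --log-uid was not set) print as "?".
leak_summary() {
    grep -F -- "$1" | awk '
        {
            uid = "?"; proto = "?"; dst = "?"; dpt = "?"
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (eq == 0) continue
                k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
                if (k == "UID") uid = v
                else if (k == "PROTO") proto = v
                else if (k == "DST") dst = v
                else if (k == "DPT") dpt = v
            }
            count[uid " " proto " " dst ":" dpt]++
        }
        END { for (key in count) print key, count[key] }
    ' | sort
}

# sample_summary: run the summary over the constructed sample (for trying it out).
sample_summary() {
    printf '%s\n' "$SAMPLE_LOG" | leak_summary "non-tor-out:"
}

# Real use, as root:  journalctl -k --since today | leak_summary "non-tor-out:"
```

On the constructed sample this prints three lines: the root DNS query, the uid 1000 HTTPS attempt and the uid 1000 DNS query, each with a count of 1. Anything listed here is a local process that tried to reach the network outside Tor and was stopped by the policy; a UID of {{{?}}} means the rule was logging without {{{--log-uid}}}.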