= Blocking all local outbound non-Tor traffic with iptables =
A few simple {{{iptables}}} commands can achieve this. ('''Note:''' If you are logged in over SSH, these rules will cut off your session immediately!)
In order for these to work, you must ensure the {{{--uid-owner}}} option is followed by the Tor user account on your system. This user is {{{debian-tor}}} on both Debian and Ubuntu; Gentoo uses just {{{tor}}}; other distributions may use different names. If you're unsure, you can list the user accounts on your system with {{{cat /etc/passwd}}}.
As root, execute the following commands:
{{{
# iptables -F OUTPUT
# iptables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
# iptables -A OUTPUT -j ACCEPT -o lo
# iptables -A OUTPUT -j ACCEPT -p udp --dport 123
# iptables -P OUTPUT DROP
# iptables -L -v
}}}
The last command lists the rules together with their per-rule packet counters, so you can see how many packets each ACCEPT rule let through and how many the DROP policy discarded.
'''Notice:''' The line containing {{{iptables -A OUTPUT -j ACCEPT -p udp --dport 123}}} allows outbound NTP (time synchronisation) traffic that is not routed over Tor; leave it out if you do not want that exception. The line containing {{{iptables -A OUTPUT -j ACCEPT -o lo}}} allows traffic over the loopback device, which never leaves the machine and is completely safe.
The above commands only set rules for IPv4 traffic. To block outbound non-Tor IPv6 traffic, you will have to use {{{ip6tables}}}. Execute the following commands as root:
{{{
# ip6tables -F OUTPUT
# ip6tables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
# ip6tables -A OUTPUT -j ACCEPT -o lo
# ip6tables -P OUTPUT DROP
}}}
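The two command lists above, put together as one script. This is an added example, not part of the original wiki page: it detects the Tor daemon's account instead of hard-coding {{{debian-tor}}}, emits the IPv4 and IPv6 rules in one go, and can print them for review before anything is applied. The candidate account names ({{{debian-tor}}}, {{{tor}}}, {{{_tor}}}), the optional {{{conntrack ESTABLISHED}}} rule that keeps an existing SSH session alive, and the passwd-file parameter used for testing are assumptions that are not on the page.

```shell
#!/bin/sh
# Added example, not from the wiki page: build the page's "Tor only" OUTPUT
# policy for iptables and ip6tables, detecting the Tor account automatically.
# Assumptions (not from the page): candidate account names debian-tor, tor,
# _tor; the passwd file path is a parameter so detection can be exercised on a
# constructed copy; KEEP_ESTABLISHED=1 adds a conntrack rule so replies inside
# an already established connection (your SSH session) are still allowed.

# find_tor_user [PASSWD_FILE]: print the first known Tor account found.
find_tor_user() {
    passwd_file=${1:-/etc/passwd}
    for candidate in debian-tor tor _tor; do
        if grep -q "^${candidate}:" "$passwd_file"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    echo "no Tor account found in $passwd_file; check it by hand" >&2
    return 1
}

# tor_only_rules TOR_USER [KEEP_ESTABLISHED]: print the commands, one per line.
tor_only_rules() {
    tor_user=$1
    keep_established=${2:-0}
    for fw in iptables ip6tables; do
        printf '%s -F OUTPUT\n' "$fw"
        printf '%s -A OUTPUT -o lo -j ACCEPT\n' "$fw"
        printf '%s -A OUTPUT -m owner --uid-owner %s -j ACCEPT\n' "$fw" "$tor_user"
        # Only packets belonging to a connection conntrack already knows pass
        # here; a new connection from any other user is still NEW and dropped.
        if [ "$keep_established" = 1 ]; then
            printf '%s -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' "$fw"
        fi
        # The page allows NTP outside Tor for IPv4 only; keep it that way.
        if [ "$fw" = iptables ]; then
            printf '%s -A OUTPUT -p udp --dport 123 -j ACCEPT\n' "$fw"
        fi
        printf '%s -P OUTPUT DROP\n' "$fw"
    done
}

# apply_tor_only TOR_USER [KEEP_ESTABLISHED]: run each generated command (root).
apply_tor_only() {
    tor_only_rules "$1" "${2:-0}" | while read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# rule_count TOR_USER [KEEP_ESTABLISHED]: number of commands that would run.
rule_count() {
    tor_only_rules "$1" "${2:-0}" | wc -l | tr -d ' '
}

# Direct use as root:  ./tor-only.sh show [keep-ssh]   or   ./tor-only.sh apply [keep-ssh]
case "${1:-}" in
    show)  tor_only_rules "$(find_tor_user)" "${2:+1}" ;;
    apply) apply_tor_only "$(find_tor_user)" "${2:+1}" ;;
esac
```

Run {{{show}}} first and read the list; only {{{apply}}} touches the firewall, and without the {{{keep-ssh}}} argument it behaves exactly like the commands on the page, SSH cut-off included.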
'''(addition by mathew, start)'''
I worked further on this. I will try to show the script that I use to run protection for the system tor, as above, along with TBB-Tor.
Based on:
[https://trac.torproject.org/projects/tor/ticket/5741#comment:22 Prevent and LOG any potential DNS-leakage with iptables (Debian GNU/Linux way)] and other tips (and some experience).
{{{
#!/bin/bash
echo; echo "++++++"
echo "Pls., just comment out all the \"sleep 2\" lines, once you figure out this script"
echo "It then runs in one go, no delays."
echo "++++++"; echo
# vars
iptables=/sbin/iptables
# Debian, Ubuntu... stock install
TOR_UID=$(id -u debian-tor)
echo \$TOR_UID: $TOR_UID
sleep 2
# After issued: "addgroup --system tbb-tor", with password ("gpasswd tbb-tor")
# The group id used below was never looked up in the original script; resolve it here
TBB_GID=$(getent group tbb-tor | cut -d: -f3)
echo \$TBB_GID: $TBB_GID
# Stop early if either lookup came back empty; "--uid-owner ''" would fail later anyway
if [ -z "$TOR_UID" ] || [ -z "$TBB_GID" ]; then
    echo "debian-tor user or tbb-tor group not found, aborting" >&2
    exit 1
fi
sleep 2
$iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
sleep 2
#
#
# Start from an empty OUTPUT chain so re-running the script does not stack duplicate rules
$iptables -F OUTPUT
echo " * Enable free use of loopback interface on OUTPUT"
$iptables -A OUTPUT -o lo -j ACCEPT
sleep 2
echo " * allowing all if owner debian-tor at OUTPUT"
$iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
#
echo " * allowing all if gid-owner tbb-tor at OUTPUT"
$iptables -A OUTPUT -m owner --gid-owner $TBB_GID -j ACCEPT
sleep 2
echo " * DROP everything else and Log it"
# Log (rate-limited) whatever reaches the end of the chain, then let the policy drop it
$iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
$iptables -P OUTPUT DROP
sleep 2
echo " * saving settings"
/sbin/iptables-save > /etc/iptables.up.rules
}}}
As root, chmod 700 <the-above-script>. Execute it as root. And a little more to do...
You need to change group ownership of the entire Tor Browser Bundle uncompressed archive (for which we created the group tbb-tor), like (if I remember correctly):
{{{
# chgrp -R tbb-tor tor-browser_en-US/
}}}
What I do know is that no packets go out into the deep web from a machine with iptables set by a script like that one of mine above (pls. do check if I made any typos...). It's only Tor. And you can run both the Debian system tor and the Tor Browser Bundle. Only to the darkweb the traffic goes...
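A way to check the result instead of trusting it: the following audit is an added example and is neither part of the wiki page nor of mathew's script. It reads an {{{iptables-save}}} dump (the {{{/etc/iptables.up.rules}}} file the script writes, or {{{iptables-save}}} / {{{ip6tables-save}}} output piped in with {{{-}}} as the file name) and reports every ACCEPT rule in OUTPUT that is not loopback, the Tor uid, the optional {{{tbb-tor}}} gid or the page's IPv4 NTP exception, plus a FAIL line if the chain does not end in DROP. The numeric uid/gid parameters are an assumption based on {{{iptables-save}}} storing owner matches numerically; the sample dumps in the usage are constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page or mathew's script: audit the OUTPUT
# chain of an iptables-save dump and confirm nothing but Tor may leave.
# Assumptions (not from the page): the dump is a file parameter ("-" reads
# stdin, as awk allows); uid/gid are given numerically, as iptables-save
# stores them; NTP (udp/123) is tolerated because the page allows it.

# audit_output_chain RULES_FILE TOR_UID [TBB_GID]
# Returns 0 when every ACCEPT in OUTPUT is loopback, the Tor uid, the optional
# tbb-tor gid or udp/123, and the chain ends in DROP; 1 otherwise (problems
# are printed); 2 on missing arguments.
audit_output_chain() {
    if [ -z "${2:-}" ]; then
        echo "usage: audit_output_chain RULES_FILE TOR_UID [TBB_GID]" >&2
        return 2
    fi
    awk -v tor_uid="$2" -v tbb_gid="${3:-}" '
        # ":OUTPUT DROP [0:0]" carries the chain policy
        /^:OUTPUT / { policy = $2 }
        /^-A OUTPUT / && /-j ACCEPT/ {
            if ($0 ~ /-o lo( |$)/) next
            if ($0 ~ ("--uid-owner " tor_uid "( |$)")) next
            if (tbb_gid != "" && $0 ~ ("--gid-owner " tbb_gid "( |$)")) next
            if ($0 ~ /-p udp .*--dport 123( |$)/) next
            bad++
            print "WARN: unexpected ACCEPT in OUTPUT: " $0
        }
        # An explicit catch-all DROP/REJECT rule is as good as a DROP policy
        /^-A OUTPUT / && /-j (DROP|REJECT)( |$)/ { explicit_drop = 1 }
        END {
            if (policy != "DROP" && !explicit_drop) {
                print "FAIL: OUTPUT policy is " policy " and there is no final DROP rule"
                bad++
            }
            print (bad ? "RESULT: " bad " problem(s) found" : "RESULT: OUTPUT chain is Tor-only")
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Direct use as root, e.g.:
#   ./audit-tor-only.sh /etc/iptables.up.rules "$(id -u debian-tor)" "$(getent group tbb-tor | cut -d: -f3)"
#   iptables-save | ./audit-tor-only.sh - "$(id -u debian-tor)"
if [ $# -ge 2 ]; then
    audit_output_chain "$1" "$2" "${3:-}"
fi
```

Run it once against the IPv4 dump and once against {{{ip6tables-save}}}; a clean result on IPv4 says nothing about IPv6, which is exactly the gap the {{{ip6tables}}} section above closes.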