# Blocking all local outbound non-Tor traffic with iptables

A few `iptables` commands are enough to stop every process on the machine except the Tor daemon from sending packets out. (**Note:** the rules below also drop the replies your SSH server sends, so if you are logged in over SSH they will cut your session off immediately. Run them from a local console, or make sure you have another way back in.)

In order for these to work, the `--uid-owner` option must be followed by the account the Tor daemon runs as on your system. It is `debian-tor` on both Debian and Ubuntu, Gentoo uses just `tor`, and other distributions may use different names. If you are unsure, list the accounts on the system with `cat /etc/passwd` and look for the one the `tor` process is started under. The `owner` match only applies to locally generated packets, which is why every rule below lives in the `OUTPUT` chain; traffic that the machine forwards for other hosts passes through `FORWARD` and is not affected by these rules.


As root, execute the following commands:

```
# iptables -F OUTPUT
# iptables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
# iptables -A OUTPUT -j ACCEPT -o lo
# iptables -A OUTPUT -j ACCEPT -p udp --dport 123
# iptables -P OUTPUT DROP
# iptables -L -v
```

The last command lists every chain with per-rule packet and byte counters, and the `OUTPUT` chain header shows how many packets the `DROP` policy has discarded. Generate some traffic from a program that is not Tor and check that only the policy counter moves, never one of the `ACCEPT` rules. Note that the rules live only in the running kernel: they are lost at reboot unless you save them (for example with `iptables-save`) and restore them at boot.

**Notice:** The line containing `iptables -A OUTPUT -j ACCEPT -p udp --dport 123` allows outbound NTP, which is UDP and therefore cannot be carried by Tor, to leave the machine in the clear. Tor needs a roughly correct clock, but be aware that this is a deliberate non-Tor exception: an observer on your uplink sees which NTP servers you poll and when. Remove the line if you keep the clock correct by other means. The line containing `iptables -A OUTPUT -j ACCEPT -o lo` allows traffic over the loopback device and is completely safe: packets on `lo` never leave the machine, and this rule is what lets local applications reach Tor's SOCKS port on 127.0.0.1.

The above commands only set rules for IPv4 traffic. `ip6tables` keeps a separate rule set, so on a host with IPv6 connectivity non-Tor traffic would still leak over IPv6. To block it, execute the following commands as root (note that this set has no NTP exception, so an NTP client that talks to IPv6 servers will be blocked):

```
# ip6tables -F OUTPUT
# ip6tables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
# ip6tables -A OUTPUT -j ACCEPT -o lo
# ip6tables -P OUTPUT DROP
```
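
Typing the two rule sets by hand makes it easy to get the order or the account name wrong. The script below is an added example (not part of the original wiki page and not Tor Project code) that prints the complete IPv4 and IPv6 rule set for a given Tor account so it can be reviewed before it is loaded, and loads it only when run as root with `apply`. Compared with the rules above it sets the `DROP` policy before flushing, so the chain never fails open while it is being rebuilt, adds a rate-limited `LOG` rule so that blocked packets show up in the kernel log instead of vanishing silently, and has an optional exception for packets belonging to connections that already exist in conntrack, which is what keeps an SSH session alive. The default account `debian-tor`, the `ALLOW_NTP`/`SSH_REPLIES` switches and the log prefix `non-tor-out:` are this example's own choices, not something the page prescribes.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: print (or apply) the
# tor-only OUTPUT rules for IPv4 and IPv6 from one place.
#
# Usage:  tor-only.sh show     (default: print the rules for review)
#         tor-only.sh apply    (root only: flush OUTPUT and load the rules)
# Knobs (assumptions of this example, not from the page):
#   TOR_USER     account the Tor daemon runs as            (default debian-tor)
#   ALLOW_NTP    1 = keep the cleartext UDP/123 exception  (default 1)
#   SSH_REPLIES  1 = let replies to established inbound connections out,
#                so an SSH session survives loading the rules (default 0)

# tor_only_rules TOOL USER ALLOW_NTP SSH_REPLIES
#   prints the rules for one address family; TOOL is iptables or ip6tables
tor_only_rules() {
    tool="$1"; user="$2"; allow_ntp="$3"; ssh_replies="$4"
    # Policy first: while the chain is rebuilt it fails closed, not open.
    echo "$tool -P OUTPUT DROP"
    echo "$tool -F OUTPUT"
    # Loopback never leaves the host and is how clients reach Tor's SOCKS port.
    echo "$tool -A OUTPUT -o lo -j ACCEPT"
    if [ "$ssh_replies" = 1 ]; then
        # Only packets of flows conntrack already knows (e.g. an inbound SSH
        # session). A NEW outbound connection from a non-Tor user still has
        # to pass the owner rule below, so this does not reopen a leak.
        echo "$tool -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    fi
    # Everything the Tor daemon itself sends.
    echo "$tool -A OUTPUT -m owner --uid-owner $user -j ACCEPT"
    if [ "$allow_ntp" = 1 ]; then
        # Deliberate cleartext exception: NTP is UDP and cannot use Tor.
        echo "$tool -A OUTPUT -p udp --dport 123 -j ACCEPT"
    fi
    # Make leaks visible: log (rate limited) what the DROP policy will discard.
    echo "$tool -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix \"non-tor-out: \""
}

# tor_only_all USER ALLOW_NTP SSH_REPLIES : rules for both address families
tor_only_all() {
    tor_only_rules iptables  "$1" "$2" "$3"
    tor_only_rules ip6tables "$1" "$2" "$3"
}

tor_only_main() {
    user="${TOR_USER:-debian-tor}"
    case "${1:-show}" in
        show)
            tor_only_all "$user" "${ALLOW_NTP:-1}" "${SSH_REPLIES:-0}"
            ;;
        apply)
            [ "$(id -u)" = 0 ] || { echo "apply must run as root" >&2; return 1; }
            # Fail early on a mistyped account name instead of half-loading the set.
            getent passwd "$user" >/dev/null || { echo "no such user: $user" >&2; return 1; }
            tor_only_all "$user" "${ALLOW_NTP:-1}" "${SSH_REPLIES:-0}" | sh -e
            iptables -L OUTPUT -v -n
            ip6tables -L OUTPUT -v -n
            ;;
        *)
            echo "usage: $0 [show|apply]" >&2; return 2
            ;;
    esac
}

tor_only_main "$@"
```

Run it without arguments (or with `show`) as any user to read the rules it would load; `SSH_REPLIES=1 ./tor-only.sh apply` as root loads them without dropping the SSH session you run it from. The `ESTABLISHED` exception lets out replies to any inbound connection your `INPUT` chain admits, so it belongs together with an `INPUT` policy that only accepts what you actually serve.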

**(addition by mathew, start)**

I worked further on this. I will try to show the script that I use to run protection for the system tor, as above, along with TBB-Tor.

Based on:

[Prevent and LOG any potential DNS-leakage with iptables (Debian GNU/Linux way)](https://trac.torproject.org/projects/tor/ticket/5741#comment:22) and other tips (and some experience).

```
#!/bin/bash
echo; echo "++++++"
echo "Pls., just comment out all the \"sleep 2\" lines, once you figure out this script"
echo "It then runs in one go, no delays."
# [...] the body of the script is not reproduced on this page; only its beginning and end survived
echo " * saving settings"
/sbin/iptables-save > /etc/iptables.up.rules
```


As root, `chmod 700 <the-above-script>`. Execute it as root. And there is a little more to do...

You need to change group ownership of the entire uncompressed Tor Browser Bundle archive (for which we created the group `tbb-tor`), like this (if I remember correctly):

```
# chgrp -R tbb-tor tor-browser_en-US/
```

What I do know is that no packets go out into the deep web from a machine with iptables set up with a script like mine above (please do check if I made any typos...). It's only Tor. And you can run both the Debian system tor and the Tor Browser Bundle. The traffic goes only to the darkweb...

And you run the TBB like this:

```
$ cd tor-browser_en-US/
$ sg tbb-tor -c ./start-tor-browser
```

**(end of mathew's addition)**
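
Mathew asks readers to check his script for typos. Rather than eyeballing rules, the rule set as the kernel actually holds it can be checked mechanically. The function below is an added example (not from the page and not mathew's script) that reads `iptables-save` or `ip6tables-save` output on stdin and reports every `OUTPUT` `ACCEPT` rule that is not the loopback rule, the Tor account's `--uid-owner` rule, or an optional `--gid-owner` rule for a group such as mathew's `tbb-tor`; it warns about a cleartext NTP exception and fails if the chain policy is not `DROP` and no closing `DROP`/`REJECT` rule exists. `iptables-save` writes owner matches as numbers, so the numeric uid and gid are passed (`id -u debian-tor`, the gid from `getent group tbb-tor`). The two dumps embedded below are constructed for this example, with uid 109 and gid 1001 made up, one clean and one with a stray DNS exception.

```shell
#!/bin/sh
# Added example, not part of the original page or of mathew's script:
# audit an iptables-save / ip6tables-save dump for non-Tor OUTPUT leaks.
#
# audit_tor_only TOR_UID [TBB_GID]  < dump
#   prints WARN/FAIL lines (or OK) and returns 1 if any FAIL was found.
#   iptables-save writes --uid-owner/--gid-owner numerically, so pass the
#   numeric ids, e.g.  iptables-save | audit_tor_only "$(id -u debian-tor)" 1001
audit_tor_only() {
    awk -v user="$1" -v group="${2:-}" '
    /^\*/              { table = substr($0, 2); next }   # *filter, *nat, ...
    table != "filter"  { next }                          # OUTPUT policy lives in filter
    /^:OUTPUT /        { policy = $2; next }             # ":OUTPUT DROP [pkts:bytes]"
    /^-A OUTPUT / && / -j ACCEPT/ {
        if ($0 ~ / -o lo /) next                         # loopback never leaves the host
        if (match($0, /--uid-owner [^ ]+/) && substr($0, RSTART + 12, RLENGTH - 12) == user) {
            tor_rule++; next                             # the Tor daemon itself
        }
        if (group != "" && match($0, /--gid-owner [^ ]+/) && substr($0, RSTART + 12, RLENGTH - 12) == group) {
            next                                         # TBB started via sg <group>
        }
        if ($0 ~ / -p udp / && $0 ~ /--dport 123( |$)/) {
            print "WARN leaves Tor in the clear (NTP): " $0; next
        }
        print "FAIL non-Tor ACCEPT: " $0; bad++; next    # anything else is a leak
    }
    /^-A OUTPUT .* -j (DROP|REJECT)( |$)/ { closed++ }
    END {
        if (policy != "DROP" && !closed) {
            print "FAIL OUTPUT policy is " policy " and there is no final DROP/REJECT rule"; bad++
        }
        if (!tor_rule) {
            print "FAIL no ACCEPT rule with --uid-owner " user " (Tor itself would be blocked)"; bad++
        }
        if (!bad) print "OK"
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample dumps (not captured from a real system): uid 109 stands
# for debian-tor and gid 1001 for mathew's tbb-tor group.
sample_clean() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 109 -j ACCEPT
-A OUTPUT -m owner --gid-owner 1001 -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "non-tor-out: "
COMMIT
EOF
}

sample_leaky() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 109 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Stand-alone demo on the constructed dumps; on a live host pipe iptables-save
# and ip6tables-save into audit_tor_only instead.
echo "== clean dump";  sample_clean | audit_tor_only 109 1001
echo "== leaky dump";  sample_leaky | audit_tor_only 109 || echo "(leak found, exit status $?)"
```

The leaky dump is caught because its `--dport 53` rule is neither loopback nor owner-matched, which is exactly the DNS escape the linked ticket is about; running the clean dump without the gid argument also fails, since an unexplained `--gid-owner` rule is a leak unless you know which group it belongs to.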