= Blocking all local outbound non-Tor traffic with iptables =
A few simple {{{iptables}}} commands can achieve this. ('''Note:''' If you are logged in over SSH, these rules will cut off your session immediately, since SSH traffic is not Tor traffic.)
In order for these to work, you must ensure the {{{--uid-owner}}} option is followed by the Tor user account on your system. This user is {{{debian-tor}}} on both Debian and Ubuntu; Gentoo uses just {{{tor}}}; other distributions may use different names. If you're unsure, you can list the user accounts on your system with {{{cat /etc/passwd}}}.
As root, execute the following commands:
{{{
# iptables -F OUTPUT
# iptables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
# iptables -A OUTPUT -j ACCEPT -o lo
# iptables -A OUTPUT -j ACCEPT -p udp --dport 123
# iptables -P OUTPUT DROP
# iptables -L -v
}}}
The last command displays, for each rule, the number of packets it has accepted; the chain's policy line shows how many have been dropped.
'''Notice:''' The line containing {{{iptables -A OUTPUT -j ACCEPT -p udp --dport 123}}} is used to allow outbound NTP connections that are not routed over Tor; these time-sync packets leave the machine in the clear, so leave that rule out if you do not need it. The line containing {{{iptables -A OUTPUT -j ACCEPT -o lo}}} is used to allow traffic over the loopback device and is completely safe.
The above commands only set rules for IPv4 traffic. To block outbound non-Tor IPv6 traffic, you will have to use {{{ip6tables}}}. Execute the following commands as root:
{{{
# ip6tables -F OUTPUT
# ip6tables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
# ip6tables -A OUTPUT -j ACCEPT -o lo
# ip6tables -P OUTPUT DROP
}}}
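The two rule sets above, as an added example that is not part of the original page or of the Tor project's code: a POSIX shell script that takes the Tor account as a parameter, refuses to run if that account is not in {{{/etc/passwd}}}, emits the page's IPv4 rules (with the NTP exception) and IPv6 rules (without it, as listed above), and with {{{DRY_RUN=1}}} prints the commands instead of executing them. The function and variable names ({{{build_rules}}}, {{{apply_rules}}}, {{{TOR_USER}}}, {{{DRY_RUN}}}) and the script file name are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original wiki page or the Tor project): wraps the
# page's iptables/ip6tables OUTPUT rules in a script that checks the Tor account
# first and can print the commands instead of running them (DRY_RUN=1).
# Assumptions: the Tor daemon runs as $TOR_USER (default debian-tor, as on the
# page); the function and variable names below are this example's own.

# build_rules TOOL TOR_USER ALLOW_NTP
#   TOOL      : iptables or ip6tables
#   TOR_USER  : account the Tor daemon runs as
#   ALLOW_NTP : 1 keeps the page's clear-text UDP/123 exception, 0 leaves it out
# Prints one command per line. Order matters: -A appends, and the chain policy
# is set to DROP only after the ACCEPT rules are in place.
build_rules() {
    tool="$1"; user="$2"; ntp="$3"
    echo "$tool -F OUTPUT"
    echo "$tool -A OUTPUT -j ACCEPT -m owner --uid-owner $user"
    echo "$tool -A OUTPUT -j ACCEPT -o lo"
    if [ "$ntp" = 1 ]; then
        echo "$tool -A OUTPUT -j ACCEPT -p udp --dport 123"
    fi
    echo "$tool -P OUTPUT DROP"
}

# rule_count TOOL TOR_USER ALLOW_NTP -> number of commands build_rules prints
rule_count() {
    build_rules "$1" "$2" "$3" | wc -l | tr -d ' '
}

# tor_user_exists NAME -> status 0 if NAME is an account in /etc/passwd,
# the same file the page tells you to inspect when unsure of the Tor user.
tor_user_exists() {
    grep -q "^$1:" /etc/passwd
}

# apply_rules TOR_USER
# Applies the IPv4 set with the NTP exception and the IPv6 set without it,
# exactly as the page lists them. With DRY_RUN=1 the commands are only printed.
apply_rules() {
    user="$1"
    if ! tor_user_exists "$user"; then
        echo "no such account: $user (check /etc/passwd for your Tor user)" >&2
        return 1
    fi
    for spec in "iptables 1" "ip6tables 0"; do
        set -- $spec            # $1 = tool, $2 = ALLOW_NTP
        build_rules "$1" "$user" "$2" | while IFS= read -r cmd; do
            if [ "${DRY_RUN:-0}" = 1 ]; then
                echo "$cmd"
            else
                $cmd || exit 1  # abort the loop subshell on the first failure
            fi
        done || return 1
    done
    # Show per-rule and policy counters so you can confirm what is accepted
    # and what is being dropped (the page's "iptables -L -v" step).
    if [ "${DRY_RUN:-0}" != 1 ]; then
        iptables -L OUTPUT -v -n
        ip6tables -L OUTPUT -v -n
    fi
}

# Entry point when run as a script, e.g.:  DRY_RUN=1 sh tor-only-output.sh
case "${0##*/}" in
    tor-only-output.sh) apply_rules "${TOR_USER:-debian-tor}" ;;
esac
```

Review the dry-run output first, then run it as root from a local console rather than over SSH: as the page notes, the SSH session is cut off the moment the OUTPUT policy becomes DROP.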
'''(addition by mathew, start)'''
I worked further on this. I will try to show the script that I use to run protection for system tor, as above, along with TBB-Tor.
Based on:
[https://trac.torproject.org/projects/tor/ticket/5741#comment:22 Prevent and LOG any potential DNS-leakage with iptables (Debian GNU/Linux way)] and other tips (and some experience).
{{{
#!/bin/bash
echo; echo "++++++"
echo "Pls., just comment out all the \"sleep 2\" lines, once you figure out this script"
echo "It then runs in one go, no delays."
...
@@ -116,23 +115,23 @@ sleep 2
echo " * saving settings"
/sbin/iptables-save > /etc/iptables.up.rules
}}}
As root, chmod 700 <the-above-script>. Execute it as root. And a little more to do...
You need to change group ownership of the entire Tor Browser Bundle uncompressed archive (for which we created the group tbb-tor), like (if I remember correctly):
{{{
# chgrp -R tbb-tor tor-browser_en-US/
}}}
What I do know is that no packets go out into the deep web from the machine with iptables set with a script like that one of mine above (pls. do check if I made any typos...). It's only Tor. And you can run both the Debian system tor and the Tor Browser Bundle. Only to the darkweb does the traffic go...