= Blocking all local outbound non-Tor traffic with iptables =
A few simple {{{iptables}}} commands can achieve this. ('''Note:''' If you are logged in over SSH, these rules will cut your session off immediately: the outbound half of the SSH connection is not sent by the Tor user, so it is dropped.)
In order for these to work, you must ensure the {{{--uid-owner}}} option is followed by the user account Tor runs as on your system. This user is {{{debian-tor}}} on both Debian and Ubuntu, Gentoo uses just {{{tor}}}, and other distributions may use different names. If you're unsure, check which user the running daemon belongs to with {{{ps -o user= -C tor}}}, confirm the account exists with {{{id debian-tor}}} (or whatever name you found), or list all accounts on the system with {{{cat /etc/passwd}}}.
As root, execute the following commands:
{{{
# iptables -F OUTPUT
# iptables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
# iptables -A OUTPUT -j ACCEPT -o lo
# iptables -A OUTPUT -j ACCEPT -p udp --dport 123
# iptables -P OUTPUT DROP
# iptables -L -v
}}}
The last command lists the chains with per-rule packet and byte counters, so you can see how much traffic each ACCEPT rule has matched and how much the DROP policy of the OUTPUT chain has discarded; a policy counter that keeps growing means some local program is still trying to reach the network directly.
'''Notice:''' The line containing {{{iptables -A OUTPUT -j ACCEPT -p udp --dport 123}}} allows outbound NTP (UDP port 123) from any local user. This time-sync traffic is not routed over Tor and leaves the machine in the clear, so drop the rule if you do not need it. The line containing {{{iptables -A OUTPUT -j ACCEPT -o lo}}} allows traffic over the loopback device, which never leaves the machine and is completely safe; it is also what lets local applications reach Tor's SOCKS port. Everything else, including plain DNS lookups (UDP port 53) from non-Tor programs, is dropped.
The above commands only set rules for IPv4 traffic. To block outbound non-Tor IPv6 traffic as well, you have to repeat them with {{{ip6tables}}}, which manages the separate IPv6 tables. Execute the following commands as root:
{{{
# ip6tables -F OUTPUT
# ip6tables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
# ip6tables -A OUTPUT -j ACCEPT -o lo
# ip6tables -P OUTPUT DROP
}}}
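The IPv4 and IPv6 rule sets above are typed as separate commands, which leaves a short window between the {{{-F OUTPUT}}} and the {{{-P OUTPUT DROP}}}: on a fresh system the chain is empty with an ACCEPT policy (everything leaks for a moment), and on a system where the policy is already DROP from an earlier run the flush briefly blocks Tor itself. The script below is an added example, not code from the original page: it builds the same rules as an {{{iptables-restore}}} ruleset so that the flush, the ACCEPT rules and the DROP policy are committed in one step, and loads it with {{{--noflush}}} so the INPUT and FORWARD chains are left alone. The {{{TOR_USER}}} variable, the {{{apply}}} argument and the function names are this example's own assumptions; the default user {{{debian-tor}}} is the Debian/Ubuntu name from the text.

```shell
#!/bin/sh
# Added example (not from the original page): the page's OUTPUT-chain rules
# as an atomic iptables-restore ruleset for IPv4 and IPv6.
#
# Assumptions (not from the original page): Tor runs as $TOR_USER
# (debian-tor on Debian/Ubuntu, tor on Gentoo) and iptables-restore /
# ip6tables-restore are installed. Run as root with the argument "apply".

TOR_USER="${TOR_USER:-debian-tor}"

# Print the account the Tor daemon is actually running as, so TOR_USER can be
# checked against reality instead of guessed from /etc/passwd.
running_tor_user() {
    ps -o user= -C tor 2>/dev/null | head -n 1
}

# gen_ruleset FAMILY USER
# FAMILY is 4 or 6. Emits an iptables-restore fragment for the filter table
# that touches only the OUTPUT chain (meant to be loaded with --noflush).
gen_ruleset() {
    family="$1"
    user="$2"
    printf '*filter\n'
    # Chain line sets the policy: everything not explicitly accepted is dropped.
    printf ':OUTPUT DROP [0:0]\n'
    # Clear the old OUTPUT rules only; the policy and the new rules below are
    # committed together with the flush.
    printf -- '-F OUTPUT\n'
    printf -- '-A OUTPUT -m owner --uid-owner %s -j ACCEPT\n' "$user"
    printf -- '-A OUTPUT -o lo -j ACCEPT\n'
    if [ "$family" = 4 ]; then
        # Cleartext NTP, exactly as on the page; the page's IPv6 set has no
        # NTP rule, so none is generated for family 6.
        printf -- '-A OUTPUT -p udp --dport 123 -j ACCEPT\n'
    fi
    printf 'COMMIT\n'
}

# count_accept_rules FAMILY USER: number of ACCEPT rules in the generated set
# (3 for IPv4 with the NTP rule, 2 for IPv6).
count_accept_rules() {
    gen_ruleset "$1" "$2" | grep -c -- '-j ACCEPT'
}

# apply_rulesets: commit both families atomically, then show the result with
# counters as the page suggests. Must run as root.
apply_rulesets() {
    gen_ruleset 4 "$TOR_USER" | iptables-restore --noflush || return 1
    gen_ruleset 6 "$TOR_USER" | ip6tables-restore --noflush || return 1
    iptables -L OUTPUT -v -n
    ip6tables -L OUTPUT -v -n
}

if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = "apply" ]; then
    if [ "$(running_tor_user)" != "$TOR_USER" ]; then
        echo "warning: tor is not running as $TOR_USER (found: $(running_tor_user))" >&2
    fi
    apply_rulesets
fi
```

Running {{{gen_ruleset 4 debian-tor}}} without root just prints the ruleset, which is a convenient way to review it or to save it for reload at boot; loading it with {{{--noflush}}} means a second run replaces only the OUTPUT chain and never widens the rules of the other chains.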
'''(addition by mathew, start)'''
I worked out this further. I will try to show the script that I use to run protection for the system Tor, as above, along with TBB-Tor.
Based on:
[https://trac.torproject.org/projects/tor/ticket/5741#comment:22 Prevent and LOG any potential DNS-leakage with iptables (Debian GNU/Linux way)] and other tips (and some experience).
{{{
#!/bin/bash
echo; echo "++++++"
echo "Pls., just comment out all the \"sleep 2\" lines, once you figure out this script"
echo "It then runs in one go, no delays."
...
...
sleep 2
echo " * saving settings"
/sbin/iptables-save > /etc/iptables.up.rules
}}}
As root, {{{chmod 700 <the-above-script>}}} and execute it as root. And there is a little more to do...
You need to change the group ownership of the entire uncompressed Tor Browser Bundle archive (for which we created the group {{{tbb-tor}}}), like this (if I remember correctly):
{{{
# chgrp -R tbb-tor tor-browser_en-US/
}}}
What I do know is that no packets go out into the deep web from a machine with iptables set up by a script like mine above (please do check whether I made any typos...). It's only Tor. And you can run both the Debian system Tor and the Tor Browser Bundle. The traffic only goes to the darkweb...