One more attempt...

iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports 9040

And the rules that I'm considering...
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Apologies for the spam!

> From: [email protected]
> To: [email protected]
> Date: Sat, 17 May 2014 14:59:23 +0000
> Subject: [tor-talk] Isolating Proxy and iptables.
>
> I'm setting up a Tor-based isolating proxy using the 'Anonymizing Middlebox'
> iptables rules specified here:
> https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
> i.e.
> iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
> iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports 9040
> ...and the INPUT, OUTPUT and FORWARD chains are left at the default. Would
> there be any merit to also including the following rules?
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> Or are they rendered unnecessary by my current setup?
> Are there any other firewall rules that I should consider in order to improve
> security and ensure that all traffic is torified?
> Many thanks.
> --
> tor-talk mailing list - [email protected]
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
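A full middlebox ruleset that answers the question in the message above, added here as an example; it is not part of the thread and not the Tor wiki's own script. It combines the wiki's two nat REDIRECT rules with the default-DROP policies the poster is considering, and adds the rules those policies make necessary: a redirected packet is delivered locally, so it still passes through INPUT and the two Tor ports have to be opened there, and with OUTPUT at DROP the Tor daemon itself needs a rule to reach its guards. Everything else stays blocked, FORWARD included, so nothing can be routed around Tor. Assumptions not stated in the thread: eth0 is the uplink ($EXT_IF), eth1 faces the isolated workstation ($INT_IF), Tor runs as the user debian-tor, and torrc binds TransPort 9040 and DNSPort 53 to the eth1 address (REDIRECT rewrites the destination to the primary address of the incoming interface, so Tor must listen there). Setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread or the Tor wiki: a complete ruleset for
# the anonymizing middlebox, combining the wiki's nat REDIRECTs with
# default-DROP policies and the extra rules those policies require.
# Assumed (not stated in the thread): EXT_IF=eth0 is the uplink, INT_IF=eth1
# faces the isolated workstation, Tor runs as user "debian-tor", and torrc
# binds TransPort 9040 and DNSPort 53 to the INT_IF address.
# Set IPT=echo (and IP6T=echo) to print the rules instead of applying them.
set -eu

IPT=${IPT:-iptables}
IP6T=${IP6T:-ip6tables}
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
TOR_USER=${TOR_USER:-debian-tor}
TRANS_PORT=9040
DNS_PORT=53

apply_rules() {
    # Start from scratch and deny everything by default, in all three chains
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # The Tor wiki's middlebox rules: client DNS and TCP SYNs arriving on
    # INT_IF are redirected to Tor's DNSPort and TransPort on this host
    $IPT -t nat -A PREROUTING -i "$INT_IF" -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
    $IPT -t nat -A PREROUTING -i "$INT_IF" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"

    # Loopback, and replies belonging to flows that were already permitted
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # A redirected packet is delivered locally, so it still traverses INPUT:
    # with the DROP policy the two Tor ports must be opened explicitly, and
    # only towards the internal interface
    $IPT -A INPUT -i "$INT_IF" -p tcp --dport "$TRANS_PORT" -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -p udp --dport "$DNS_PORT" -j ACCEPT

    # With OUTPUT at DROP, Tor's own connections to its guards also need a
    # rule; limiting it to the Tor user on the uplink means no other process
    # on the middlebox can talk to the Internet directly
    $IPT -A OUTPUT -o "$EXT_IF" -m owner --uid-owner "$TOR_USER" -m state --state NEW -j ACCEPT

    # FORWARD stays at DROP, so nothing is routed around Tor; log what hits
    # it so a client sending something other than TCP or DNS shows up in
    # the kernel log instead of failing silently
    $IPT -A FORWARD -i "$INT_IF" -j LOG --log-prefix "TOR-LEAK: "
    $IPT -A FORWARD -i "$INT_IF" -j DROP

    # Clients cannot use IPv6 through this box at all, so block it outright
    $IP6T -F
    $IP6T -P INPUT DROP
    $IP6T -P FORWARD DROP
    $IP6T -P OUTPUT DROP
    $IP6T -A INPUT -i lo -j ACCEPT
    $IP6T -A OUTPUT -o lo -j ACCEPT
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  IPT=echo IP6T=echo; apply_rules ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

Run it as "sh middlebox.sh show" first and read the printed rules, then "apply" as root. Compared with the draft in the message, the two INPUT ACCEPTs for ports 9040 and 53 and the owner-matched OUTPUT rule are what the DROP policies add as a requirement; without them the policies would break the very redirect they are meant to protect. The FORWARD LOG rule is the leak check: on a correctly configured client the "TOR-LEAK:" prefix should never appear in the kernel log.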
