My iptables rules are:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT -m state --state RELATED,ESTABLISHED
-A INPUT -i lo -j ACCEPT
#-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 192.168.0.0/24 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255/32 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -m limit --limit 1/sec -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT -m state --state RELATED,ESTABLISHED
COMMIT

What is my problem? Why can't I use "obfs4"?
On Sunday, December 11, 2016 10:33 PM, Mirimir <miri...@riseup.net> wrote:

On 12/10/2016 07:16 AM, Jason Long wrote:
> Hello.
> I'd like to close all INPUT connections via iptables, but I'd like to use
> TorBrowser. Then which port(s) must be open?
>
> -A OUTPUT -p tcp -m tcp --dport 9151 -j ACCEPT
>
> Is it enough? How about "INPUT"? Must I open any input port too?
>
> Thank you.

You only need to allow input and output for the tor process. And input
for SSH, if you need that. Plus related/established, of course.

In Debian, run "id -u debian-tor". Then use that number (typically 108)
in an output rule. Tor input is allowed by related/established.

-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
# (the OUTPUT chain matches on the outgoing interface: -o lo, not -i lo)
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 108 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
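The ruleset Mirimir describes above, written out as an added example (this is editor-supplied code, not code from the thread or from the Tor project). It generates a complete iptables-restore file from the tor uid and SSH port, using `-m conntrack --ctstate` (the modern equivalent of `-m state --state`) and a DROP policy on every chain. Two things it adds that the reply only implies: first, tor spawns pluggable transports such as obfs4proxy as child processes, so they inherit tor's uid and are covered by the same `--uid-owner` rule when tor runs as the system service, whereas the tor and obfs4proxy bundled with Tor Browser run as the logged-in desktop user, so that uid is the one to pass in that case; second, an optional LOG rule with `--log-uid` just before the final OUTPUT drop, so the kernel log shows which uid the blocked connection attempts came from, which is the first thing to check when a bridge will not connect. Assumptions: the service user is `debian-tor` with fallback uid 108, SSH listens on 22, and the output file name `tor-firewall.rules` is arbitrary.

```shell
#!/bin/sh
# Added example, not code from the thread: generate an iptables-restore ruleset
# that allows INPUT only on lo, SSH and RELATED/ESTABLISHED, and OUTPUT only on
# lo, from the tor process's uid, and RELATED/ESTABLISHED; everything else drops.
# obfs4proxy is spawned by tor and inherits its uid, so the owner rule covers it
# when tor is the system service. Tor Browser's bundled tor and obfs4proxy run as
# the desktop user; pass that uid instead.
# Assumed: service user "debian-tor" (fallback uid 108), SSH on port 22.

# Print the uid of the tor service user, or the fallback if that user does not exist.
tor_uid() {
    uid=$(id -u "${1:-debian-tor}" 2>/dev/null) || uid="${2:-108}"
    printf '%s\n' "$uid"
}

# Print the ruleset in iptables-save format.
#   $1 = uid allowed to open outbound connections (tor, and obfs4proxy under it)
#   $2 = SSH port to accept inbound (default 22)
#   $3 = "log" to log outbound drops with the originating uid (--log-uid); this is
#        how you see which process is being blocked when a bridge will not connect
gen_rules() {
    tuid="$1"
    ssh_port="${2:-22}"
    logdrops="${3:-}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner ${tuid} -j ACCEPT
EOF
    if [ -n "$logdrops" ]; then
        printf '%s\n' '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT drop: " --log-uid'
    fi
    printf '%s\n' '-A OUTPUT -j DROP' 'COMMIT'
}

# Usage: sh tor-firewall.sh --write   (then, as root: iptables-restore < tor-firewall.rules)
if [ "${1:-}" = "--write" ]; then
    gen_rules "$(tor_uid debian-tor 108)" 22 log > tor-firewall.rules
    # Syntax check only; nothing is loaded (still needs root to open the netfilter handle).
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < tor-firewall.rules
    fi
fi
```

After loading the rules, attempt the bridge connection and watch `dmesg` or the kernel journal for lines prefixed `OUTPUT drop:`; the `UID=` field tells you which user's process was refused, which distinguishes "obfs4proxy is running as a different uid than the owner rule allows" from a bridge that is simply unreachable.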