On 12/12/2016 03:35 AM, Jason Long wrote:
> can anyone edit my rules and tell me what is my problem?

You asked "What is my problem? Why I can't use "obfs4" ?"

The problem, I think, is that you reject everything ...

-A OUTPUT -j REJECT --reject-with icmp-port-unreachable

... before allowing Tor traffic. So Tor can't connect.

Unless you run Tor as a specific user, there's no elegant way to restrict output. You could have a rule allowing output to directory servers and your bridges. Beyond authorities, I'm not sure how many directory servers you'd need. Maybe some kind person can provide a minimal list of directory server IPs.

Also, there's no need to allow any input, except loopback and related/established, because Tor is handling everything.

So with Tor running as user, just use this:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# optional, to SSH in
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT

If you want to add output rules for Tor servers, and block all other output (which is good to prevent leaks):

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
# optional, to SSH in
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
# repeat for all needed servers
-A OUTPUT -d w.x.y.z -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP
COMMIT

And if you run Tor with a special user with uid foo:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
# optional, to SSH in
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner foo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP
COMMIT

> On Monday, December 12, 2016 1:23 AM, Jonathan Marquardt
> <m...@parckwart.de> wrote:
>
> On Mon, Dec 12, 2016 at 01:52:22AM -0700, Mirimir wrote:
>> Sorry about missing the typo in my initial reply. It _was_ an invalid
>> rule. But accepting lo is necessary with default deny, right?
>
> Yes, sorry, you're right. My bad.
>
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
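As an added check, not part of this thread, here is a small Python linter for the ordering mistake the reply diagnoses: once a chain hits an unconditional DROP or REJECT, every rule placed after it (such as an owner-match ACCEPT for the Tor user) is unreachable. The ruleset it inspects is constructed for this example, reusing the uid name foo from the reply.

```python
from typing import Dict, List, Tuple

# Constructed ruleset modelled on the problem in the thread: a catch-all
# REJECT on OUTPUT sits before the rule that lets the Tor user (uid foo) out.
BAD_RULES = """\
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m owner --uid-owner foo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
TERMINAL_TARGETS = {"DROP", "REJECT"}

def parse_rules(text: str) -> Dict[str, List[List[str]]]:
    """Group the '-A <chain> ...' lines of an iptables-restore dump by chain,
    keeping order; '*table', policy lines, '#' comments and COMMIT are skipped."""
    chains: Dict[str, List[List[str]]] = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0] == "-A":
            chains.setdefault(tokens[1], []).append(tokens)
    return chains

def is_catch_all(tokens: List[str]) -> bool:
    """True for '-A CHAIN -j DROP|REJECT ...' with no match options, i.e. a
    rule that terminates every packet reaching it."""
    if "-j" not in tokens:
        return False
    j = tokens.index("-j")
    # tokens[0] is '-A', tokens[1] the chain; anything before '-j' is a match
    return j == 2 and j + 1 < len(tokens) and tokens[j + 1] in TERMINAL_TARGETS

def shadowed_rules(text: str) -> List[Tuple[str, int, str]]:
    """Return (chain, position, rule) for each rule that can never match because
    an earlier unconditional DROP/REJECT in the same chain ends traversal first."""
    findings: List[Tuple[str, int, str]] = []
    for chain, rules in parse_rules(text).items():
        blocked = False
        for pos, tokens in enumerate(rules):
            if blocked:
                findings.append((chain, pos, " ".join(tokens)))
            elif is_catch_all(tokens):
                blocked = True
    return findings
```

Run `shadowed_rules` over a saved `iptables-save` dump before loading it; an empty result means no rule is shadowed by an earlier catch-all in its chain.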