unknown wrote:
>
> INET_IFACE=eth0 # our internet interface
>
> $IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 9050 -j DROP
> $IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 9040 -j DROP
> $IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 53 -j DROP
> $IPTABLES -A INPUT -i $INET_IFACE -p UDP --dport 53 -j DROP
> # Block incoming traffic for these ports from outside.
> # Tor already ignores non-local connections by default.
> ####
>
> $IPTABLES -t nat -A OUTPUT -o lo -j RETURN
> $IPTABLES -t nat -A OUTPUT -d 127.0.0.1 -j RETURN
> # Pass direct connections to localhost services.
> # We can try using privoxy first before redirecting unfiltered traffic
> # to Tor.
> ####
>
> TOR_UID=debian-tor
> # see tor uid in file:
> # tor:x:XXX:YYY::/var/lib/tor)
>
> $IPTABLES -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
> $IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner tornet_user -m tcp --syn \
>   -j REDIRECT --to-ports 9040
> $IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner tornet_user -m udp --dport 53 \
>   -j REDIRECT --to-ports 53
> $IPTABLES -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
> # Transparent redirection of the traffic to Tor for tornet_user
> ####
>
> # $IPTABLES -t nat -A OUTPUT -m owner --uid-owner tornet_user -j DROP
> # This rule does not work anymore in new iptables.
> ####
>
> $IPTABLES -t nat -A OUTPUT -m owner --uid-owner tornet_user -j DNAT \
>   --to-destination 127.0.0.1
> # Use DNAT instead of nat
> # Any traffic from tornet_user that is not redirected to Tor is redirected to
> # localhost.
> # If no service on localhost can accept this traffic, then these packets die
> # quietly on our localhost.
>
> I tested these rules with a sniffer and cannot see any DNS leakage, and everything
> works fine.
> Any possible vulnerabilities here?
Rather than just DNATing all un-REDIRECTed traffic of tornet_user to
localhost, I wonder whether it would be safer to direct udp & tcp traffic
to a particular port where you explicitly DROP (or REJECT) it. Something
along the lines of:

DROPDEAD=12345
$IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner tornet_user \
  -j REDIRECT --to-port $DROPDEAD
$IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner tornet_user \
  -j REDIRECT --to-port $DROPDEAD
$IPTABLES -t nat -A OUTPUT -m owner --uid-owner tornet_user \
  -j REDIRECT
$IPTABLES -A INPUT -p tcp --dport $DROPDEAD -j DROP
$IPTABLES -A INPUT -p udp --dport $DROPDEAD -j DROP

(BTW, DNATing to localhost for a locally generated packet is the same as
REDIRECT.)

Also, it looks to me like the following rule is not needed, as any packets
that would match have already been RETURNed.

$IPTABLES -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
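The thread's ruleset with the reply's dead-port change and the redundant ACCEPT dropped, as an added example that is not code from either poster: it emits the rules in iptables-restore format so they can be reviewed or loaded atomically, and checks the two rule-ordering invariants that a leak or a Tor loop would depend on. The interface, the user names and the dead port number are assumed values.

```shell
# Added example, not from the thread. INET_IFACE, user names and DROPDEAD
# are assumptions; adjust before loading with: tor_ruleset | iptables-restore
INET_IFACE=${INET_IFACE:-eth0}
TOR_UID=${TOR_UID:-debian-tor}            # user Tor runs as
TORNET_USER=${TORNET_USER:-tornet_user}   # user whose traffic is torified
TRANS_PORT=9040                           # Tor TransPort
DNS_PORT=53                               # Tor DNSPort
DROPDEAD=12345                            # nobody listens here; INPUT drops it

tor_ruleset() {
    cat <<EOF
*nat
-A OUTPUT -o lo -j RETURN
-A OUTPUT -d 127.0.0.1 -j RETURN
-A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
-A OUTPUT -p tcp -m owner --uid-owner $TORNET_USER --syn -j REDIRECT --to-ports $TRANS_PORT
-A OUTPUT -p udp -m owner --uid-owner $TORNET_USER --dport $DNS_PORT -j REDIRECT --to-ports $DNS_PORT
-A OUTPUT -p tcp -m owner --uid-owner $TORNET_USER -j REDIRECT --to-ports $DROPDEAD
-A OUTPUT -p udp -m owner --uid-owner $TORNET_USER -j REDIRECT --to-ports $DROPDEAD
-A OUTPUT -m owner --uid-owner $TORNET_USER -j REDIRECT
COMMIT
*filter
-A INPUT -i $INET_IFACE -p tcp --dport 9050 -j DROP
-A INPUT -i $INET_IFACE -p tcp --dport $TRANS_PORT -j DROP
-A INPUT -i $INET_IFACE -p tcp --dport $DNS_PORT -j DROP
-A INPUT -i $INET_IFACE -p udp --dport $DNS_PORT -j DROP
-A INPUT -p tcp --dport $DROPDEAD -j DROP
-A INPUT -p udp --dport $DROPDEAD -j DROP
COMMIT
EOF
}

# Read a ruleset on stdin and verify: Tor's own RETURN precedes every REDIRECT
# (else Tor's exit traffic would be looped back into Tor), and the torified
# user's catch-all REDIRECT is the last nat OUTPUT rule. Exit 0 if both hold.
check_ruleset() {
    awk -v u="$TORNET_USER" -v t="$TOR_UID" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A OUTPUT/ {
            n++; last = $0
            if ($0 ~ ("uid-owner " t " -j RETURN")) ret = n
            if ($0 ~ "-j REDIRECT" && !firstredir) firstredir = n
        }
        END {
            if (last !~ ("uid-owner " u " -j REDIRECT$")) exit 1
            if (!ret || !firstredir || ret > firstredir) exit 2
        }'
}
```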