I've run into a problem. My model is that a user "torify" has all traffic forwarded to localhost. From there, it should all be dropped except connections to privoxy (port 8118). It all works up until the last iptables command. I assume this is blocking all incoming traffic, including traffic I've initiated, but I could be interpreting it wrong. I can't connect to any websites, but I can send requests out. Is there anything obvious I'm missing or something I should add?
#allow connections to privoxy
iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner torify -j ACCEPT

#allow connections to Tor
iptables -A OUTPUT -o lo -p tcp --dport 9050 -j ACCEPT

#re-route all outbound traffic to localhost
iptables -t nat -A OUTPUT -m owner --uid-owner torify -j DNAT --to-destination 127.0.0.1

#drop all traffic to localhost from localhost
iptables -A OUTPUT -o lo -p tcp -m owner --uid-owner torify -j REJECT

#allow Tor to access hidden service, virtual machine
iptables -A OUTPUT -o lo -p tcp --dport 8888 -j ACCEPT

#disallow all external incoming connections
sudo iptables -A INPUT -p TCP -j DROP

Thanks for any help you all can offer. I know this stuff may seem basic to a lot of people but it's complicated for me and I'm trying to help hidden service operators here who know even less than I.

Ringo

Kyle Williams wrote:
> I believe if you just remove --dport, then everything (all ports) is assumed.
>
> On Wed, Aug 19, 2009 at 1:01 PM, Ringo <2600den...@gmail.com> wrote:
>
>> "I prevent all users other than root from connecting to the Tor Control port with an
>>> iptables rule which looks like this:
>>>
>>> iptables -A OUTPUT -o lo -p tcp --dport 9051 -m owner ! --uid-owner root -j REJECT"
>>
>> Thanks! That should work perfectly. Is there any way to make dport a wildcard?
>>
>> Ringo
>>
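The symptom described in the post (requests go out, nothing comes back) is what a bare `iptables -A INPUT -p tcp -j DROP` produces: it discards reply packets for connections the host itself opened, not just new inbound connections. The conventional fix is to accept ESTABLISHED,RELATED traffic before the DROP. The script below is an added example written for this thread, not code from the thread or from the Tor project; it assumes the same user "torify", privoxy on 8118, Tor's SOCKS port on 9050 and a local service on 8888, and it uses the `conntrack` match rather than the older `state` match. With `DRY_RUN=1` it only prints the rules it would apply, so the ordering can be reviewed before touching a live firewall. It also goes slightly beyond the original rule set: the final REJECT is not limited to TCP, so UDP (for example DNS) sent by "torify" outside the allowed ports is refused as well.

```shell
#!/bin/sh
# Added example: a stateful version of the rule set discussed above.
# Assumptions (not from the thread): user "torify", privoxy 8118, Tor 9050, local service 8888.
# ipt prints the rule when DRY_RUN=1 and otherwise runs iptables (needs root).
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

torify_rules() {
    # Stateful rules first: replies to connections this host opened must be let back in.
    # This is the rule the posted set lacked; its final INPUT DROP swallowed replies too.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # "torify" may open connections only to privoxy on loopback;
    # the Tor SOCKS port and the local service stay reachable on loopback for everyone.
    ipt -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner torify -j ACCEPT
    ipt -A OUTPUT -o lo -p tcp --dport 9050 -j ACCEPT
    ipt -A OUTPUT -o lo -p tcp --dport 8888 -j ACCEPT

    # Redirect everything else "torify" sends to loopback, then refuse it there.
    # REJECT (not DROP) so the application fails immediately instead of hanging,
    # and no -p tcp so UDP such as DNS is refused as well.
    ipt -t nat -A OUTPUT -m owner --uid-owner torify -j DNAT --to-destination 127.0.0.1
    ipt -A OUTPUT -o lo -m owner --uid-owner torify -j REJECT

    # New inbound TCP from outside is dropped; established flows were accepted above.
    ipt -A INPUT -p tcp -j DROP
}

# Usage:  DRY_RUN=1 sh thisfile.sh dry     (print rules)
#         sh thisfile.sh apply             (apply, as root)
case "${1:-}" in
    dry)   DRY_RUN=1 torify_rules ;;
    apply) torify_rules ;;
esac
```

Rule order matters in iptables: the chain is evaluated top to bottom and the first match wins, so the conntrack ACCEPT has to precede the INPUT DROP, while the loopback ACCEPTs for 8118/9050/8888 have to precede the catch-all REJECT for "torify".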