Maybe this will work for you. FYI, I changed your iptables rules some and recalled the rest from memory, so it's iffy.
------------------------------------------------------------------------------------------------------------------------
#allow connections to privoxy
iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner torify -j ACCEPT
#allow connections to Tor
iptables -A OUTPUT -o lo -p tcp --dport 9050 -j ACCEPT
#allow "torify" to reach Tor's TransPort and DNSPort (the ports the nat rules below redirect to;
#these have to come before the REJECT below or the redirected packets are rejected)
iptables -A OUTPUT -o lo -p tcp --dport 9095 -m owner --uid-owner torify -j ACCEPT
iptables -A OUTPUT -o lo -p udp --dport 9035 -m owner --uid-owner torify -j ACCEPT
#allow any existing or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow packets delivered over lo; a looped-back SYN is still NEW, so the rule above does not cover it
iptables -A INPUT -i lo -j ACCEPT
#allow Tor to access hidden service, virtual machine
iptables -A OUTPUT -o lo -p tcp --dport 8888 -j ACCEPT
#re-route all outbound traffic from user "torify" to localhost
# MAKE SURE YOUR TransPort and DNSPort MATCH WHAT TOR IS USING
#Tor's TransPort, to handle all TCP traffic transparently (REDIRECT needs -p tcp or -p udp to take a port)
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner torify -j REDIRECT --to-ports 9095
#Tor's DNSPort, to handle DNS lookups (-p udp has to come before --dport)
iptables -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner torify -j REDIRECT --to-ports 9035
#reject all other TCP traffic from "torify" to localhost
iptables -A OUTPUT -o lo -p tcp -m owner --uid-owner torify -j REJECT
#disallow all external incoming connections
iptables -A INPUT -p tcp -j DROP
iptables -A INPUT -p udp -j DROP
iptables -A INPUT -p icmp -j DROP
------------------------------------------------------------------------------------------------------------------------
Hope that helps/works.
- Kyle

On Thu, Aug 20, 2009 at 4:55 AM, Ringo <2600den...@gmail.com> wrote:
> I've run into a problem. My model is that a user "torify" has all
> traffic forwarded to localhost. From there, it should all be dropped
> except connections to privoxy (port 8118). It all works up until the
> last iptables command. I assume this is blocking all incoming traffic,
> including traffic I've initiated, but I could be interpreting it wrong.
> I can't connect to any websites, but I can send requests out. Is there
> anything obvious I'm missing or something I should add?
>
> #allow connections to privoxy
> iptables -A OUTPUT -o lo -p tcp --dport 8118 -m owner --uid-owner torify -j ACCEPT
> #allow connections to Tor
> iptables -A OUTPUT -o lo -p tcp --dport 9050 -j ACCEPT
> #re-route all outbound traffic to localhost
> iptables -t nat -A OUTPUT -m owner --uid-owner torify -j DNAT --to-destination 127.0.0.1
> #drop all traffic to localhost from localhost
> iptables -A OUTPUT -o lo -p tcp -m owner --uid-owner torify -j REJECT
> #allow Tor to access hidden service, virtual machine
> iptables -A OUTPUT -o lo -p tcp --dport 8888 -j ACCEPT
> #disallow all external incoming connections
> sudo iptables -A INPUT -p TCP -j DROP
>
> Thanks for any help you all can offer. I know this stuff may seem basic
> to a lot of people but it's complicated for me and I'm trying to help
> hidden service operators here who know even less than I.
>
> Ringo
>
> Kyle Williams wrote:
> > I believe if you just remove --dport, then everything (all ports) is
> > assumed.
> >
> > On Wed, Aug 19, 2009 at 1:01 PM, Ringo <2600den...@gmail.com> wrote:
> >
> >> "I prevent all users other than root from connecting to the Tor Control
> >> port with an
> >>> iptables rule which looks like this:
> >>>
> >>> iptables -A OUTPUT -o lo -p tcp --dport 9051 -m owner ! --uid-owner root -j REJECT"
> >>
> >> Thanks! That should work perfectly. Is there any way to make dport a
> >> wildcard?
> >>
> >> Ringo
> >>
> >
>
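To see why Ringo's last rule breaks things, and what the REDIRECT layout in the reply still needs, here is a small Python model of the netfilter hooks a locally generated packet crosses: nat OUTPUT, filter OUTPUT, and then filter INPUT again when the destination is 127.0.0.1, plus the answer coming back as ESTABLISHED. This is an added illustration, not code from the thread or from Tor. It models only the matches the rules above use (-p, --dport, -i/-o, -m owner --uid-owner, -m state --state, REDIRECT/DNAT to 127.0.0.1 and an optional "! -d"), and it assumes Tor runs as user "debian-tor" with TransPort 9095 and DNSPort 9035; 198.51.100.10 is a made-up remote address.

```python
"""Model of the netfilter hooks a locally generated packet crosses (added
illustration, not code from the thread).  Assumes Tor runs as "debian-tor"
with TransPort 9095 / DNSPort 9035; 198.51.100.10 is a made-up remote host."""
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    uid: str            # owner of the sending socket (what -m owner sees)
    proto: str          # "tcp", "udp" or "icmp"
    dst: str
    dport: int
    state: str = "NEW"  # what -m state sees for this packet

@dataclass(frozen=True)
class Rule:
    chain: str                      # "nat:OUTPUT", "filter:OUTPUT", "filter:INPUT"
    target: str                     # ACCEPT, DROP, REJECT, REDIRECT or DNAT
    proto: Optional[str] = None     # -p
    dport: Optional[int] = None     # --dport
    iface: Optional[str] = None     # -o (OUTPUT) / -i (INPUT)
    uid: Optional[str] = None       # -m owner --uid-owner
    state: tuple = ()               # -m state --state A,B
    to_port: Optional[int] = None   # REDIRECT --to-ports
    dst_not: Optional[str] = None   # ! -d <prefix>

    def matches(self, pkt: Packet, iface: str) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.iface is None or self.iface == iface)
                and (self.uid is None or self.uid == pkt.uid)
                and (not self.state or pkt.state in self.state)
                and (self.dst_not is None or not pkt.dst.startswith(self.dst_not)))

def walk(rules, chain, pkt, iface):  # first match wins, else the default ACCEPT policy
    for r in rules:
        if r.chain == chain and r.matches(pkt, iface):
            return r
    return Rule(chain, "ACCEPT")

def trace(rules, pkt, server_uid="debian-tor"):
    """'<verdict>@<hook>', 'DIRECT@eth0' (left unproxied, answer let in) or 'OK@127.0.0.1:<port>'."""
    r = walk(rules, "nat:OUTPUT", pkt, "eth0")    # nat may rewrite the destination
    if r.target in ("REDIRECT", "DNAT"):
        pkt = replace(pkt, dst="127.0.0.1", dport=r.to_port or pkt.dport)
    iface = "lo" if pkt.dst.startswith("127.") else "eth0"
    r = walk(rules, "filter:OUTPUT", pkt, iface)  # sees the rewritten packet
    if r.target != "ACCEPT":
        return f"{r.target}@filter:OUTPUT"
    if iface == "lo":                             # looped back: INPUT sees it, still NEW
        r = walk(rules, "filter:INPUT", pkt, iface)
        if r.target != "ACCEPT":
            return f"{r.target}@filter:INPUT"
    reply = Packet(server_uid, pkt.proto, "127.0.0.1", 40000, "ESTABLISHED")  # the answer
    hooks = ("filter:OUTPUT", "filter:INPUT") if iface == "lo" else ("filter:INPUT",)
    for chain in hooks:
        r = walk(rules, chain, reply, iface)
        if r.target != "ACCEPT":
            return f"{r.target}@{chain}(reply)"
    return f"OK@127.0.0.1:{pkt.dport}" if iface == "lo" else "DIRECT@eth0"

# The rule set Ringo posted (DNAT to 127.0.0.1 keeps the original port).
RINGO = [
    Rule("filter:OUTPUT", "ACCEPT", proto="tcp", dport=8118, iface="lo", uid="torify"),
    Rule("filter:OUTPUT", "ACCEPT", proto="tcp", dport=9050, iface="lo"),
    Rule("nat:OUTPUT", "DNAT", uid="torify"),
    Rule("filter:OUTPUT", "REJECT", proto="tcp", iface="lo", uid="torify"),
    Rule("filter:OUTPUT", "ACCEPT", proto="tcp", dport=8888, iface="lo"),
    Rule("filter:INPUT", "DROP", proto="tcp"),
]
FIXES = ("accept_tor_ports", "accept_lo_input", "skip_local_dst", "catch_all")

def build(*fixes):
    """The REDIRECT layout (TransPort 9095, DNSPort 9035) with the chosen fixes applied."""
    rules = [
        Rule("filter:OUTPUT", "ACCEPT", proto="tcp", dport=8118, iface="lo", uid="torify"),
        Rule("filter:OUTPUT", "ACCEPT", proto="tcp", dport=9050, iface="lo"),
        Rule("filter:INPUT", "ACCEPT", state=("ESTABLISHED", "RELATED")),
        Rule("filter:OUTPUT", "ACCEPT", proto="tcp", dport=8888, iface="lo"),
        Rule("nat:OUTPUT", "REDIRECT", proto="tcp", uid="torify", to_port=9095,
             dst_not="127." if "skip_local_dst" in fixes else None),
        Rule("nat:OUTPUT", "REDIRECT", proto="udp", dport=53, uid="torify", to_port=9035),
    ]
    if "accept_tor_ports" in fixes:  # has to precede the REJECT below
        rules += [Rule("filter:OUTPUT", "ACCEPT", proto="tcp", dport=9095, iface="lo", uid="torify"),
                  Rule("filter:OUTPUT", "ACCEPT", proto="udp", dport=9035, iface="lo", uid="torify")]
    rules.append(Rule("filter:OUTPUT", "REJECT", proto="tcp", iface="lo", uid="torify"))
    if "catch_all" in fixes:         # anything from torify that was not redirected
        rules.append(Rule("filter:OUTPUT", "REJECT", uid="torify"))
    if "accept_lo_input" in fixes:   # looped-back SYNs are NEW, not ESTABLISHED
        rules.insert(0, Rule("filter:INPUT", "ACCEPT", iface="lo"))
    rules += [Rule("filter:INPUT", "DROP", proto=p) for p in ("tcp", "udp", "icmp")]
    return rules

if __name__ == "__main__":
    web, privoxy = Packet("torify", "tcp", "198.51.100.10", 80), Packet("torify", "tcp", "127.0.0.1", 8118)
    for name, rules in [("ringo", RINGO), ("redirect", build()), ("fixed", build(*FIXES))]:
        print(f"{name:8} web={trace(rules, web):22} privoxy={trace(rules, privoxy)}")
```

With Ringo's rules the SYN to privoxy is accepted in OUTPUT but dropped in INPUT, and Tor's own connections to the network die when the remote answer hits the same `INPUT -p tcp DROP`, which is exactly "I can send requests out but can't connect". With the REDIRECT layout, `build()` alone rejects torify's redirected traffic in OUTPUT (no ACCEPT for the TransPort), adding that still drops it in INPUT (a looped-back SYN is NEW, so the ESTABLISHED,RELATED rule does not cover it), and only an `-i lo` ACCEPT on INPUT gets the connection to Tor. Two more things a practitioner should add: the REDIRECT rule has no `! -d 127.0.0.0/8`, so torify's connection to privoxy on 8118 is itself redirected into the TransPort; and without a final `-m owner --uid-owner torify -j REJECT` in filter OUTPUT, anything the nat rules do not catch (UDP other than port 53, ICMP) leaves the box directly, which is a leak for a user that is supposed to be torified.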