Thanks! It's incredibly helpful to see how more experienced users have Tor set up. Sorry again for the poor formatting in my post, no idea what's up with that.
From: r...@posteo.net
To: tor-talk@lists.torproject.org
Date: Sat, 17 May 2014 17:55:36 +0200
Subject: Re: [tor-talk] Isolating Proxy and iptables.

On Saturday 17 May 2014 16:59:23 Clare ♬ wrote:
> I'm setting up a Tor-based isolating proxy using the 'Anonymizing
> Middlebox' iptables rules specified here:
> https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
> i.e.
>
> iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
> iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports 9040
>
> ...and the INPUT, OUTPUT and FORWARD chains are left at the default.
> Would there be any merit to also including the following rules?
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A OUTPUT -o lo -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Or are they rendered unnecessary by my current setup?
>
> Are there any other firewall rules that I should consider in order to
> improve security and ensure that all traffic is torified?
>
> Many thanks.

https://bitbucket.org/ra_/tor-gateway/src/367fedb41377570b6b414940a8788bd692931cd4/overlay/etc/iptables.conf?at=master
might help you.

It has been suggested recently to additionally add these blocking rules:

iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

HTH,
Robert

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
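Putting the pieces of the thread together, here is an added example (mine, not code from the thread or from the linked tor-gateway repository): a POSIX sh script that applies the wiki's REDIRECT rules together with the default-DROP policies, the loopback/ESTABLISHED allowances and the INVALID drop, and that also lets the Tor daemon itself out, which OUTPUT DROP would otherwise block. The internal interface name (eth1) and the Tor Unix user (debian-tor) are assumptions set as variables at the top; by default the script only prints the rules, and APPLY=1 runs them as root.

```shell
#!/bin/sh
# Isolating-proxy ruleset: wiki REDIRECTs + default DROP + INVALID drop.
# Assumptions (not from the thread): internal interface $INT_IF, Tor runs
# as the Unix user $TOR_USER, TransPort 9040 and DNSPort 53 as on the page.
INT_IF="${INT_IF:-eth1}"
TOR_USER="${TOR_USER:-debian-tor}"
TRANS_PORT=9040
DNS_PORT=53
APPLY="${APPLY:-0}"   # APPLY=1 applies the rules; otherwise they are printed

ipt() {
    if [ "$APPLY" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

tor_gateway_rules() {
    # Start from a clean slate in both the filter and nat tables.
    ipt -F; ipt -t nat -F; ipt -X

    # Default deny everywhere. Nothing is forwarded; clients are redirected
    # into Tor's local ports instead, so FORWARD stays empty.
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT DROP

    # Packets conntrack cannot classify are dropped before anything else
    # (the extra rule suggested in the reply).
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A OUTPUT -m conntrack --ctstate INVALID -j DROP

    # Loopback and replies to already-accepted connections.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Anonymizing-middlebox redirects from the TransparentProxy wiki page.
    ipt -t nat -A PREROUTING -i "$INT_IF" -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
    ipt -t nat -A PREROUTING -i "$INT_IF" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"

    # With INPUT DROP, the redirected traffic must be accepted explicitly.
    ipt -A INPUT -i "$INT_IF" -p udp --dport "$DNS_PORT" -j ACCEPT
    ipt -A INPUT -i "$INT_IF" -p tcp --dport "$TRANS_PORT" -j ACCEPT

    # With OUTPUT DROP, only the Tor daemon may open new outbound TCP
    # connections; every other process on the gateway has no path around Tor.
    ipt -A OUTPUT -m owner --uid-owner "$TOR_USER" -p tcp --syn -j ACCEPT
}

tor_gateway_rules
```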