path: root/share/provision/files/tor-transproxy/etc/network/if-pre-up.d/iptables
blob: 68e45017d4feafad53ea6fd687bf9c6fcac34864 (plain)
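#!/bin/bash
#
# Tor transparent-proxy firewall, run by ifupdown from if-pre-up.d.
#
# Outbound TCP and outbound DNS (udp/53) from every user except the Tor
# daemon itself are redirected into Tor's TransPort / DNSPort by the nat
# table; the filter table then only lets the Tor daemon, root, _apt and the
# designated network user send anything directly, logs and drops everything
# else, and keeps INPUT down to SSH, established flows and loopback.
#
# Based on https://lists.torproject.org/pipermail/tor-talk/2014-March/032503.html
# See also:
#
#  https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
#- https://askubuntu.com/questions/324685/how-to-route-all-internet-traffic-through-tor-the-onion-router
#- https://tor.stackexchange.com/questions/12343/use-iptables-to-force-traffic-through-tor
#- https://tails.boum.org/contribute/design/Tor_enforcement/Network_filter/
#- https://git.tails.boum.org/tails/plain/config/chroot_local-includes/etc/ferm/ferm.conf
#- https://git.tails.boum.org/tails/plain/config/chroot_local-includes/etc/tor/torrc
#- https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver
#- https://trac.torproject.org/projects/tor/wiki/doc/PreventingDnsLeaksInTor

set -u

# Parameters
IPTABLES=/sbin/iptables
NETWORK_USER_ID=1000
TOR_TRANS_PORT=9040   # Tor TransPort that redirected TCP lands on
TOR_DNS_PORT=5353     # Tor DNSPort that redirected udp/53 lands on

# Resolve the Tor daemon's uid up front: an empty TOR_UID would silently turn
# "! --uid-owner $TOR_UID" into a malformed rule instead of a clear error.
TOR_UID=$(id -u debian-tor) || {
  printf '%s: cannot resolve uid of user debian-tor\n' "${0##*/}" >&2
  exit 1
}
[[ -n "$TOR_UID" ]] || {
  printf '%s: empty uid for user debian-tor\n' "${0##*/}" >&2
  exit 1
}

# Run one iptables command; on failure report which rule failed and exit with
# the iptables status (replaces the per-line "|| exit" of the original).
ipt() {
  local rv=0
  "$IPTABLES" "$@" || rv=$?
  if (( rv != 0 )); then
    printf '%s: iptables %s failed (status %d)\n' "${0##*/}" "$*" "$rv" >&2
    exit "$rv"
  fi
}

# Fail closed: set the chain policies to DROP *before* flushing, so that an
# early exit below, or the window between the flush and the final DROP rules,
# never leaves the host without a firewall. Both chains end in an explicit
# "-j DROP" anyway, so the steady-state rule set is unchanged.
ipt -P INPUT DROP
ipt -P OUTPUT DROP

# Clear existing rules
ipt -F INPUT
ipt -F OUTPUT
ipt -t nat -F

# Transproxy rules for Tor: redirect everyone except the Tor daemon into
# TransPort (TCP) and DNSPort (udp/53).
ipt -t nat -A OUTPUT ! -d 127.0.0.1 -m owner ! --uid-owner "$TOR_UID" -p tcp -j REDIRECT --to-ports "$TOR_TRANS_PORT"
ipt -t nat -A OUTPUT -p udp -m owner ! --uid-owner "$TOR_UID" -m udp --dport 53 -j REDIRECT --to-ports "$TOR_DNS_PORT"

# Avoid packet leaks
# https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html
#
# These rules have to sit at the top of OUTPUT, ahead of the per-user ACCEPTs
# and the final DROP: appended after "-j DROP" (as they used to be) they were
# unreachable dead rules. Each LOG precedes its DROP so the leak is recorded.
# "-m state" is the deprecated alias of "-m conntrack", so a single conntrack
# LOG+DROP pair replaces the former duplicate state/ctstate INVALID rules.
# Note that, as in the referenced post, no owner exemption is applied here, so
# the Tor daemon's own FIN/ACK and RST/ACK packets are matched as well.
ipt -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "Transproxy state leak blocked: " --log-uid
ipt -A OUTPUT -m conntrack --ctstate INVALID -j DROP
ipt -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j LOG --log-prefix "Transproxy leak blocked: " --log-uid
ipt -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j LOG --log-prefix "Transproxy leak blocked: " --log-uid
ipt -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
ipt -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP

# Allow Tor, _apt, root and the network user to send directly; log, then
# drop, everything else. (The "OUTPUT DROPPED" LOG used to be appended to
# INPUT, which logged every inbound packet and never logged dropped output.)
ipt -A OUTPUT -m owner --uid-owner "$TOR_UID" -j ACCEPT
ipt -A OUTPUT -m owner --uid-owner "$NETWORK_USER_ID" -j ACCEPT
ipt -A OUTPUT -m owner --uid-owner root -j ACCEPT
ipt -A OUTPUT -m owner --uid-owner _apt -j ACCEPT
ipt -A OUTPUT -j LOG --log-prefix "OUTPUT DROPPED: " --log-uid
ipt -A OUTPUT -j DROP

# Allow SSH
ipt -A INPUT -p tcp --dport ssh -j ACCEPT

# Create INPUT firewall. Allow established connections and transproxy
ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ipt -A INPUT -i lo -j ACCEPT   # Transproxy output comes from lo
# NOTE(review): outbound DNS is redirected to port 5353 above, but this accepts
# udp/5300 — confirm against torrc / the local resolver which port is meant.
ipt -A INPUT -d 127.0.0.1 -m udp -p udp --dport 5300 -j ACCEPT
ipt -A INPUT -j LOG --log-prefix "INPUT DROPPED: " --log-uid
ipt -A INPUT -j DROP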