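INET_IFACE=eth0                              # our Internet-facing interface
TOR_UID=debian-tor                           # user Tor runs as; see the tor entry in the passwd file (tor:x:XXX:YYY::/var/lib/tor)
TORNET_USER=${TORNET_USER:-tornet_user}      # user whose traffic is forced through Tor (was hard-coded inline)

# $IPTABLES (path to the iptables binary) is expected to be set earlier in the
# script; fail loudly instead of executing "-A INPUT ..." as a command if it is not.
: "${IPTABLES:?IPTABLES must point to the iptables binary}"

#### Block incoming connections to the Tor/DNS ports on the Internet interface.
# Tor already ignores non-local connections by default; this is defence in depth.
for port in 9050 9040 53; do
  "$IPTABLES" -A INPUT -i "$INET_IFACE" -p tcp --dport "$port" -j DROP
done
"$IPTABLES" -A INPUT -i "$INET_IFACE" -p udp --dport 53 -j DROP

#### Let direct connections to localhost services through untouched
# (e.g. a local privoxy can be tried first, before unfiltered traffic is
# redirected to Tor).
# NOTE(review): these two rules come before the owner matches below, so every
# service listening on localhost is also reachable directly by $TORNET_USER.
"$IPTABLES" -t nat -A OUTPUT -o lo -j RETURN
"$IPTABLES" -t nat -A OUTPUT -d 127.0.0.1 -j RETURN

#### Transparent redirection of $TORNET_USER's traffic into Tor.
# Tor's own traffic must leave the host directly, so it is excluded first.
"$IPTABLES" -t nat -A OUTPUT -m owner --uid-owner "$TOR_UID" -j RETURN
# New TCP connections (SYN) -> Tor TransPort 9040.
"$IPTABLES" -t nat -A OUTPUT -p tcp -m owner --uid-owner "$TORNET_USER" -m tcp --syn \
  -j REDIRECT --to-ports 9040
# UDP DNS -> Tor DNSPort 53 (Tor must be configured to listen on that port).
"$IPTABLES" -t nat -A OUTPUT -p udp -m owner --uid-owner "$TORNET_USER" -m udp --dport 53 \
  -j REDIRECT --to-ports 53
# Redundant: packets from $TOR_UID never reach this rule, the RETURN above
# already matched them. Kept as in the original ruleset.
"$IPTABLES" -t nat -A OUTPUT -m owner --uid-owner "$TOR_UID" -j ACCEPT

#### Catch-all for everything else from $TORNET_USER.
# The original DROP rule is no longer accepted in the nat table by newer
# iptables, so a DNAT to localhost is used instead:
#   $IPTABLES -t nat -A OUTPUT -m owner --uid-owner tornet_user -j DROP
# Any traffic from $TORNET_USER that was not redirected to Tor is re-addressed
# to 127.0.0.1 (the destination port is kept). If no local service accepts it,
# the packets die quietly on localhost; if one does listen on that port, it
# will receive them.
# NOTE(review): this is an IPv4 ($IPTABLES) ruleset only; IPv6 traffic, if the
# host has it, is not covered here.
"$IPTABLES" -t nat -A OUTPUT -m owner --uid-owner "$TORNET_USER" -j DNAT \
  --to-destination 127.0.0.1

I tested these rules with a sniffer and cannot see any DNS leakage; everything works fine. Any possible vulnerabilities here?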

