This may be interesting for you as well: this is what iptables-save produces on an Amnesia system:

# Generated by iptables-save v1.4.2 on Mon Mar 1 18:22:07 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [133:8080]
:OUTPUT ACCEPT [134:8341]
# Local/private destinations, the Tor daemon itself and ntpdate are left alone (RETURN)
-A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -d 10.0.0.0/8 -j RETURN
-A OUTPUT -d 172.16.0.0/12 -j RETURN
-A OUTPUT -d 127.0.0.0/9 -j RETURN
-A OUTPUT -d 127.128.0.0/10 -j RETURN
-A OUTPUT -m owner --uid-owner debian-tor -j RETURN
-A OUTPUT -p tcp -m owner --uid-owner ntpdate -m tcp --dport 123 -j RETURN
-A OUTPUT -p udp -m owner --uid-owner ntpdate -m udp --dport 123 -j RETURN
-A OUTPUT -p tcp -m owner --uid-owner ntpdate -m tcp --dport 53 -j RETURN
-A OUTPUT -p udp -m owner --uid-owner ntpdate -m udp --dport 53 -j RETURN
# 127.192.0.0/10 is the only part of 127/8 not returned above; it and every other new TCP connection go to local port 9040
-A OUTPUT -d 127.192.0.0/10 -p tcp -m tcp -j DNAT --to-destination 127.0.0.1:9040
-A OUTPUT -o ! lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DNAT --to-destination 127.0.0.1:9040
COMMIT
# Completed on Mon Mar 1 18:22:07 2010
# Generated by iptables-save v1.4.2 on Mon Mar 1 18:22:07 2010
*filter
:INPUT ACCEPT [15615:7102432]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -j ACCEPT
-A OUTPUT -d 172.16.0.0/12 -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner ntpdate -m tcp --dport 123 -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner ntpdate -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner ntpdate -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner ntpdate -m udp --dport 53 -j ACCEPT
# Everything else is rejected
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon Mar 1 18:22:07 2010

They allow NTP connections since Tor really likes an accurate date/time. They also do some .onion related stuff that I don't get (this might be the 172.16.0.0/12?). I don't know much about iptables and Linux in general, but maybe this helps.

M.K.
On Monday, 01.03.2010, 15:04 +0000, Irratar wrote:
> Hello.
>
> I have created a simple Bash script to prevent any data from bypassing Tor
> when Tor is running. I started it to use just for myself, but now I think
> it will be better to share it with other users of Tor.
>
> This script, named Torlock, does the following things when used to start Tor:
> - Creates a special user named torlock by default (if you run it the first time
> or have removed that user after the previous Tor session).
> - Uses iptables to block network access for everyone except for torlock.
> - Setuids to torlock and starts Tor. Tor will be started in background mode,
> and its output redirected to a file.
>
> When used to stop Tor, it stops Tor, unlocks network access, and (optionally)
> removes the torlock user.
>
> More information is in the included text file. Even more can be obtained by
> reading the script. It is small, simple, and easy to make sure it's not
> backdoored. The script can be downloaded from Sourceforge:
> http://sourceforge.net/projects/torlock/files/
>
> In spite of its simplicity, Torlock saved me at least twice when I forgot to
> switch Torbutton on.
>
> With best regards,
> Irratar.
> ***********************************************************************
> To unsubscribe, send an e-mail to [email protected] with
> unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
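An added check, not part of either message in this thread and not code from Amnesia or Torlock, that a practitioner would want to run over an iptables-save dump like the one above before trusting it: it parses the filter table and reports any OUTPUT rule that ACCEPTs traffic without being tied to an allowed uid, a loopback/RFC 1918 destination, or RELATED,ESTABLISHED state, and checks that the chain ends in DROP/REJECT (or has a DROP policy). SAMPLE_FILTER is a constructed excerpt of the dump above; the function names, the default user lists and the findings format are my own. Two facts the reasoning rests on: 172.16.0.0/12 is one of the three RFC 1918 private ranges, so the rule M.K. asks about is just "don't torify the LAN"; and the two nat rules returning 127.0.0.0/9 and 127.128.0.0/10 leave exactly 127.192.0.0/10 to be DNATed to port 9040, which is the layout Tor's VirtualAddrNetwork/AutomapHostsOnResolve .onion mapping uses (an inference from the rules, not something the thread states).

```python
"""Audit the filter OUTPUT chain of an iptables-save dump for a Tor-only egress policy."""
import ipaddress
import shlex

# Constructed sample: the filter table from the dump above, trimmed to the
# rules that matter for this check. Not a live capture.
SAMPLE_FILTER = """\
*filter
:INPUT ACCEPT [15615:7102432]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -j ACCEPT
-A OUTPUT -d 172.16.0.0/12 -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner ntpdate -m udp --dport 123 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# RFC 1918 space plus loopback: destinations that never leave the host/LAN.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_table(dump, table):
    """Return (policies, rules) for one table of an iptables-save dump.

    policies maps chain -> default policy; rules is a list of (chain, argv),
    where argv is the rule's arguments after '-A <chain>'.
    """
    policies, rules, inside = {}, [], False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. "*filter"
            inside = line[1:] == table
        elif not inside or not line or line.startswith("#"):
            continue
        elif line == "COMMIT":
            break
        elif line.startswith(":"):          # chain declaration ":OUTPUT ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            argv = shlex.split(line)
            rules.append((argv[1], argv[2:]))
    return policies, rules


def _opt(argv, flag):
    """Value following a flag in a rule's argv, or None if the flag is absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None


def audit_output_chain(dump, tor_user="debian-tor", extra_users=("ntpdate",)):
    """Return a list of findings (strings); an empty list means no obvious leak path.

    tor_user/extra_users are assumed names: the uids that may talk to the
    network directly. Everything else must be loopback/RFC 1918-only,
    RELATED,ESTABLISHED, or fall through to the terminating REJECT/DROP.
    """
    policies, rules = parse_table(dump, "filter")
    out = [argv for chain, argv in rules if chain == "OUTPUT"]
    findings = []

    # 1. Whatever is not matched earlier must be dropped or rejected.
    last_target = _opt(out[-1], "-j") if out else None
    if policies.get("OUTPUT") != "DROP" and last_target not in ("DROP", "REJECT"):
        findings.append("OUTPUT chain has no terminating DROP/REJECT and policy is not DROP")

    # 2. Every ACCEPT must be justified by owner, private destination, or conntrack state.
    allowed_users = {tor_user, *extra_users}
    for argv in out:
        if _opt(argv, "-j") != "ACCEPT":
            continue
        owner = _opt(argv, "--uid-owner")
        dst = _opt(argv, "-d")
        state = _opt(argv, "--state")
        if owner in allowed_users:
            continue
        if dst and any(ipaddress.ip_network(dst).subnet_of(p) for p in PRIVATE):
            continue
        if state and set(state.split(",")) <= {"RELATED", "ESTABLISHED"}:
            continue
        findings.append("unrestricted ACCEPT: " + " ".join(argv))
    return findings


if __name__ == "__main__":
    for finding in audit_output_chain(SAMPLE_FILTER) or ["OK: no unrestricted egress"]:
        print(finding)
```

Run it against `iptables-save` output from the box (`iptables-save | python3 audit.py` with a small wrapper reading stdin) and treat any "unrestricted ACCEPT" as a bypass of Tor. One caveat when reusing the dump above on a current system: the nat rule spells the interface negation as `-o ! lo`, which is what iptables 1.4.2 emitted; current iptables expects `! -o lo` and rejects the old form.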

