[tor-talk] Tor and iptables

2018-03-02 Thread Jason Long
Hello. My iptables rules are as below:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with

Re: [tor-talk] Tor and iptables.

2016-12-15 Thread Mirimir
On 12/12/2016 03:35 AM, Jason Long wrote: > can anyone edit my rules and tell me what is my problem? You asked "What is my problem? Why I can't use "obfs4" ?" The problem, I think, is that you reject everything ... -A OUTPUT -j REJECT --reject-with icmp-port-unreachable ... before allowing

Re: [tor-talk] Tor and iptables.

2016-12-14 Thread Mirimir
On 12/12/2016 03:35 AM, Jason Long wrote: > can anyone edit my rules and tell me what is my problem? I'll look through them, later today. If you install iptables-persistent, create an /iptables/test-rules.v4 rules file, and run `iptables-restore < /iptables/test-rules.v4`, the app will tell you

Re: [tor-talk] Tor and iptables.

2016-12-14 Thread Jason Long
Did you see my iptables rules? What is my problem? On Sun, 12/11/16, Jonathan Marquardt <m...@parckwart.de> wrote: Subject: Re: [tor-talk] Tor and iptables. To: tor-talk@lists.torproject.org Date: Sunday, December 11, 2016, 7:24 AM On Su

Re: [tor-talk] Tor and iptables.

2016-12-14 Thread Jason Long
can anyone edit my rules and tell me what is my problem? On Monday, December 12, 2016 1:23 AM, Jonathan Marquardt wrote: On Mon, Dec 12, 2016 at 01:52:22AM -0700, Mirimir wrote: > Sorry about missing the typo in my initial reply. It _was_ an invalid > rule. But

Re: [tor-talk] Tor and iptables.

2016-12-14 Thread Jason Long
My iptables rules are:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT -m state --state RELATED,ESTABLISHED
-A INPUT -i lo -j ACCEPT
#-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED

Re: [tor-talk] Tor and iptables.

2016-12-12 Thread Jonathan Marquardt
On Mon, Dec 12, 2016 at 01:52:22AM -0700, Mirimir wrote: > Sorry about missing the typo in my initial reply. It _was_ an invalid > rule. But accepting lo is necessary with default deny, right? Yes, sorry, you're right. My bad. -- tor-talk mailing list - tor-talk@lists.torproject.org To

Re: [tor-talk] Tor and iptables.

2016-12-12 Thread Mirimir
On 12/12/2016 01:14 AM, Jonathan Marquardt wrote: > On Mon, Dec 12, 2016 at 12:12:54AM -0700, Mirimir wrote: >> Oops. Sorry. I'm used to straight Tor and Whonix. So how does one lock >> down Tor using Tor browser? > > Well, given the way OP phrased his question, I just assumed he wanted to >

Re: [tor-talk] Tor and iptables.

2016-12-12 Thread Jonathan Marquardt
On Mon, Dec 12, 2016 at 12:12:54AM -0700, Mirimir wrote: > Oops. Sorry. I'm used to straight Tor and Whonix. So how does one lock > down Tor using Tor browser? Well, given the way OP phrased his question, I just assumed he wanted to prevent any unwanted input to his system, which is why I gave

Re: [tor-talk] Tor and iptables.

2016-12-11 Thread Roman Mamedov
On Mon, 12 Dec 2016 00:12:54 -0700 Mirimir wrote: > > Also: "-A OUTPUT -i lo -j ACCEPT" is neither a valid rule, nor is it > > necessary, since loopback traffic is already allowed at input and stateful > > inspection is enabled both ways. > > Not valid? It works for me.

Re: [tor-talk] Tor and iptables.

2016-12-11 Thread Jonathan Marquardt
On Sun, Dec 11, 2016 at 11:33:23PM -0700, Mirimir wrote: > On 12/10/2016 07:16 AM, Jason Long wrote: > > Hello. > > I like to close all INPUT connections via iptables but I like to use > > TorBrowser, Then Which port(s) must be open? > > > > -A OUTPUT -p tcp -m tcp --dport 9151 -j ACCEPT > > >

Re: [tor-talk] Tor and iptables.

2016-12-11 Thread Mirimir
On 12/10/2016 07:16 AM, Jason Long wrote: > Hello. > I like to close all INPUT connections via iptables but I like to use > TorBrowser, Then Which port(s) must be open? > > -A OUTPUT -p tcp -m tcp --dport 9151 -j ACCEPT > > > Is it enough? How about "INPUT"? Must I open any input port too? >

Re: [tor-talk] Tor and iptables.

2016-12-11 Thread Jonathan Marquardt
On Sun, Dec 11, 2016 at 12:26:47PM +, Jason Long wrote: > Excuse me, I must allow input to my system? It is so bad :(, I don't like to > allow everyone. This has nothing to do with Tor. It's just the general way how the IP protocol works. Without allowing stateful input, you couldn't do any

Re: [tor-talk] Tor and iptables.

2016-12-11 Thread Jason Long
Excuse me, I must allow input to my system? It is so bad :(, I don't like to allow everyone. On Sunday, December 11, 2016 2:44 AM, Jonathan Marquardt wrote: You always need to allow some input as well in order for the Tor guard node to talk to your computer. Stateful

Re: [tor-talk] Tor and iptables.

2016-12-11 Thread Jonathan Marquardt
You always need to allow some input as well in order for the Tor guard node to talk to your computer. Stateful Inspection is used for this. Here's a complete ruleset to accomplish what you asked for. All output is allowed, but no input, except it belongs to some output your computer previously

[tor-talk] Tor and iptables.

2016-12-11 Thread Jason Long
Hello. I like to close all INPUT connections via iptables but I like to use TorBrowser, then which port(s) must be open? -A OUTPUT -p tcp -m tcp --dport 9151 -j ACCEPT Is it enough? How about "INPUT"? Must I open any input port too? Thank you. -- tor-talk mailing list -

Re: [tor-talk] Tor and iptables.

2016-12-11 Thread Jason Long
Tor can't connect and shows me the error below:
12/09/2016 17:41:40.300 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/09/2016 17:41:40.300 [NOTICE] Opening Socks listener on 127.0.0.1:9150
12/09/2016