No, my home router is only accessible from the LAN. So, if you are sure Tor really blocks the local address space, then I shouldn't need to use iptables. But I want to be sure first. I couldn't find anything about this in the online manual.

On Mon, Jul 4, 2011 at 11:31 PM, Justin Aplin <[email protected]> wrote:
> On Jul 4, 2011, at 9:19 PM, Tomas Sironi wrote:
>
> Hi people. I'm new with Tor and I'm very interested in this project.
>
> I'm now being a relay, only acting as middleman (no exits). I would like to
> contribute more by having some services as exit.
> However I'm concerned about security. The machine I'm running as a relay is
> a pc in my home. From it, I have access to my router's web interface. The
> problem if I act as an exit for the port 80, would be that anyone can log
> into (or try to) my home router just by pointing to its ip address. Am I
> right?
>
>
> If the router interface is publicly accessible from the (outside) internet,
> then yes. If it's only available on the LAN, then no. By default tor blocks
> access to local address space, and I believe this is only not the case if it
> is set up as an exit enclave. For example, both of my routers have the
> following restrictions, even though I did not specify them in my torrc:
>
> reject 0.0.0.0/8:*
> reject 169.254.0.0/16:*
> reject 127.0.0.0/8:*
> reject 192.168.0.0/16:*
> reject 10.0.0.0/8:*
> reject 172.16.0.0/12:*
> reject 97.102.75.60:*
>
> I've thought about using iptables to block outgoing connection from the
> relay to my router using
>
> iptables -A OUTPUT -d 192.168.15.1 -j DROP
>
> Not sure that's the correct line to do that. It blocks ping requests but I
> still can access the web interface of my router from that pc. Can anyone
> help me here?
>
>
> I believe what you want is the following:
>
> # /sbin/iptables -A OUTPUT -p tcp -d 192.168.15.1 --dport 80 -j DROP
> # /sbin/service iptables save
>
> Thanks for running an exit!
>
> ~Justin Aplin
>
>
> _______________________________________________
> tor-relays mailing list
> [email protected]
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
>

--
Tomas Sironi
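
Added example (not part of the original thread, and not Tor's own code): a small first-match evaluator for exit-policy lines in the format quoted above, used to check that the router address from the thread, 192.168.15.1, falls under the listed reject lines. The trailing `accept *:80` and `reject *:*` rules and the 198.51.100.7 test address are constructed for illustration; only IPv4 is handled.

```python
import ipaddress

# Reject lines as quoted in the thread, followed by a constructed
# "accept *:80" / "reject *:*" tail standing in for the operator's own policy.
POLICY = """\
reject 0.0.0.0/8:*
reject 169.254.0.0/16:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
reject 97.102.75.60:*
accept *:80
reject *:*
"""

def parse_rule(line):
    """Split 'reject 192.168.0.0/16:*' into (action, network, (lo, hi))."""
    action, pattern = line.split()
    if action not in ("accept", "reject"):
        raise ValueError(f"unknown action: {action!r}")
    addr, _, port = pattern.rpartition(":")
    # "*" as the address matches every destination.
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port == "*":
        ports = (1, 65535)
    else:
        lo, _, hi = port.partition("-")
        ports = (int(lo), int(hi or lo))
    return action, net, ports

def evaluate(policy_text, dest_ip, dest_port):
    """Return (action, rule) for the first matching rule, or (None, None)."""
    ip = ipaddress.ip_address(dest_ip)
    for line in policy_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, net, (lo, hi) = parse_rule(line)
        if (net is None or ip in net) and lo <= dest_port <= hi:
            return action, line
    return None, None

if __name__ == "__main__":
    for ip, port in [("192.168.15.1", 80), ("192.168.15.1", 443),
                     ("97.102.75.60", 80), ("198.51.100.7", 80)]:
        print(ip, port, *evaluate(POLICY, ip, port))
```

Because the first matching rule decides, the private-range reject lines have to come before any broad `accept` line for the router address to stay unreachable through the exit.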
