On Sun, Dec 11, 2016 at 11:33:23PM -0700, Mirimir wrote:
> On 12/10/2016 07:16 AM, Jason Long wrote:
> > Hello.
> > I like to close all INPUT connections via iptables but I like to use
> > Tor Browser, then which port(s) must be open?
> >
> > -A OUTPUT -p tcp -m tcp --dport 9151 -j ACCEPT
> >
> > Is it enough? How about "INPUT"? Must I open any input port too?
> >
> > Thank you.
>
> You only need to allow input and output for the tor process. And input
> for SSH, if you need that. Plus related/established, of course.
>
> In Debian, run "id -u debian-tor". Then use that number (typically 108)
> in an output rule. Tor input is allowed by related/established.
>
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -j DROP
>
> -A OUTPUT -i lo -j ACCEPT
> -A OUTPUT -m owner --uid-owner 108 -j ACCEPT
> -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -j DROP
>
> --
> tor-talk mailing list - tor-talk@lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
OP is running Tor Browser, not the typical Debian Tor setup. So "id -u debian-tor" won't work. I assume that he's running Tor Browser as his normal user.

Also: "-A OUTPUT -i lo -j ACCEPT" is neither a valid rule, nor is it necessary, since loopback traffic is already allowed at input and stateful inspection is enabled both ways.
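As an added illustration (not code from the thread or from the Tor project), a POSIX shell helper that emits the ruleset the reply implies for Tor Browser running as the normal login user (the owner match takes that user's UID instead of debian-tor's) and a small lint that catches the interface-match mistake the reply points out. `tor_browser_ruleset`, `lint_ruleset` and the file name `tor_browser_rules.sh` are hypothetical names; UID 1000 and port 22 in the usage are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the tor-talk thread. Hypothetical helpers:
#   tor_browser_ruleset UID SSH_PORT  -> prints an iptables-restore ruleset
#   lint_ruleset                      -> reads a ruleset on stdin, flags
#                                        interface matches on the wrong chain
# Tor Browser bundles its own tor and runs it as the login user, so the
# owner match uses that user's UID (e.g. "$(id -u)"), not debian-tor's.
# Chain policies are DROP, so the explicit "-j DROP" rules are not needed.
tor_browser_ruleset() {
    uid="$1"
    ssh_port="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport $ssh_port -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner $uid -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# "-i" names the incoming interface and only exists for packets entering
# the host (INPUT/FORWARD); "-o" names the outgoing one (OUTPUT/FORWARD).
# iptables rejects a rule like "-A OUTPUT -i lo", so catching it here
# avoids a failed iptables-restore that leaves the ruleset half loaded.
lint_ruleset() {
    awk 'BEGIN { bad = 0 }
         /^-A OUTPUT / && / -i / { print "invalid (-i in OUTPUT): " $0; bad = 1 }
         /^-A INPUT /  && / -o / { print "invalid (-o in INPUT): "  $0; bad = 1 }
         END { exit bad }'
}

# Usage: build the ruleset for the current user, lint it, print it. Load the
# result as root with "iptables-restore < rules.v4" (constructed file name).
main() {
    rules=$(tor_browser_ruleset "$(id -u)" 22)
    printf '%s\n' "$rules" | lint_ruleset || return 1
    printf '%s\n' "$rules"
}

case "$0" in *tor_browser_rules.sh) main ;; esac
```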