# pls verify tor iptables script

## Treborius

hi guys, I am a bit worried about errors in this iptables script

(it's an adaptation, taken from here: https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy)

can someone with more knowledge pls take a look and point a finger at obvious errors?

what it is for:

I want no single packet to escape this box without being routed through tor;

all traffic should go through the transparent proxy that tor ships,

except

- the external access via sshd on port 8888 (ssh from within is not needed)

- access to my home networks 192.168.178.0/24 and 192.168.115.0/24

```
#!/bin/sh

# allow all established (this also covers the replies of inbound sshd sessions)
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

_ssh_port="8888"

# allow ssh new
# Not needed: sshd's replies already match the ESTABLISHED rule above. Worse,
# this pair lets *any* local process reach *any* host on port 8888 outside Tor
# (the nat RETURN skips the redirect, the filter ACCEPT lets the packet out).
# Removed, as discussed further down; left here commented out for reference.
#iptables -I OUTPUT -p tcp --dport $_ssh_port -m state --state NEW -j ACCEPT
#iptables -t nat -A OUTPUT -p tcp --dport $_ssh_port -j RETURN

#destinations you don't want routed through Tor
_non_tor="192.168.178.0/24 192.168.115.0/24"

#the UID that Tor runs as (check with `id -u tor`, or whatever user runs Tor on your box)
_tor_uid="101"

#Tor's transparent proxy port (TransPort in torrc)
_trans_port="9090"

#Tor's dns server port (DNSPort in torrc)
_dns_port="9053"

### set iptables tor-nat
# Tor's own outgoing connections must not be redirected back into Tor
iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN
# plain DNS lookups go to Tor's DNSPort, whichever resolver the application asked
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $_dns_port

#allow clearnet access for hosts in $_non_tor (nat: skip the redirect)
# 127.0.0.0/9 + 127.128.0.0/10 is 127.0.0.0/8 minus 127.192.0.0/10, Tor's default
# VirtualAddrNetwork: the addresses AutomapHostsOnResolve hands out for .onion
# names must still fall through to the REDIRECT below
for _clearnet in $_non_tor 127.0.0.0/9 127.128.0.0/10; do
   iptables -t nat -A OUTPUT -d $_clearnet -j RETURN
done

#redirect all other output to Tor's TransPort (new TCP connections only)
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port

#allow clearnet access for hosts in $_non_tor (filter: let the packets out)
for _clearnet in $_non_tor 127.0.0.0/8; do
   iptables -A OUTPUT -d $_clearnet -j ACCEPT
done

#allow only Tor output
iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT

# reject everything else (IPv4 only: ip6tables is not touched by this script)
iptables -A OUTPUT -j REJECT
```

Is there anything / any tools I can use for testing?

The script is working so far, I can access the internet via tor.

I am only worried that some evil apps may bypass the transparent proxy.

Thanks for your help,

Treb

----------

## Hu

Your first problem is that this is a shell script with no error checking.  If any step fails, others will still execute, which could leave you with a partially configured system.

Your NEW OUTPUT rule should be unnecessary, since the sshd will be responding to an ESTABLISHED connection.

Your kernel might not have support for REJECT, in which case loading the deny rule would not work.  I prefer to use the policy for a catch-all instead of adding a final rule as the catch-all.

Why do you have special entries for 127.0.0.0/9 127.128.0.0/10?

You can use tcpdump to monitor your normal interface to check whether traffic is being sent through non-Tor applications.

----------
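Hu's two structural points (no error checking; the policy as the catch-all) applied to the loader, as an added example that is neither the poster's script nor the Tor wiki's: `set -e` plus a small wrapper abort on the first failed iptables call, and the OUTPUT policy is set to DROP before any rule exists, so a run that dies half-way leaves the box closed rather than half-open. Ports, UID and networks are the ones from the first post; `IPT` is a hypothetical knob that lets the script run against `echo` (or any stub) for a dry run without root.

```shell
#!/bin/sh
# Fail-closed loader for the Tor transparent-proxy rules (added example, not the
# poster's script or the Tor wiki's). Two changes to how the rules are loaded:
# every iptables call is checked and the first failure aborts the run, and the
# catch-all is the OUTPUT chain policy, set to DROP *before* any rule exists, so
# an aborted run leaves the box closed instead of half-open. IPv4 only; an
# IPv6-capable host needs the same done with ip6tables.
set -eu

IPT=${IPT:-iptables}      # hypothetical knob: IPT=echo dry-runs the script without root
_non_tor="192.168.178.0/24 192.168.115.0/24"   # values from the first post
_tor_uid="101"
_trans_port="9090"
_dns_port="9053"

# Wrapper: report the failing rule and return non-zero so set -e stops the script.
ipt() {
    "$IPT" "$@" || { echo "iptables failed: $*" >&2; return 1; }
}

load_tor_rules() {
    # 1. close the door first; from here on nothing leaves unless a rule below allows it
    ipt -P OUTPUT DROP
    ipt -F OUTPUT
    ipt -t nat -F OUTPUT

    # 2. nat: decide what is redirected into Tor and what may skip it
    ipt -t nat -A OUTPUT -m owner --uid-owner "$_tor_uid" -j RETURN
    ipt -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports "$_dns_port"
    for _net in $_non_tor 127.0.0.0/9 127.128.0.0/10; do   # leaves 127.192.0.0/10 (automapped .onion) redirected
        ipt -t nat -A OUTPUT -d "$_net" -j RETURN
    done
    ipt -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports "$_trans_port"

    # 3. filter: what may leave at all; everything else hits the DROP policy
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for _net in $_non_tor 127.0.0.0/8; do
        ipt -A OUTPUT -d "$_net" -j ACCEPT
    done
    ipt -A OUTPUT -m owner --uid-owner "$_tor_uid" -j ACCEPT
    # no trailing REJECT: the policy from step 1 is the catch-all
}

if [ "${1:-}" = apply ]; then load_tor_rules; fi   # run: sh tor-rules.sh apply
```

Run it from a console, not only over ssh: the `-P OUTPUT DROP` followed by the flush momentarily stops every reply packet, the ssh session's included, until the ESTABLISHED rule is back a few lines later, and a run that aborts in between leaves the host unreachable by design. That is the trade-off against the original order, where the REJECT comes last and a failure before it leaves every outbound packet allowed.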

## Treborius

 *Hu wrote:*   

> Your first problem is that this is a shell script with no error checking.  If any step fails, others will still execute, which could leave you with a partially configured system.

I only run this script once, and then use /etc/init.d/iptables save

 *Hu wrote:*   

> Your NEW OUTPUT rule should be unnecessary, since the sshd will be responding to an ESTABLISHED connection.

You're absolutely right, I removed the line.

 *Hu wrote:*   

> Why do you have special entries for 127.0.0.0/9 127.128.0.0/10?

Mindless copy-paste; without them, DNS resolution over Tor's built-in DNS server does not work.

 *Hu wrote:*   

> You can use tcpdump to monitor your normal interface to check whether traffic is being sent through non-Tor applications.

I tried that, but tcpdump does not display the PID of the packets (I think the information is lost at the point tcpdump captures its data),

and as tor is opening connections from various ports to various computers on various ports, the output was not helpful at all

(it seems ok at the first look)

thanks for your advice

----------

## Syl20

Be sure the tables are emptied at the beginning of your rule set. I'm not sure it's done by iptables-save (I don't use it, I use my own iptables init script), and you may have unexpected behaviours if you launch your script, or restart the iptables service, several times in a row.

```
#!/bin/sh

# flush every rule and delete every user-defined chain in the filter and nat
# tables, so running the script twice never stacks a second copy of the rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# (your stuff here)
```

 *Quote:*   

> I tried that, but tcpdump does not display the PID of the packets (I think the information is lost at the point tcpdump captures its data),
> 
> and as tor is opening connections from various ports to various computers on various ports, the output was not helpful at all
> 
> (it seems ok at the first look)

You can try to mix the "tcpdump" output with that of "netstat -anlp".

You can also (and I think you should) add LOG rules to determine which filter rules are applied to which packets. Be careful, that could be _very_ verbose.

----------
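The testing question from the first post, the LOG rules suggested above and Hu's tcpdump check, put together as an added example that is not code from the thread or from the Tor wiki: `audit_ruleset` reads an `iptables-save` dump and flags every rule that lets a packet around the REDIRECT, `install_log_rules` adds a rate-limited LOG rule in front of the final REJECT, and `probe_leaks` does the live test that tcpdump alone could not, connecting from an unprivileged UID and checking that the nat REDIRECT counter moved. The script name `tor-leak-check.sh`, the `PROBE_USER` knob and the 198.51.100.1 target are assumptions; the embedded dump is constructed from the first post's script with the "ssh new" rules still in, and the audit flags exactly those two rules: the nat RETURN lets a connection to port 8888 skip the redirect and the filter ACCEPT lets it leave, so any local process could reach any host on port 8888 in the clear.

```shell
#!/bin/sh
# Leak check for the Tor transparent-proxy ruleset (added example, not code from
# the thread or the Tor wiki). Modes: audit (read `iptables-save` on stdin, flag
# every path around the REDIRECT), log (LOG rule in front of the final REJECT),
# probe (as root: connect from an unprivileged UID, check the REDIRECT counter).
set -eu

TOR_UID=101; TRANS_PORT=9090; DNS_PORT=9053    # values from the posted script
CLEARNET="192.168.178.0/24 192.168.115.0/24"   # the two home networks

# Skipping Tor is fine only for Tor itself, loopback, the home nets or established replies.
rule_is_expected() {
    case "$1" in
        *"--state RELATED,ESTABLISHED"*|*"--state ESTABLISHED,RELATED"*) return 0 ;;
        *"--uid-owner $TOR_UID "*|*"-d 127."*) return 0 ;;
    esac
    for net in $CLEARNET; do
        case "$1" in *"-d $net "*) return 0 ;; esac
    done
    return 1
}

audit_ruleset() {   # prints one LEAK: line per finding, returns 0 only if clean
    table=""; policy=""; last=""; dns_ok=0; tcp_ok=0; bad=0
    while IFS= read -r line; do
        case "$line" in
            "*"*) table=${line#\*} ;;
            ":OUTPUT "*) if [ "$table" = filter ]; then policy=${line#":OUTPUT "}; policy=${policy%% *}; fi ;;
            "-A OUTPUT "*)
                if [ "$table" = filter ]; then
                    last=$line
                    case "$line" in *"-j ACCEPT")
                        rule_is_expected "$line" || { echo "LEAK: filter lets this out of the box: $line"; bad=1; } ;;
                    esac
                elif [ "$table" = nat ]; then
                    case "$line" in
                        *"-p udp "*"--dport 53 -j REDIRECT --to-ports $DNS_PORT") dns_ok=1 ;;
                        *"-p tcp "*"-j REDIRECT --to-ports $TRANS_PORT") tcp_ok=1 ;;
                        *"-j RETURN") rule_is_expected "$line" || { echo "LEAK: nat skips the REDIRECT for: $line"; bad=1; } ;;
                    esac
                fi ;;
        esac
    done
    if [ "$policy" != DROP ]; then
        case "$last" in "-A OUTPUT -j REJECT"*|"-A OUTPUT -j DROP") ;;
            *) echo "LEAK: filter OUTPUT has neither a DROP policy nor a final REJECT/DROP rule"; bad=1 ;;
        esac
    fi
    [ "$dns_ok" -eq 1 ] || { echo "LEAK: UDP/53 is not redirected to DNSPort $DNS_PORT"; bad=1; }
    [ "$tcp_ok" -eq 1 ] || { echo "LEAK: TCP is not redirected to TransPort $TRANS_PORT"; bad=1; }
    return "$bad"
}

# Constructed iptables-save dump of the first post's script with the "ssh new" rules still in.
sample_posted_ruleset() {
cat <<'EOF'
*nat
-A OUTPUT -p tcp -m tcp --dport 8888 -j RETURN
-A OUTPUT -m owner --uid-owner 101 -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
-A OUTPUT -d 192.168.178.0/24 -j RETURN
-A OUTPUT -d 127.0.0.0/9 -j RETURN
-A OUTPUT -d 127.128.0.0/10 -j RETURN
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9090
COMMIT
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 8888 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 192.168.178.0/24 -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -m owner --uid-owner 101 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Rate-limited LOG rule before the final REJECT (appended if the policy is the catch-all); watch with: dmesg -w | grep TOR-LEAK
install_log_rules() {
    n=$(iptables -L OUTPUT -n --line-numbers | awk '$2 ~ /^(REJECT|DROP)$/ { print $1; exit }')
    set -- -m limit --limit 10/min -j LOG --log-prefix "TOR-LEAK: "
    if [ -n "$n" ]; then iptables -I OUTPUT "$n" "$@"; else iptables -A OUTPUT "$@"; fi
}

# A redirected SYN bumps the nat REDIRECT counter; a leaked one does not.
probe_leaks() {
    count() { iptables -t nat -L OUTPUT -v -n -x | awk '$3=="REDIRECT" && ($4=="tcp" || $4=="6") { print $1; exit }'; }
    before=$(count)
    su -s /bin/sh "${PROBE_USER:-nobody}" -c "nc -z -w 3 198.51.100.1 8888" || true   # TEST-NET-2, constructed target
    after=$(count)
    if [ "${after:-0}" -gt "${before:-0}" ]; then echo "probe was redirected into Tor"
    else echo "LEAK: probe bypassed the REDIRECT"; return 1; fi
}

case "${1:-}" in
    audit) audit_ruleset ;;    # iptables-save | sh tor-leak-check.sh audit
    log)   install_log_rules ;;
    probe) probe_leaks ;;
esac
```

Hu's tcpdump becomes useful once the probe gives it something specific to look for: `tcpdump -ni eth0 host 198.51.100.1` (interface name assumed) must stay silent while `probe` runs, and anything it prints is a leaked packet, unmistakable among Tor's own relay connections. The audit knows nothing about IPv6; if the host has IPv6 connectivity, `ip6tables-save` needs the same treatment, or simply `ip6tables -P OUTPUT DROP`.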

