How to make the perfect TOR VM in VirtualBox

rules.v4 2.1KB

  1. *nat
  2. :PREROUTING ACCEPT [0:0]
  3. :POSTROUTING ACCEPT [0:0]
  4. :OUTPUT ACCEPT [0:0]
  5. # Redirect any tcp that is not:
  6. # - tor client itself
  7. # - localhost traffic
  8. # - redsocks traffic to tor socks
  9. -A OUTPUT -m owner --uid-owner debian-tor -j RETURN
  10. -A OUTPUT -d 127.0.0.0/8 -j RETURN
  11. -A OUTPUT -m owner --uid-owner redsocks -p tcp -m tcp --dport 9040 -j RETURN
  12. -A OUTPUT ! -p tcp -j RETURN
  13. # redirect
  14. -A OUTPUT -p tcp -j MARK --set-mark 0x888
  15. -A OUTPUT -p tcp -j REDIRECT --to-port 9040
  16. COMMIT
  17. *filter
  18. :INPUT ACCEPT [0:0]
  19. :FORWARD ACCEPT [0:0]
  20. :OUTPUT ACCEPT [0:0]
  21. -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  22. -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
  23. -A INPUT -i lo -j ACCEPT
  24. -A FORWARD -j DROP
  25. -A OUTPUT -m mark --mark 0x0 -o lo -j MARK --set-mark 0x127
  26. -A OUTPUT -m mark --mark 0x0 -d 127.0.0.0/8 -j MARK --set-mark 0x127
  27. -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 255.255.255.255 -j MARK --set-mark 0x777
  28. -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 10.0.0.0/8 -j MARK --set-mark 0x777
  29. -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 192.168.0.0/16 -j MARK --set-mark 0x777
  30. # tor can go out
  31. -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner debian-tor -j MARK --set-mark 0x777
  32. # ntp can go out, required for tor
  33. -A OUTPUT -m mark --mark 0x0 -p udp -m udp --sport 123 --dport 123 -j MARK --set-mark 0x777
  34. # any other udp will be dropped
  35. -A OUTPUT -m mark --mark 0x0 -p udp -j MARK --set-mark 0x666
  36. # any other tcp will be redsock'ed
  37. -A OUTPUT -m mark --mark 0x0 -p tcp -j MARK --set-mark 0x888
  38. #-A OUTPUT -m mark --mark 0x666 -j LOG --log-prefix "0x666: "
  39. -A OUTPUT -m mark --mark 0x666 -j DROP
  40. #-A OUTPUT -m mark --mark 0x777 -j LOG --log-prefix "0x777: "
  41. -A OUTPUT -m mark --mark 0x777 -j ACCEPT
  42. #-A OUTPUT -m mark --mark 0x888 -j LOG --log-prefix "0x888: "
  43. -A OUTPUT -m mark --mark 0x888 -j ACCEPT
  44. #-A OUTPUT -m mark --mark 0x127 -j LOG --log-prefix "0x127: "
  45. -A OUTPUT -m mark --mark 0x127 -j ACCEPT
  46. #-A OUTPUT -j LOG --log-prefix "DROP: "
  47. -A OUTPUT -j DROP
  48. COMMIT