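# Transparent Tor proxying through redsocks. IPv4 only (iptables): an
# equivalent ip6tables policy is needed, otherwise IPv6 traffic is not
# covered by anything below.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Redirect any tcp that is not:
# - tor client itself
# - localhost traffic
# - redsocks traffic to tor socks
-A OUTPUT -m owner --uid-owner debian-tor -j RETURN
-A OUTPUT -d 127.0.0.0/8 -j RETURN
-A OUTPUT -m owner --uid-owner redsocks -p tcp -m tcp --dport 9040 -j RETURN
-A OUTPUT ! -p tcp -j RETURN
# redirect
# The nat table is consulted only for the first packet of a tracked
# connection; packets conntrack cannot classify are never REDIRECTed
# (they are dropped in the filter table below).
# UDP DNS is not redirected: name resolution must go to a resolver on
# 127.0.0.0/8 (e.g. a local Tor DNSPort); other UDP is dropped by the
# filter table, so a misconfigured resolver fails closed rather than leaking.
-A OUTPUT -p tcp -j MARK --set-mark 0x888
-A OUTPUT -p tcp -j REDIRECT --to-port 9040
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT policy is ACCEPT and the chain has no final DROP, so the rules below
# change nothing: inbound NEW connections are still admitted. Set the policy
# to DROP (after allowing what this host must serve) if that is not intended;
# note the OUTPUT chain does end in an explicit DROP.
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -j DROP
# Packets conntrack classifies as INVALID skip the nat table and are never
# REDIRECTed; without this rule they would fall through to the 0x888
# catch-all below and leave for the real destination unproxied.
-A OUTPUT -m state --state INVALID -j DROP
# Mark scheme: 0x127 loopback, 0x777 may leave directly, 0x666 drop,
# 0x888 tcp handed to redsocks. Each marking rule only touches packets
# that are still unmarked (0x0).
-A OUTPUT -m mark --mark 0x0 -o lo -j MARK --set-mark 0x127
-A OUTPUT -m mark --mark 0x0 -d 127.0.0.0/8 -j MARK --set-mark 0x127
# dhcp client (root only) to broadcast, 10/8 and 192.168/16 servers;
# 172.16.0.0/12 is not listed and would be dropped by the udp rule below.
-A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 255.255.255.255 -j MARK --set-mark 0x777
-A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 10.0.0.0/8 -j MARK --set-mark 0x777
-A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 192.168.0.0/16 -j MARK --set-mark 0x777
# tor can go out
-A OUTPUT -m mark --mark 0x0 -m owner --uid-owner debian-tor -j MARK --set-mark 0x777
# ntp can go out, required for tor (this leaves unproxied, by design)
-A OUTPUT -m mark --mark 0x0 -p udp -m udp --sport 123 --dport 123 -j MARK --set-mark 0x777
# any other udp will be dropped
-A OUTPUT -m mark --mark 0x0 -p udp -j MARK --set-mark 0x666
# any other tcp will be redsock'ed. Tcp that was REDIRECTed in the nat
# table is already 0x888 (first packet) or destined to 127.0.0.0/8 and thus
# 0x127, so only tcp the nat table never saw should reach this rule.
-A OUTPUT -m mark --mark 0x0 -p tcp -j MARK --set-mark 0x888
#-A OUTPUT -m mark --mark 0x666 -j LOG --log-prefix "0x666: "
-A OUTPUT -m mark --mark 0x666 -j DROP
#-A OUTPUT -m mark --mark 0x777 -j LOG --log-prefix "0x777: "
-A OUTPUT -m mark --mark 0x777 -j ACCEPT
#-A OUTPUT -m mark --mark 0x888 -j LOG --log-prefix "0x888: "
-A OUTPUT -m mark --mark 0x888 -j ACCEPT
#-A OUTPUT -m mark --mark 0x127 -j LOG --log-prefix "0x127: "
-A OUTPUT -m mark --mark 0x127 -j ACCEPT
# fail closed: anything still unmarked is dropped
#-A OUTPUT -j LOG --log-prefix "DROP: "
-A OUTPUT -j DROP
COMMIT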