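# Transparent Tor proxying for locally generated IPv4 traffic, in
# iptables-save format (load with iptables-restore).
#
# Requirements and limits:
# - the system users "debian-tor" and "redsocks" must exist, otherwise
#   iptables-restore rejects the "-m owner" rules and nothing is loaded;
# - this file covers IPv4 only; without an equivalent ip6tables policy that
#   drops non-Tor IPv6 output, an IPv6-capable host can still reach the
#   network outside Tor;
# - chain policies stay ACCEPT and the trailing "-j DROP" rules are what
#   fail closed, so flushing the rules leaves the host open until reloaded.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Redirect any tcp that is not:
# - tor client itself
# - localhost traffic
# - redsocks traffic to tor socks
-A OUTPUT -m owner --uid-owner debian-tor -j RETURN
-A OUTPUT -d 127.0.0.0/8 -j RETURN
-A OUTPUT -m owner --uid-owner redsocks -p tcp -m tcp --dport 9040 -j RETURN
-A OUTPUT ! -p tcp -j RETURN
# redirect
# Only the first packet of a connection traverses nat OUTPUT, so this mark
# applies to that packet alone; the filter table re-marks the rest of the
# flow with the same value.
-A OUTPUT -p tcp -j MARK --set-mark 0x888
-A OUTPUT -p tcp -j REDIRECT --to-port 9040
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# allow inbound established or related traffic
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP errors belonging to our own connections (e.g. fragmentation-needed,
# which path MTU discovery relies on) were previously logged and dropped.
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow any traffic on loopback
-A INPUT -i lo -j ACCEPT
# log and drop anything else; the LOG rule is rate-limited so a flood of
# unsolicited packets cannot fill the log
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT-DROP: "
-A INPUT -j DROP
-A FORWARD -j DROP
# mark 0x127 - permitted local traffic
# mark 0x666 - denied traffic
# mark 0x777 - permitted traffic outside TOR (TOR itself)
# mark 0x888 - permitted TCP traffic inside TOR (over redsocks)
#
# Every classification rule matches "--mark 0x0", i.e. only packets no earlier
# rule has claimed, so rule order below is the precedence order.
# mark 0x127 traffic to lo or localhost ip range
-A OUTPUT -m mark --mark 0x0 -o lo -j MARK --set-mark 0x127
-A OUTPUT -m mark --mark 0x0 -d 127.0.0.0/8 -j MARK --set-mark 0x127
# mark DHCP (client port 68 -> server port 67, root only, to the broadcast
# address or an RFC 1918 range)
-A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 255.255.255.255 -j MARK --set-mark 0x777
-A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 10.0.0.0/8 -j MARK --set-mark 0x777
-A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 192.168.0.0/16 -j MARK --set-mark 0x777
-A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 172.16.0.0/12 -j MARK --set-mark 0x777
# mark tor client traffic
-A OUTPUT -m mark --mark 0x0 -m owner --uid-owner debian-tor -j MARK --set-mark 0x777
# any other udp will be dropped
# (this includes plain UDP DNS lookups from anything but Tor, which would
# otherwise leave the host outside the Tor circuit)
-A OUTPUT -m mark --mark 0x0 -p udp -j MARK --set-mark 0x666
# any other tcp will be redsock'ed
-A OUTPUT -m mark --mark 0x0 -p tcp -j MARK --set-mark 0x888
# Anything still marked 0x0 here (e.g. ICMP from non-Tor processes) is not
# matched by the verdict rules and reaches the final LOG/DROP pair.
#-A OUTPUT -m mark --mark 0x666 -j LOG --log-prefix "0x666: "
-A OUTPUT -m mark --mark 0x666 -j DROP
#-A OUTPUT -m mark --mark 0x777 -j LOG --log-prefix "0x777: "
-A OUTPUT -m mark --mark 0x777 -j ACCEPT
#-A OUTPUT -m mark --mark 0x888 -j LOG --log-prefix "0x888: "
-A OUTPUT -m mark --mark 0x888 -j ACCEPT
#-A OUTPUT -m mark --mark 0x127 -j LOG --log-prefix "0x127: "
-A OUTPUT -m mark --mark 0x127 -j ACCEPT
# rate-limited for the same reason as INPUT-DROP above
-A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "OUTPUT-DROP: "
-A OUTPUT -j DROP
COMMIT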