public
/
torvm
Volgen 1
Ster 0
Vork 0
Code Kwesties 0 Pull-aanvragen 0 Publicaties 0 Wiki Activiteit
How to make the perfect TOR VM in VirtualBox
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12 Commits
1 Branch
Tree: 36f36036cc
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van '36f36036cc'
${ noResults }
torvm/static/etc/iptables/rules.v4

rules.v4 2.6KB
Ruw Blame Geschiedenis

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778 
  1. *nat

  2. :PREROUTING ACCEPT [0:0]

  3. :POSTROUTING ACCEPT [0:0]

  4. :OUTPUT ACCEPT [0:0]

  5. 

  6. # Redirect any tcp that is not:

  7. # - tor client itself

  8. # - localhost traffic

  9. # - redsocks traffic to tor socks

  10. -A OUTPUT -m owner --uid-owner debian-tor -j RETURN

  11. -A OUTPUT -d 127.0.0.0/8 -j RETURN

  12. -A OUTPUT -m owner --uid-owner redsocks -p tcp -m tcp --dport 9040 -j RETURN

  13. -A OUTPUT ! -p tcp -j RETURN

  14. 

  15. # redirect

  16. -A OUTPUT -p tcp -j MARK --set-mark 0x888

  17. -A OUTPUT -p tcp -j REDIRECT --to-port 9040

  18. 

  19. COMMIT

  20. 

  21. *filter

  22. :INPUT ACCEPT [0:0]

  23. :FORWARD ACCEPT [0:0]

  24. :OUTPUT ACCEPT [0:0]

  25. 

  26. # allow inbound established or related traffic

  27. -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

  28. -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

  29. 

  30. # allow any traffic on loopback

  31. -A INPUT -i lo -j ACCEPT

  32. 

  33. # log and drop anything else

  34. -A INPUT -j LOG --log-prefix "INPUT-DROP: "

  35. -A INPUT -j DROP

  36. 

  37. -A FORWARD -j DROP

  38. 

  39. # mark 0x127 - permitted local traffic

  40. # mark 0x666 - denied traffic

  41. # mark 0x777 - permitted traffic outside TOR (TOR itself)

  42. # mark 0x888 - permitted TCP traffic inside TOR (over redsocks)

  43. 

  44. # mark 0x127 traffic to lo or localhost ip range

  45. -A OUTPUT -m mark --mark 0x0 -o lo -j MARK --set-mark 0x127

  46. -A OUTPUT -m mark --mark 0x0 -d 127.0.0.0/8 -j MARK --set-mark 0x127

  47. 

  48. # mark DHCP

  49. -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 255.255.255.255 -j MARK --set-mark 0x777

  50. -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 10.0.0.0/8 -j MARK --set-mark 0x777

  51. -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 192.168.0.0/16 -j MARK --set-mark 0x777

  52. -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner root -p udp -m udp --sport 68 --dport 67 -d 172.16.0.0/12 -j MARK --set-mark 0x777

  53. 

  54. # mark tor client traffic

  55. -A OUTPUT -m mark --mark 0x0 -m owner --uid-owner debian-tor -j MARK --set-mark 0x777

  56. 

  57. # any other udp will be dropped

  58. -A OUTPUT -m mark --mark 0x0 -p udp -j MARK --set-mark 0x666

  59. 

  60. # any other tcp will be redsock'ed

  61. -A OUTPUT -m mark --mark 0x0 -p tcp -j MARK --set-mark 0x888

  62. 

  63. #-A OUTPUT -m mark --mark 0x666 -j LOG --log-prefix "0x666:  "

  64. -A OUTPUT -m mark --mark 0x666 -j DROP

  65. 

  66. #-A OUTPUT -m mark --mark 0x777 -j LOG --log-prefix "0x777:  "

  67. -A OUTPUT -m mark --mark 0x777 -j ACCEPT

  68. 

  69. #-A OUTPUT -m mark --mark 0x888 -j LOG --log-prefix "0x888:  "

  70. -A OUTPUT -m mark --mark 0x888 -j ACCEPT

  71. 

  72. #-A OUTPUT -m mark --mark 0x127 -j LOG --log-prefix "0x127:  "

  73. -A OUTPUT -m mark --mark 0x127 -j ACCEPT

  74. 

  75. -A OUTPUT -j LOG --log-prefix "OUTPUT-DROP: "

  76. -A OUTPUT -j DROP

  77. 

  78. COMMIT