TorForum.org

Unofficial forum about Tor Project
  1. Home
  2. Userspace Software
  3. How to block all traffic exept Tor

How to block all traffic exept Tor

TOR Hacker
8 days ago

On a Linux system, there is an easy way to block all inbound and outbound traffic unless it passes through the Tor network.

A few simple iptables commands can do this (note that if you are using SSH this will block you immediately!) 



# iptables -P INPUT DROP

# iptables -P OUTPUT DROP

# iptables -P FORWARD DROP



# iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# iptables -I INPUT 2 -i lo -j ACCEPT



# iptables -I OUTPUT 1 -m owner --uid-owner toranon -j ACCEPT

# iptables -A OUTPUT -j ACCEPT -o lo

# iptables -A OUTPUT -j ACCEPT -p udp --dport 123


Where toranon is username under which tor is run. In Debian there is "debian-tor" instead, on Gentoo it just "tor", Cent-OS uses "toranon", Ubuntu - just "tor".


So by adding these rules you will have all your traffic blocked, unless it comes from uid of 'tor'.
rs3gold
last year

Therefore in support of in that case do you have many of the instruction you might possibly really want to get
ofrester
last year

Do you mean replace "toranon" with your tor name? If so, how to get the tor name that is running in my system, as there are a lot of different Linux contributions
NSA
last year

iptables -A OUTPUT -j ACCEPT -p udp --dport 123


Note that this will allow network time protocol connections. An adversary could intercept the connection between your computer and the NTP server and give you the wrong time. That could be used to de-anonymize you. Another attack possibility is when your machine gets infected with malware, e.g. by JavaScript exploits of the web browser. Then the attacker could send clearnet traffic to a destination port 123 anywhere on the internet without gaining root access. Then your real IP adress will be known to the destination server.

To prevent this you could close the port and use tlsdate, or whatever Whonix or Tails uses.

https://www.whonix.org/wiki/Dev/TimeSync#Attacks
http://manpages.ubuntu.com/manpages/rar ... ate.1.html
NSA
last year

Do you mean replace "toranon" with your tor name? If so, how to get the tor name that is running in my system, as there are a lot of different Linux contributions
"ofrester"

Often you can find the username it with


cat /etc/passwd | grep tor

or while Tor is running


sudo ps aux | grep tor
ofrester
last year

I'm using TBB in Ubuntu 12.04, typing

iptables -I OUTPUT 1 -m owner --uid-owner tor -j ACCEPT

in terminal returns error message, should I?
NSA
last year

@ofrester
Replace tor with debian-tor
ofrester
last year 

root@ubuntu:~# iptables -P INPUT DROP

root@ubuntu:~# iptables -P OUTPUT DROP

root@ubuntu:~# iptables -P FORWARD DROP

root@ubuntu:~# iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPTroot@ubuntu:~# # iptables -I INPUT 2 -i lo -j ACCEPT

root@ubuntu:~# iptables -I OUTPUT 1 -m owner --uid-owner debian-tor -j ACCEPT

iptables v1.4.12: owner: Bad value for "--uid-owner" option: "debian-tor"

Try `iptables -h' or 'iptables --help' for more information.

root@ubuntu:~# iptables -A OUTPUT -j ACCEPT -o lo

root@ubuntu:~# iptables -A OUTPUT -j ACCEPT -p udp --dport 123
NSA
last year

Which version of Ubuntu is that? What do you get when you type this:
ps aux | grep /usr/bin/tor
ofrester
last year

12.04

ofrester@ubuntu:~$ ps aux | grep tor
...
...
ofrester ... 0.0 0.0 ... ... ? S 11:08 0:00 /bin/sh /home/ofrester/tor-browser_en-US/start-tor-browser
ofrester ... ... ... ... ... ? S 11:08 0:03 /home/ofrester/tor-browser_en-US/App/./tor -f /home/ofrester/tor-browser_en-US/App/../Data/Tor/torrc DataDirectory /home/ofrester/tor-browser_en-US/Data/Tor ControlPort 9151 __OwningControllerProcess ... HashedControlPassword 16:0B8B840419FD098C06A1FFE5E7CA2B3D634AA7 581D4044C3738B964741
ofrester ... ... ... ... ... ? Sl 11:09 ... /home/ofrester/tor-browser_en-US/App/Firefox/firefox -no-remote -profile /home/ofrester/tor-browser_en-US/Data/profile
ofrester ... ... ... ... ... pts/1 R+ 11:10 0:00 grep --color=auto tor
NSA
last year

When you use Vidalia to start Tor then there is no easy way to do this. You would have to allow every entry node/bridge seperately to block everything but Tor.
You may want to install the Tor package instead:

https://www.torproject.org/docs/debian#development

Also install Privoxy:
apt-get install privoxy


And add this line to /etc/privoxy/config
forward-socks5 / 127.0.0.1:9050 .


Then modiify the start-tor-browser script to only start the Tor Browser, but not Vidalia:
viewtopic.php?f=2&t=18324#p18935 (see step 7.2.1.2.)

Start Tor Browser and make it use Privoxy:
HTTP Proxy: 127.0.0.1
Port: 8118
[x] Use this proxy for all protocols

When that is done you can put the user "debian-tor" in the firewall script.

You may also want to install ARM, so you can get a new identity like with Vidalia:
apt-get install tor-arm


Enter "arm" in a terminal to start it, press "n" to get a new identity or "m" for a menu.
ofrester
last year

My censored network block me from downloading anything from the repo, where can I download Tor and obfsproxy package?
NSA
last year

Add this line to /etc/apt/apt.conf.d/00aptitude
Acquire::socks::Proxy "socks://127.0.0.1:9050";


Then apt-get will use Tor for downloading.
ofrester
last year

The apt-get still connected directly to the internet when I follow you advice to update, also I tried to change the port number from 9050 to 9150, and then relogin, still didn't work.
NSA
last year

Ah right. It tries to get the hostname of the repository server through the internet. If DNS resolving is blocked by your provider then that won't work.
Can you connect to this website? http://packages.ubuntu.com/

Btw you were talking about obfsproxy. Do you use the Pluggable Transports version of Tor? That would make everything a little more complicated, as there is no easy way of getting bridges to add them to the Tor config file.
ofrester
last year

I can't connect to Tor network without using bridges, best using obfs bridges. If there is no easy way of adding bridges, I think adding the bridges would be out of my ability. Now after inputting the lines in your topic, my tor browser 17.08 which configure to go through Tor network has been unavailable, how to recover?
NSA
last year

You can easily add normal Tor bridges to the Tor config file, because it's easy to get a list. But it's not easy to get a list of obfs bridges, because there is no public list.
Which lines do you mean? The ones which TOR Hacker posted? Just replace the username "toranon" with username "ofrester". Note that this will not block all traffic except Tor. It will block all traffic except the traffic from the user account ofrester.

To block all traffic except Tor while still using the pluggable transports TBB you could add a new user account to Ubuntu.
sudo adduser tor-user

Move TBB to the new users home 
sudo mv /home/ofrester/tor-browser_en-US /home/tor-user

sudo chown -R tor-user:tor-user /home/tor-user/tor-browser_en-US

Replace the username toranon with tor-user. 
iptables -I OUTPUT 1 -m owner --uid-owner tor-user -j ACCEPT

Then you can start Tor from the ofrester account with


xhost +

cd /home/tor-user/tor-browser_en-US

sudo -u tor-user ./start-tor-browser


Never log in as user tor-user however. Always log in as ofrester.
NSA
last year

Ah you mean you changed the HTTP proxy settings in Tor Browser and now it won't connect? Just remove the proxy settings again.
ofrester
last year

Ah you mean you changed the HTTP proxy settings in Tor Browser and now it won't connect? Just remove the proxy settings again.
"NSA"

No, added socks proxy to /etc/apt/apt.conf.d/00aptitude
ofrester
last year

~> xhost +
access control disabled, clients can connect from any host
ofrester
last year

"Which lines do you mean? The ones which TOR Hacker posted?"

Yes, I miss

Reply

You are not logged in. Login or register to reply on this thread.