How to block all traffic exept Tor

On a Linux system, there is an easy way to block all inbound and outbound traffic unless it passes through the Tor network.

A few simple iptables commands can do this (note that if you are using SSH this will block you immediately!)

# iptables -P INPUT DROP

# iptables -P OUTPUT DROP

# iptables -P FORWARD DROP



# iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# iptables -I INPUT 2 -i lo -j ACCEPT



# iptables -I OUTPUT 1 -m owner --uid-owner toranon -j ACCEPT

# iptables -A OUTPUT -j ACCEPT -o lo

# iptables -A OUTPUT -j ACCEPT -p udp --dport 123

Where toranon is username under which tor is run. In Debian there is "debian-tor" instead, on Gentoo it just "tor", Cent-OS uses "toranon", Ubuntu - just "tor".


So by adding these rules you will have all your traffic blocked, unless it comes from uid of 'tor'.

Therefore in support of in that case do you have many of the instruction you might possibly really want to get

Do you mean replace "toranon" with your tor name? If so, how to get the tor name that is running in my system, as there are a lot of different Linux contributions

iptables -A OUTPUT -j ACCEPT -p udp --dport 123

Note that this will allow network time protocol connections. An adversary could intercept the connection between your computer and the NTP server and give you the wrong time. That could be used to de-anonymize you. Another attack possibility is when your machine gets infected with malware, e.g. by JavaScript exploits of the web browser. Then the attacker could send clearnet traffic to a destination port 123 anywhere on the internet without gaining root access. Then your real IP adress will be known to the destination server.

To prevent this you could close the port and use tlsdate, or whatever Whonix or Tails uses.

https://www.whonix.org/wiki/Dev/TimeSync#Attacks
http://manpages.ubuntu.com/manpages/rar ... ate.1.html

Do you mean replace "toranon" with your tor name? If so, how to get the tor name that is running in my system, as there are a lot of different Linux contributions

"ofrester"

Often you can find the username it with

cat /etc/passwd | grep tor

or while Tor is running

sudo ps aux | grep tor

I'm using TBB in Ubuntu 12.04, typing

iptables -I OUTPUT 1 -m owner --uid-owner tor -j ACCEPT

in terminal returns error message, should I?

@ofrester
Replace tor with debian-tor

root@ubuntu:~# iptables -P INPUT DROP

root@ubuntu:~# iptables -P OUTPUT DROP

root@ubuntu:~# iptables -P FORWARD DROP

root@ubuntu:~# iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPTroot@ubuntu:~# # iptables -I INPUT 2 -i lo -j ACCEPT

root@ubuntu:~# iptables -I OUTPUT 1 -m owner --uid-owner debian-tor -j ACCEPT

iptables v1.4.12: owner: Bad value for "--uid-owner" option: "debian-tor"

Try `iptables -h' or 'iptables --help' for more information.

root@ubuntu:~# iptables -A OUTPUT -j ACCEPT -o lo

root@ubuntu:~# iptables -A OUTPUT -j ACCEPT -p udp --dport 123

Which version of Ubuntu is that? What do you get when you type this:

ps aux | grep /usr/bin/tor

12.04

ofrester@ubuntu:~$ ps aux | grep tor
...
...
ofrester ... 0.0 0.0 ... ... ? S 11:08 0:00 /bin/sh /home/ofrester/tor-browser_en-US/start-tor-browser
ofrester ... ... ... ... ... ? S 11:08 0:03 /home/ofrester/tor-browser_en-US/App/./tor -f /home/ofrester/tor-browser_en-US/App/../Data/Tor/torrc DataDirectory /home/ofrester/tor-browser_en-US/Data/Tor ControlPort 9151 __OwningControllerProcess ... HashedControlPassword 16:0B8B840419FD098C06A1FFE5E7CA2B3D634AA7 581D4044C3738B964741
ofrester ... ... ... ... ... ? Sl 11:09 ... /home/ofrester/tor-browser_en-US/App/Firefox/firefox -no-remote -profile /home/ofrester/tor-browser_en-US/Data/profile
ofrester ... ... ... ... ... pts/1 R+ 11:10 0:00 grep --color=auto tor

When you use Vidalia to start Tor then there is no easy way to do this. You would have to allow every entry node/bridge seperately to block everything but Tor.
You may want to install the Tor package instead:

https://www.torproject.org/docs/debian#development

Also install Privoxy:

apt-get install privoxy

And add this line to /etc/privoxy/config

forward-socks5 / 127.0.0.1:9050 .

Then modiify the start-tor-browser script to only start the Tor Browser, but not Vidalia:
viewtopic.php?f=2&t=18324#p18935 (see step 7.2.1.2.)

Start Tor Browser and make it use Privoxy:
HTTP Proxy: 127.0.0.1
Port: 8118
[x] Use this proxy for all protocols

When that is done you can put the user "debian-tor" in the firewall script.

You may also want to install ARM, so you can get a new identity like with Vidalia:

apt-get install tor-arm

Enter "arm" in a terminal to start it, press "n" to get a new identity or "m" for a menu.

My censored network block me from downloading anything from the repo, where can I download Tor and obfsproxy package?

Add this line to /etc/apt/apt.conf.d/00aptitude

Acquire::socks::Proxy "socks://127.0.0.1:9050";

Then apt-get will use Tor for downloading.

The apt-get still connected directly to the internet when I follow you advice to update, also I tried to change the port number from 9050 to 9150, and then relogin, still didn't work.

Ah right. It tries to get the hostname of the repository server through the internet. If DNS resolving is blocked by your provider then that won't work.
Can you connect to this website? http://packages.ubuntu.com/

Btw you were talking about obfsproxy. Do you use the Pluggable Transports version of Tor? That would make everything a little more complicated, as there is no easy way of getting bridges to add them to the Tor config file.

I can't connect to Tor network without using bridges, best using obfs bridges. If there is no easy way of adding bridges, I think adding the bridges would be out of my ability. Now after inputting the lines in your topic, my tor browser 17.08 which configure to go through Tor network has been unavailable, how to recover?

You can easily add normal Tor bridges to the Tor config file, because it's easy to get a list. But it's not easy to get a list of obfs bridges, because there is no public list.
Which lines do you mean? The ones which TOR Hacker posted? Just replace the username "toranon" with username "ofrester". Note that this will not block all traffic except Tor. It will block all traffic except the traffic from the user account ofrester.

To block all traffic except Tor while still using the pluggable transports TBB you could add a new user account to Ubuntu.

sudo adduser tor-user

Move TBB to the new users home

sudo mv /home/ofrester/tor-browser_en-US /home/tor-user

sudo chown -R tor-user:tor-user /home/tor-user/tor-browser_en-US

Replace the username toranon with tor-user.

iptables -I OUTPUT 1 -m owner --uid-owner tor-user -j ACCEPT

Then you can start Tor from the ofrester account with

xhost +

cd /home/tor-user/tor-browser_en-US

sudo -u tor-user ./start-tor-browser

Never log in as user tor-user however. Always log in as ofrester.

Ah you mean you changed the HTTP proxy settings in Tor Browser and now it won't connect? Just remove the proxy settings again.

Ah you mean you changed the HTTP proxy settings in Tor Browser and now it won't connect? Just remove the proxy settings again.

"NSA"

No, added socks proxy to /etc/apt/apt.conf.d/00aptitude

~> xhost +
access control disabled, clients can connect from any host

"Which lines do you mean? The ones which TOR Hacker posted?"

Yes, I miss