How to block all traffic except Tor


3 years ago
On a Linux system, there is an easy way to block all inbound and outbound traffic unless it passes through the Tor network.

A few simple iptables commands can do this (note that if you are using SSH this will block you immediately!).


# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP

# iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -I INPUT 2 -i lo -j ACCEPT

# iptables -I OUTPUT 1 -m owner --uid-owner toranon -j ACCEPT
# iptables -A OUTPUT -j ACCEPT -o lo
# iptables -A OUTPUT -j ACCEPT -p udp --dport 123


Where toranon is the username under which Tor is run. On Debian it is "debian-tor" instead, on Gentoo it is just "tor", CentOS uses "toranon", Ubuntu just "tor".


So by adding these rules you will have all your traffic blocked, unless it comes from the uid of 'tor'.


3 years ago
Do you mean replace "toranon" with your tor name? If so, how do I get the tor name that is running on my system, as there are a lot of different Linux contributions?

3 years ago
iptables -A OUTPUT -j ACCEPT -p udp --dport 123


Note that this will allow network time protocol connections. An adversary could intercept the connection between your computer and the NTP server and give you the wrong time. That could be used to de-anonymize you. Another attack possibility is when your machine gets infected with malware, e.g. by JavaScript exploits of the web browser. Then the attacker could send clearnet traffic to destination port 123 anywhere on the internet without gaining root access. Then your real IP address will be known to the destination server.

To prevent this you could close the port and use tlsdate, or whatever Whonix or Tails uses.

https://www.whonix.org/wiki/Dev/TimeSync#Attacks
http://manpages.ubuntu.com/manpages/rar ... ate.1.html

3 years ago
Do you mean replace "toranon" with your tor name? If so, how do I get the tor name that is running on my system, as there are a lot of different Linux contributions?
"ofrester"

Often you can find the username with

cat /etc/passwd | grep tor

or while Tor is running

sudo ps aux | grep tor

3 years ago
I'm using TBB in Ubuntu 12.04, typing

iptables -I OUTPUT 1 -m owner --uid-owner tor -j ACCEPT

in the terminal returns an error message, should I?

3 years ago
@ofrester
Replace tor with debian-tor

3 years ago
root@ubuntu:~# iptables -P INPUT DROP
root@ubuntu:~# iptables -P OUTPUT DROP
root@ubuntu:~# iptables -P FORWARD DROP
root@ubuntu:~# iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
root@ubuntu:~# # iptables -I INPUT 2 -i lo -j ACCEPT
root@ubuntu:~# iptables -I OUTPUT 1 -m owner --uid-owner debian-tor -j ACCEPT
iptables v1.4.12: owner: Bad value for "--uid-owner" option: "debian-tor"
Try `iptables -h' or 'iptables --help' for more information.
root@ubuntu:~# iptables -A OUTPUT -j ACCEPT -o lo
root@ubuntu:~# iptables -A OUTPUT -j ACCEPT -p udp --dport 123
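
A session like the one above leaves the firewall in a state nobody intended: the loopback INPUT rule was typed behind a leading "#" (a shell comment, so it never ran) and the owner rule was rejected, while the DROP policies and the other rules did apply. The script below is an added example, not part of the thread, that audits an `iptables-save -t filter` dump for the properties the first post's ruleset is meant to have and lists what is missing or extra. The dump format assumed is the standard iptables-save text; the sample dumps the script writes are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a filter table
# dump for the Tor-only properties. Usage on a real host, as root:
#   iptables-save -t filter > /tmp/filter.dump && sh audit.sh /tmp/filter.dump

# Print one line per finding for the dump in file $1; return the count.
audit_rules() {
    f="$1"; n=0
    for chain in INPUT OUTPUT FORWARD; do
        grep -q "^:$chain DROP" "$f" \
            || { echo "$chain policy is not DROP"; n=$((n+1)); }
    done
    grep -Eq -- '^-A INPUT -i lo -j ACCEPT$' "$f" \
        || { echo "INPUT lacks loopback accept (local SOCKS/DNS to Tor would be refused)"; n=$((n+1)); }
    grep -Eq -- '^-A INPUT .*(--state|--ctstate) [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT$' "$f" \
        || { echo "INPUT lacks ESTABLISHED,RELATED accept (replies would be dropped)"; n=$((n+1)); }
    grep -Eq -- '^-A OUTPUT .*--uid-owner [^ ]+ -j ACCEPT$' "$f" \
        || { echo "OUTPUT lacks an owner-match accept: nothing, not even Tor, can send"; n=$((n+1)); }
    # Any OUTPUT accept that is not loopback, the owner match or udp/123
    # is a hole in the "only Tor" goal: report each one.
    extras=$(grep -E -- '^-A OUTPUT .*-j ACCEPT$' "$f" \
        | grep -Ev -- '(-o lo |--uid-owner |-p udp .*--dport 123 )' || true)
    if [ -n "$extras" ]; then
        echo "$extras" | sed 's/^/OUTPUT has an extra accept: /'
        n=$((n + $(echo "$extras" | wc -l | tr -d ' ')))
    fi
    return $n
}

# Constructed sample dumps (not captured from a real host). "good" is the
# first post's ruleset as iptables-save prints it (uid 107 is made up);
# "session" is what the terminal session above would leave behind.
write_sample_dump() {
    cat > "$2" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 107 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
COMMIT
EOF
    if [ "$1" = session ]; then
        # Drop the two rules the session never installed: one typed
        # behind a '#', one rejected because the username did not exist.
        trimmed=$(sed '/-i lo -j/d;/--uid-owner/d' "$2")
        printf '%s\n' "$trimmed" > "$2"
    fi
}

if [ -n "${1:-}" ] && [ -f "$1" ]; then
    audit_rules "$1"; echo "findings: $?"
fi
```

Running the audit on the "session" sample reports exactly the two gaps the session produced; the same checks on a live dump tell you whether the commands you pasted actually took effect before you trust the box.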

3 years ago
Which version of Ubuntu is that? What do you get when you type this:
ps aux | grep /usr/bin/tor

3 years ago
12.04

ofrester@ubuntu:~$ ps aux | grep tor
...
...
ofrester ... 0.0 0.0 ... ... ? S 11:08 0:00 /bin/sh /home/ofrester/tor-browser_en-US/start-tor-browser
ofrester ... ... ... ... ... ? S 11:08 0:03 /home/ofrester/tor-browser_en-US/App/./tor -f /home/ofrester/tor-browser_en-US/App/../Data/Tor/torrc DataDirectory /home/ofrester/tor-browser_en-US/Data/Tor ControlPort 9151 __OwningControllerProcess ... HashedControlPassword 16:0B8B840419FD098C06A1FFE5E7CA2B3D634AA7 581D4044C3738B964741
ofrester ... ... ... ... ... ? Sl 11:09 ... /home/ofrester/tor-browser_en-US/App/Firefox/firefox -no-remote -profile /home/ofrester/tor-browser_en-US/Data/profile
ofrester ... ... ... ... ... pts/1 R+ 11:10 0:00 grep --color=auto tor

3 years ago
When you use Vidalia to start Tor then there is no easy way to do this. You would have to allow every entry node/bridge separately to block everything but Tor.
You may want to install the Tor package instead:

https://www.torproject.org/docs/debian#development

Also install Privoxy:
apt-get install privoxy


And add this line to /etc/privoxy/config
forward-socks5 / 127.0.0.1:9050 .


Then modify the start-tor-browser script to only start the Tor Browser, but not Vidalia:
viewtopic.php?f=2&t=18324#p18935 (see step 7.2.1.2.)

Start Tor Browser and make it use Privoxy:
HTTP Proxy: 127.0.0.1
Port: 8118
[x] Use this proxy for all protocols

When that is done you can put the user "debian-tor" in the firewall script.

You may also want to install ARM, so you can get a new identity like with Vidalia:
apt-get install tor-arm


Enter "arm" in a terminal to start it, press "n" to get a new identity or "m" for a menu.

3 years ago
My censored network blocks me from downloading anything from the repo, where can I download the Tor and obfsproxy packages?

3 years ago
Add this line to /etc/apt/apt.conf.d/00aptitude
Acquire::socks::Proxy "socks://127.0.0.1:9050";


Then apt-get will use Tor for downloading.

3 years ago
apt-get still connected directly to the internet when I followed your advice to update; I also tried to change the port number from 9050 to 9150 and then relogin, but it still didn't work.

3 years ago
Ah right. It tries to get the hostname of the repository server through the internet. If DNS resolving is blocked by your provider then that won't work.
Can you connect to this website? http://packages.ubuntu.com/

Btw you were talking about obfsproxy. Do you use the Pluggable Transports version of Tor? That would make everything a little more complicated, as there is no easy way of getting bridges to add them to the Tor config file.

3 years ago
I can't connect to the Tor network without using bridges, best using obfs bridges. If there is no easy way of adding bridges, I think adding the bridges would be beyond my ability. Now, after inputting the lines in your topic, my Tor Browser 17.08, which is configured to go through the Tor network, has become unavailable. How do I recover?

3 years ago
You can easily add normal Tor bridges to the Tor config file, because it's easy to get a list. But it's not easy to get a list of obfs bridges, because there is no public list.
Which lines do you mean? The ones which TOR Hacker posted? Just replace the username "toranon" with username "ofrester". Note that this will not block all traffic except Tor. It will block all traffic except the traffic from the user account ofrester.

To block all traffic except Tor while still using the pluggable transports TBB you could add a new user account to Ubuntu.
sudo adduser tor-user

Move TBB to the new users home
sudo mv /home/ofrester/tor-browser_en-US /home/tor-user
sudo chown -R tor-user:tor-user /home/tor-user/tor-browser_en-US

Replace the username toranon with tor-user.
iptables -I OUTPUT 1 -m owner --uid-owner tor-user -j ACCEPT

Then you can start Tor from the ofrester account with

xhost +
cd /home/tor-user/tor-browser_en-US
sudo -u tor-user ./start-tor-browser


Never log in as user tor-user however. Always log in as ofrester.

3 years ago
Ah you mean you changed the HTTP proxy settings in Tor Browser and now it won't connect? Just remove the proxy settings again.

3 years ago
Ah you mean you changed the HTTP proxy settings in Tor Browser and now it won't connect? Just remove the proxy settings again.
"NSA"

No, added socks proxy to /etc/apt/apt.conf.d/00aptitude

3 years ago
~> xhost +
access control disabled, clients can connect from any host

3 years ago
"Which lines do you mean? The ones which TOR Hacker posted?"

Yes, I miss
