* [PATCH 1/2] add IPtables chain for outgoing Tor traffic
@ 2019-03-11 20:07 Peter Müller
From: Peter Müller @ 2019-03-11 20:07 UTC (permalink / raw)
To: development
If Tor is operating in relay mode, it has to open a lot of outgoing
TCP connections. These should be separated from any other outgoing
connections, as allowing _all_ outgoing traffic will be unwanted and
risky in most cases.
Therefore, Tor will be running as a dedicated user (see second patch),
allowing usage of user-based IPtables rulesets.
Partially fixes #11779.
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
src/initscripts/packages/tor | 4 ++++
src/initscripts/system/firewall | 4 +++-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/initscripts/packages/tor b/src/initscripts/packages/tor
index 551538e2f..754a2786f 100644
--- a/src/initscripts/packages/tor
+++ b/src/initscripts/packages/tor
@@ -21,8 +21,11 @@ function setup_firewall() {
# Flush all rules.
flush_firewall
+ # Allow incoming traffic to Tor relay (and directory) port and
+ # all outgoing TCP connections from Tor user.
if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_PORT}" ]; then
iptables -A TOR_INPUT -p tcp --dport "${TOR_RELAY_PORT}" -j ACCEPT
+ iptables -A TOR_OUTPUT -p tcp -m owner --uid-owner tor -j ACCEPT
fi
if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_DIRPORT}" ] && [ "${TOR_RELAY_DIRPORT}" -ne 0 ]; then
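Review bot: the new `iptables -A TOR_OUTPUT -p tcp -m owner --uid-owner tor -j ACCEPT` line references the `tor` user by name, which the cover text says is only introduced in patch 2/2; with 1/2 applied on its own, iptables cannot resolve the uid and `setup_firewall` fails at that point, so either reorder the series or guard the rule with a check that the user exists (e.g. `getent passwd tor >/dev/null`). Also note that the rule is only installed inside the `TOR_RELAY_ENABLED`/`TOR_RELAY_PORT` branch, so a Tor instance running in client-only mode gets no entry in `TOR_OUTPUT` at all; if that is intended because the OUTPUT policy is permissive for non-relay setups, say so in the commit message, and keep in mind that the rule as written permits the tor uid to reach any destination and port, which is what the "all outgoing TCP connections" comment describes but is broader than "separated from any other outgoing connections" suggests.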
@@ -33,6 +36,7 @@ function setup_firewall() {
function flush_firewall() {
# Flush all rules.
iptables -F TOR_INPUT
+ iptables -F TOR_OUTPUT
}
case "${1}" in
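Review bot: `iptables -F TOR_OUTPUT` in `flush_firewall` assumes the chain already exists; on a system where the package initscript runs before the updated `system/firewall` script has been reloaded (typical right after an upgrade), the flush prints an error for the missing chain. Consider silencing it or checking for the chain first (`iptables -L TOR_OUTPUT -n >/dev/null 2>&1`), as the same consideration applies to the existing `TOR_INPUT` flush.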
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 2739a6834..cb533cc94 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -294,9 +294,11 @@ iptables_init() {
iptables -N OVPNINPUT
iptables -A INPUT -j OVPNINPUT
- # Tor
+ # Tor (inbound and outbound)
iptables -N TOR_INPUT
iptables -A INPUT -j TOR_INPUT
+ iptables -N TOR_OUTPUT
+ iptables -A OUTPUT -j TOR_OUTPUT
# Jump into the actual firewall ruleset.
iptables -N INPUTFW
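Review bot: this hunk creates `TOR_OUTPUT` and jumps to it from `OUTPUT`, but nothing in the series changes what happens to locally generated traffic that does not match the chain, so whether "allowing all outgoing traffic" is actually prevented depends entirely on the existing `OUTPUT` policy and the rules that follow the jump; it would help to state in the commit message what that policy is, and to add a matching teardown of `TOR_OUTPUT` wherever `TOR_INPUT` is deleted or flushed elsewhere in this script so that the two chains are handled symmetrically.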
--
2.16.4