From mboxrd@z Thu Jan 1 00:00:00 1970
From: Peter Müller
To: development@lists.ipfire.org
Subject: [PATCH 1/2] add IPtables chain for outgoing Tor traffic
Date: Mon, 11 Mar 2019 20:07:00 +0000
Message-ID: <839d952d-a9d0-db21-3f39-306a0ebacc9f@ipfire.org>

If Tor is operating in relay mode, it has to open a lot of outgoing TCP connections. These should be separated from any other outgoing connections, as allowing _all_ outgoing traffic will be unwanted and risky in most cases. Thereof, Tor will be running as a dedicated user (see second patch), allowing usage of user-based IPtables rulesets.

Partially fixes #11779.

Signed-off-by: Peter Müller
---
 src/initscripts/packages/tor    | 4 ++++
 src/initscripts/system/firewall | 4 +++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/initscripts/packages/tor b/src/initscripts/packages/tor index 551538e2f..754a2786f 100644 --- a/src/initscripts/packages/tor +++ b/src/initscripts/packages/tor @@ -21,8 +21,11 @@ function setup_firewall() { # Flush all rules. flush_firewall =20 + # Allow incoming traffic to Tor relay (and directory) port and + # all outgoing TCP connections from Tor user. if [ "${TOR_RELAY_ENABLED}" =3D "on" -a -n "${TOR_RELAY_PORT}" ]; then iptables -A TOR_INPUT -p tcp --dport "${TOR_RELAY_PORT}" -j ACCEPT + iptables -A TOR_OUTPUT -p tcp -m owner --uid-owner tor -j ACCEPT fi =20 if [ "${TOR_RELAY_ENABLED}" =3D "on" -a -n "${TOR_RELAY_DIRPORT}" ] && [ "$= {TOR_RELAY_DIRPORT}" -ne 0 ]; then @@ -33,6 +36,7 @@ function setup_firewall() { function flush_firewall() { # Flush all rules. iptables -F TOR_INPUT + iptables -F TOR_OUTPUT } =20 case "${1}" in 
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 2739a6834..cb533cc94 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -294,9 +294,11 @@ iptables_init() { iptables -N OVPNINPUT iptables -A INPUT -j OVPNINPUT =20 - # Tor + # Tor (inbound and outbound) iptables -N TOR_INPUT iptables -A INPUT -j TOR_INPUT + iptables -N TOR_OUTPUT + iptables -A OUTPUT -j TOR_OUTPUT =09 # Jump into the actual firewall ruleset. iptables -N INPUTFW --=20 2.16.4 --===============0906939508924174716==--
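Review bot: the `iptables -A TOR_OUTPUT -p tcp -m owner --uid-owner tor -j ACCEPT` rule added inside the relay block of the first hunk (setup_firewall in src/initscripts/packages/tor) only loads if a `tor` user already exists, and the commit message says that user is introduced in the second patch; if this patch is applied or deployed on its own, iptables rejects the rule with an unknown-user error and setup_firewall carries on with the inbound rule installed but no outbound allow. Either reorder the series so the user is created first, or state the dependency on patch 2 in the commit message. The new comment also claims to cover "all outgoing TCP connections from Tor user", but the rule is gated on `TOR_RELAY_ENABLED` and `TOR_RELAY_PORT`, so a Tor instance that is not running as a relay gets no outbound exception at all; if that narrowing is intended, the comment should say "when relay mode is enabled" so a reader does not expect the rule to apply to a plain client.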
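Review bot: `iptables -F TOR_OUTPUT` in the flush_firewall hunk assumes the chain exists, but the chain is created only by the companion change to src/initscripts/system/firewall; if the tor package initscript is run against a firewall script that predates this series (a package update before the next firewall restart, or a partial apply), the flush prints an error for the missing chain. Harmless in itself, but it should be explicit: either create the chain here when it is absent (`iptables -N TOR_OUTPUT 2>/dev/null || true` before the flush) or note in the commit message that both files must be updated together.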
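Review bot: in the iptables_init hunk, `iptables -A OUTPUT -j TOR_OUTPUT` is appended at the same point where the INPUT-side Tor jump sits, and an ACCEPT inside TOR_OUTPUT terminates OUTPUT processing, so any outgoing rules installed after this jump never see traffic from the `tor` uid. That is exactly the separation the commit message asks for, but it makes TOR_OUTPUT a per-uid bypass of whatever follows in OUTPUT; the commit message should say so, and the chain's contents should stay as narrow as the first hunk keeps them (`-p tcp` plus the uid match) rather than grow into a general allow. The `# Tor (inbound and outbound)` comment could also name the two chains, so the OUTPUT hook is discoverable when reading a rule dump rather than only from this file.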