I have been fiddling with setting up both iptables and tor on my local machine. Most of it was fairly easy to do, once I dedicated the time to actually do it. Configuring both “at the same time” also made things easier for me, but YMMV. Regardless, it did take quite a while researching, tweaking and testing – most of that time was spent on the iptables front for me.
I ended up doing this incrementally. The 5 major steps I went through were:
- Created a basic incoming (INPUT) firewall – enforcing
- Installed tor + torsocks and aliased a few commands to run with torsocks
- Created a basic outgoing (OUTPUT) firewall – permissive
- Made the outgoing firewall enforcing
- Migrated the majority of programs and services to use tor.
Some of these overlapped time-wise and I certainly revisited the configuration a couple of times. A couple of things that I learned:
- You probably want to have a look at “netstat --listen -put --numeric” when you write your INPUT firewall.
- The tor developers have tried a lot to make things easy. It is scary how often “torsocks program [args]” just works(tm).
- That said, it does not always work.
- Tor and iptables (OUTPUT) can have a synergy effect on each other.
  - Notably, when it is easier to just “torsocks” a program than adding the necessary iptables rules.
- Writing iptables rules becomes a lot easier once:
  - You learn how to use iptables’s LOG rule
  - You use sensible-editor + iptables-restore or something like puppet’s firewall module
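As an added example (not code from the original post), the following POSIX shell script generates the two OUTPUT-firewall stages described above in iptables-restore format: a permissive stage whose OUTPUT policy is ACCEPT and which only logs new outbound connections, and an enforcing stage whose policy is DROP. The INPUT chain is enforcing in both. It assumes Debian's default tor service user “debian-tor” (tor itself needs direct network access, everything else is expected to go through torsocks to 127.0.0.1, which the loopback rule covers); the function names, file paths and log prefixes are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: builds an iptables-restore
# ruleset for a "log first, enforce later" OUTPUT firewall on a tor host.
set -eu

TOR_USER="${TOR_USER:-debian-tor}"   # assumption: Debian's tor service user

# Default policy for the OUTPUT chain in each stage.
output_policy() {
    case "$1" in
        permissive) echo ACCEPT ;;
        enforcing)  echo DROP ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Write the ruleset for MODE ($1) to FILE ($2) in iptables-restore format.
# Lines starting with '#' are ignored by iptables-restore.
write_ruleset() {
    mode="$1"; file="$2"
    policy="$(output_policy "$mode")"
    cat > "$file" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT $policy [0:0]
# --- INPUT: enforcing from the start ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Log whatever still falls through to the DROP policy (rate-limited).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: " --log-level 4
# --- OUTPUT ---
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The tor daemon itself must reach the network directly.
-A OUTPUT -m owner --uid-owner $TOR_USER -j ACCEPT
# Any other new connection is non-tor traffic: log it. The permissive policy
# then ACCEPTs it, the enforcing policy DROPs it. Grep the kernel log for the
# prefix to decide which program to torsocks or to add an explicit rule for.
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-NEW: " --log-level 4
COMMIT
EOF
}

# Number of rules in FILE ($1) that hit the LOG target (sanity check).
count_log_rules() {
    grep -c -- '-j LOG' "$1"
}

# Parse-check FILE ($1) without committing it. Needs root and iptables;
# otherwise the check is skipped with a note.
check_ruleset() {
    if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        iptables-restore --test "$1"
    else
        echo "iptables-restore not available as root; skipped parse check of $1" >&2
    fi
}

# Usage: write both stages next to each other so they can be diffed.
RULES_DIR="${RULES_DIR:-${TMPDIR:-/tmp}}"
write_ruleset permissive "$RULES_DIR/rules.permissive.v4"
write_ruleset enforcing  "$RULES_DIR/rules.enforcing.v4"
echo "wrote $RULES_DIR/rules.permissive.v4 and $RULES_DIR/rules.enforcing.v4"
```

Before writing the INPUT rules, list the listening sockets with the netstat command from the post (or “ss -ltunp” on systems without net-tools) so the DROP policy does not cut off a service you still need. Run the permissive file through iptables-restore first, watch the kernel log for the “OUTPUT-NEW:” prefix for a few days while moving programs to torsocks, and only then load the enforcing file; check_ruleset parses a file as root without committing it, so a syntax error is caught before the live rules change.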
Filed under: Debian