LinuxQuestions.org


Ulysses_ 04-12-2012 03:59 PM

Iptables to allow only ultrasurf+privoxy with ultrasurf as its parent proxy
 
Privoxy is an HTTP proxy that can be set up to use ultrasurf as a parent proxy, whereby ultrasurf sets up a tunnel to a server provided by Ultrasurf Inc so you access the internet through the tunnel for anonymity while privoxy takes some care of privacy.

This works well, except that ultrasurf also scans certain web servers without telling anyone, which can be blocked with iptables:

iptables -A OUTPUT -p tcp -d 65.49.14.0/24 -j ACCEPT
iptables -A OUTPUT -p tcp -s 65.49.14.0/24 -j ACCEPT
iptables -P OUTPUT DROP

Ultrasurf works happily like this, only able to access its creator's server and nothing else. For example, Firefox can be set up with ultrasurf as the HTTP proxy, at 127.0.0.1:9666, and it works fine.

However, privoxy does not work with ultrasurf as the parent proxy if the above iptables rules are used. I have only seen it working like this:

iptables -P OUTPUT ACCEPT

But then nothing is blocked and ultrasurf does its naughty scanning of assorted web servers without telling anyone.

What rules should be used to block ultrasurf but allow privoxy to have it as its parent proxy?

Ulysses_ 04-13-2012 06:24 AM

Here's the magical rule that makes it work:

iptables -A OUTPUT -d 127.0.0.1 -s 127.0.0.1 -j ACCEPT

Another useful rule that helped discover the need for the above rule:

iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables OUTPUT chain:" --log-level 7

This generates messages in the log that can be read using:

dmesg | grep "iptables OUTPUT chain:"
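Putting the thread's pieces together, here is an added example (not code from either post) that emits the complete OUTPUT chain in the order that matters: loopback accept first, then the vendor range, then the rate-limited LOG rule, then the DROP policy. It goes slightly beyond the thread by matching loopback on the interface (-o lo) rather than on 127.0.0.1 alone; the 65.49.14.0/24 range and the log prefix are taken from the posts, and the ULTRASURF_NET variable name is chosen here.

```shell
#!/bin/sh
# Added example: builds the OUTPUT chain the thread converges on, with the
# loopback rule placed first so privoxy can reach ultrasurf's listener at
# 127.0.0.1:9666 before the default-deny policy applies.
# The network range comes from the thread; the variable name is assumed.
ULTRASURF_NET="${ULTRASURF_NET:-65.49.14.0/24}"
LOG_PREFIX="iptables OUTPUT chain:"

# Emit the rules in the order they must be added (iptables evaluates the
# OUTPUT chain top to bottom; the first matching rule wins).
generate_rules() {
    # 1. Loopback traffic first: privoxy -> ultrasurf at 127.0.0.1:9666.
    #    Matching the interface covers all of 127.0.0.0/8, which a rule
    #    written as "-s 127.0.0.1 -d 127.0.0.1" does not.
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # 2. Only the vendor's server range may be reached (by IP, so no DNS needed).
    #    A "-s" match is redundant in OUTPUT: locally generated packets always
    #    carry a local source address, so only the "-d" rule does any work.
    echo "iptables -A OUTPUT -p tcp -d $ULTRASURF_NET -j ACCEPT"
    # 3. Log what falls through, rate-limited, so a blocked connection
    #    (e.g. privoxy unable to reach its parent) shows up in dmesg.
    echo "iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix \"$LOG_PREFIX\" --log-level 7"
    # 4. Default deny for everything else, including ultrasurf's scanning.
    echo "iptables -P OUTPUT DROP"
}

# Sanity check on the generated order: the loopback accept must precede the
# DROP policy, otherwise privoxy cannot reach its parent proxy.
check_order() {
    rules=$(generate_rules)
    lo_line=$(printf '%s\n' "$rules" | grep -n -- '-o lo -j ACCEPT' | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- '-P OUTPUT DROP' | cut -d: -f1)
    [ -n "$lo_line" ] && [ -n "$drop_line" ] && [ "$lo_line" -lt "$drop_line" ]
}

# Apply only when explicitly asked and running as root; otherwise just print
# the commands so they can be reviewed first.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = "0" ]; then
    generate_rules | sh -e
else
    generate_rules
fi
```

Run without arguments to review the rules, or as root with --apply to install them; afterwards `dmesg | grep "iptables OUTPUT chain:"` shows anything the policy dropped.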
