LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-12-2017, 07:06 AM   #1
ZehnFranken
LQ Newbie
Registered: Feb 2017
Posts: 1

Iptables - routing all traffic through tor (hidden service on a raspberry pi).


Hey there,
as you can probably tell from the subject, I'd greatly appreciate some help configuring my iptables rule set.
I wanted to host a hidden service on my raspberry pi, for fun. So far, I have put some effort into securing ssh connections, by forcing public key authentication - among other things.
Right now, I'm working on iptables rules. My goal is to force all traffic through tor, while still allowing me to access the server via ssh (which I have enabled on port 1357).
I'm still quite new to iptables, but this is the script I wrote so far:

Code:
#!/bin/bash

IPTABLES="/sbin/iptables"

# Flush existing rules and default to dropping everything not explicitly allowed.
$IPTABLES -F
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# Only the Tor daemon (user debian-tor), loopback traffic and NTP (UDP 123) may leave the box.
$IPTABLES -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
$IPTABLES -A OUTPUT -j ACCEPT -o lo
$IPTABLES -A OUTPUT -j ACCEPT -p udp --dport 123

# Loopback traffic and replies to the connections Tor and NTP opened; with INPUT DROP
# these would otherwise be discarded and neither Tor nor NTP could work.
$IPTABLES -A INPUT -j ACCEPT -i lo
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

# SSH on the non-standard port 1357: inbound connections and the replies to them.
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 1357 -m state --state NEW,ESTABLISHED
$IPTABLES -A OUTPUT -j ACCEPT -p tcp --sport 1357 -m state --state ESTABLISHED
Are there any security flaws in this, or can I improve on anything? I was told that allowing time synchronisation with NTP was very important, hence I added the rule:
Code:
$IPTABLES -A OUTPUT -j ACCEPT -p udp --dport 123
Thank you all in advance!
Old 02-12-2017, 07:34 PM   #2
r3sistance
Senior Member
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

I don't see any reason to have OUTPUT as DROP; that is going outbound, so you are just making the services you are using time out instead of returning a "connection was refused" prompt.

One suggestion is putting a limit on new connections to SSH, or using a service such as Fail2ban, to just block off any attacks against the SSH port. While putting it on another port might trick the bots, if anybody is going to do port scans then they will find it.
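As an added example (not the poster's script or the reply's), here is the ruleset from the question with the loopback and reply-traffic gaps closed and the reply's suggestion of limiting new SSH connections implemented with the iptables "recent" match. It assumes, as in the question, that Tor runs as the debian-tor user, sshd listens on TCP 1357 and NTP uses UDP 123; it prints the rules instead of loading them unless run with the argument apply.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumptions: Tor runs as
# debian-tor, sshd listens on TCP 1357, NTP uses UDP 123 (all from the question).
# Dry run by default: "./rules.sh apply" loads the rules, anything else prints them.
if [ "${1:-}" = "apply" ]; then
    IPTABLES="/sbin/iptables"
else
    IPTABLES="echo /sbin/iptables"
fi
SSH_PORT="${SSH_PORT:-1357}"

apply_rules() {
    $IPTABLES -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP

    # Loopback both ways: Tor reaches the hidden service itself via 127.0.0.1.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Replies to the connections Tor and NTP opened; without this, INPUT DROP
    # silently breaks both. Conntrack INVALID packets are dropped early.
    $IPTABLES -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Limit new SSH connections per source: once an address has opened 5 in
    # 60 s, further attempts from it are dropped until the window passes.
    $IPTABLES -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name ssh --rcheck --seconds 60 --hitcount 5 -j DROP
    $IPTABLES -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --name ssh --set -j ACCEPT

    # Outbound: only Tor (matched by owner), NTP, and replies to accepted
    # inbound sessions such as SSH. Nothing else may open a connection.
    $IPTABLES -A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
    $IPTABLES -A OUTPUT -p udp --dport 123 -j ACCEPT
    $IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Reject instead of relying on the DROP policy so local programs fail
    # fast with "connection refused" rather than timing out (the reply's point).
    $IPTABLES -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
}

apply_rules
```

Rules are appended in order, so the ESTABLISHED,RELATED accept must stay above the SSH limiter or every packet of an existing SSH session would count as a new hit.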