Old 12-05-2016, 01:05 AM   #1
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Tor and iptables.


Hello.
I use Debian 8 amd64 with below iptables rules :
Code:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
           tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: UPDATE seconds: 180 hit_count: 4 name: DEFAULT side: source mask: 255.255.255.255
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
DROP       all  --  anywhere             anywhere             recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
           all  --  anywhere             anywhere             recent: REMOVE name: portscan side: source mask: 255.255.255.255
LOG        tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn recent: SET name: portscan side: source mask: 255.255.255.255 LOG level warning prefix "portscan:"
DROP       tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn recent: SET name: portscan side: source mask: 255.255.255.255

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
DROP       all  --  anywhere             anywhere             recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
           all  --  anywhere             anywhere             recent: REMOVE name: portscan side: source mask: 255.255.255.255
LOG        tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn recent: SET name: portscan side: source mask: 255.255.255.255 LOG level warning prefix "portscan:"
DROP       tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn recent: SET name: portscan side: source mask: 255.255.255.255

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere
I like to use "Tor" but as you see my iptables rules can't allow it. How can I solve it? I found the rules below:
Code:
#allow tor and polipo access to loopback
iptables -I INPUT -j ACCEPT -i lo -p tcp --dport 8118:9050 --sport 1:65000
iptables -A OUTPUT -j ACCEPT -o lo -p tcp --dport 1:65000 --sport 8118:9050
But why "--sport 1:65000" and "--dport 1:65000"? I guess it means ports 1 to 65000. I don't like to open any extra ports.

Thank you.
 
Old 12-05-2016, 01:08 PM   #2
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Do an iptables-save > my-rules and post those rules.
They are easier to read.
 
Old 12-06-2016, 12:27 AM   #3
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Quote:
Originally Posted by lazydog View Post
Do an iptables-save > my-rules and post those rules.
They are easier to read.
Code:
# Generated by iptables-save v1.4.21 on Mon Dec  5 09:56:34 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Mon Dec  5 09:56:34 2016
 
Old 12-06-2016, 03:31 AM   #4
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,307
Blog Entries: 3

This line needs to be moved to the end of your INPUT chain:

Code:
-A INPUT -j REJECT --reject-with icmp-port-unreachable
Otherwise all the rules that follow afterwards, including those for Tor, are never reached and thus fail.
 
Old 12-06-2016, 06:43 AM   #5
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Quote:
Originally Posted by Turbocapitalist View Post
This line needs to be moved to the end of your INPUT chain:

Code:
-A INPUT -j REJECT --reject-with icmp-port-unreachable
Otherwise all the rules that follow afterwards, including those for Tor, are never reached and thus fail.
Thank you, but why? Does Tor need INPUT?
 
Old 12-06-2016, 06:49 AM   #6
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,307
Blog Entries: 3

Quote:
Originally Posted by hack3rcon View Post
Thank you, but why? Does Tor need INPUT?
It depends on what kind of Tor service you are providing or using. If you are providing a bridge, guard, middle node, or exit relay then you need a way for other computers to contact your Tor service. That means a single port should be opened, but not a port range.

If you are just running the Tor Browser Bundle then you don't need any special rules for the INPUT chain as far as Tor is concerned. However, if you are running any kind of relay, then you need to be reachable on the one port that you've configured Tor to listen to.

But in general, only the last rule in the chain should be a blanket REJECT.
 
Old 12-06-2016, 10:02 AM   #7
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Quote:
Originally Posted by Turbocapitalist View Post
It depends on what kind of Tor service you are providing or using. If you are providing a bridge, guard, middle node, or exit relay then you need a way for other computers to contact your Tor service. That means a single port should be opened, but not a port range.

If you are just running the Tor Browser Bundle then you don't need any special rules for the INPUT chain as far as Tor is concerned. However, if you are running any kind of relay, then you need to be reachable on the one port that you've configured Tor to listen to.

But in general, only the last rule in the chain should be a blanket REJECT.
I just use TorBrowser. I never run any Bridge or...
 
Old 12-06-2016, 10:06 AM   #8
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

From what I am seeing you added these rules with the following:
Code:
iptables -A INPUT ......
The -A (ADD) adds the rules to the end of the chain.

When you want to add rules to an already running firewall you need to learn and understand how to use:
Code:
 iptables -I INPUT # ......
The -I (INSERT) places the rule at the location you specify with the '#' after the chain name.

This allows you to place the rule where you need it which is normally above any DROP or REJECT rule in the chain.
The -I works on all chains.

Last edited by lazydog; 12-06-2016 at 10:10 AM.
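Added example, not code from the thread or from any of its participants: a small POSIX shell/awk script that reads iptables-save or "iptables -S" style rule lines and does two things the posts above describe. It lists the rules that sit behind a blanket REJECT/DROP/ACCEPT in the same chain (Turbocapitalist's point in #4: the INPUT and FORWARD chains in the posted dump have a catch-all rule in the middle, so everything appended after it is never evaluated), and it computes the position argument for "iptables -I CHAIN N" so that a new rule lands in front of that catch-all (lazydog's point in #8). The sample rule text is the iptables-save dump from post #3 plus a short, well-ordered desktop ruleset constructed here for comparison; the function names and the "blanket rule" heuristic are this example's own, not iptables features.

```shell
#!/bin/sh
# Added example, not from the thread. Finds rules shadowed by a blanket
# terminating rule and computes where "iptables -I CHAIN N" must insert
# a new rule so it is evaluated before that blanket rule.

# Constructed sample: the INPUT, FORWARD and OUTPUT rules from the
# iptables-save dump posted in this thread (same order as posted).
THREAD_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A OUTPUT -j ACCEPT'

# Constructed sample: a well-ordered desktop ruleset whose blanket REJECT
# is the last rule of the chain, so nothing is shadowed.
DESKTOP_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# One awk program, two modes. mode=shadowed lists unreachable rules in every
# chain; mode=position prints the index of the first blanket rule in "chain"
# (0 when the chain has none). Indices count "-A CHAIN" lines in order, which
# is exactly the numbering "iptables -I CHAIN N" and --line-numbers use.
RULE_SCAN='
function is_blanket() {
    # "-A CHAIN -j TARGET" with at most a --reject-with option: no match
    # criteria, so every packet that reaches the rule is terminated here.
    return $3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT") &&
           (NF == 4 || (NF == 6 && $5 == "--reject-with"))
}
$1 == "-A" {
    c = $2; idx[c]++
    if (blanket[c] > 0) {
        if (mode == "shadowed")
            print c " rule " idx[c] " is unreachable (shadowed by rule " blanket[c] "): " $0
        next
    }
    if (is_blanket()) blanket[c] = idx[c]
}
END { if (mode == "position") print blanket[chain] + 0 }
'

# shadowed_rules RULES: print every rule that can never be evaluated.
shadowed_rules() {
    printf '%s\n' "$1" | awk -v mode=shadowed "$RULE_SCAN"
}

# blanket_position CHAIN RULES: index of the first blanket rule in CHAIN, or 0.
blanket_position() {
    printf '%s\n' "$2" | awk -v mode=position -v chain="$1" "$RULE_SCAN"
}

# insert_command CHAIN RULES RULE_SPEC: the iptables command that places
# RULE_SPEC in front of the blanket rule (plain -A when there is none).
insert_command() {
    pos=$(blanket_position "$1" "$2")
    if [ "$pos" -eq 0 ]; then
        printf 'iptables -A %s %s\n' "$1" "$3"
    else
        printf 'iptables -I %s %s %s\n' "$1" "$pos" "$3"
    fi
}

echo "== rules in the posted dump that can never match =="
shadowed_rules "$THREAD_RULES"
echo "== same check on the desktop ruleset (expect no output) =="
shadowed_rules "$DESKTOP_RULES"
echo "== re-adding an SSH rule to the desktop ruleset, ahead of its REJECT =="
insert_command INPUT "$DESKTOP_RULES" '-p tcp --dport 22 -m state --state NEW -j ACCEPT'
```

On a live machine feed it the output of `iptables-save` or `iptables -S INPUT` and confirm the computed position against `iptables -L INPUT --line-numbers` before inserting. The heuristic is deliberately narrow: only a rule with no match criteria at all is treated as blanket, so a REJECT qualified by, say, `-m state --state NEW` is not flagged even though it stops almost every new connection that reaches it.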
 
Old 12-06-2016, 10:07 AM   #9
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,307
Blog Entries: 3

Quote:
Originally Posted by hack3rcon View Post
I just use TorBrowser. I never run any Bridge or...
Ok. Then you do not need any special rules in the INPUT chain for Tor.
 
Old 12-07-2016, 12:23 AM   #10
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Quote:
Originally Posted by Turbocapitalist View Post
Ok. Then you do not need any special rules in the INPUT chain for Tor.
Then why does my TorBrowser not work?
 
Old 12-07-2016, 12:23 AM   #11
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Quote:
Originally Posted by lazydog View Post
From what I am seeing you added these rules with the following:
Code:
iptables -A INPUT ......
The -A (ADD) adds the rules to the end of the chain.

When you want to add rules to an already running firewall you need to learn and understand how to use:
Code:
 iptables -I INPUT # ......
The -I (INSERT) places the rule at the location you specify with the '#' after the chain name.

This allows you to place the rule where you need it which is normally above any DROP or REJECT rule in the chain.
The -I works on all chains.
Can you correct my rules?
 
Old 12-07-2016, 03:29 AM   #12
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,307
Blog Entries: 3

Quote:
Originally Posted by hack3rcon View Post
Can you correct my rules?
Can you make a short list of which services you are running that need to listen for an outside connection? For example, do you have OpenSSH server or Apache2?

Or is the machine more or less a standard desktop?
 
Old 12-07-2016, 09:29 AM   #13
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

A staple of diagnosing this sort of thing is tcpdump, or better yet a GUI tool like Wireshark.

You need to see the packets as they come and go, even though you cannot read their content. You need to see what comes in and what is subsequently done to it. It is very difficult by comparison to deduce this: there are simply too many players in the game, even with a small (home) network.
 
Old 12-07-2016, 09:52 AM   #14
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Quote:
Originally Posted by Turbocapitalist View Post
Can you make a short list of which services you are running that need to listen for an outside connection? For example, do you have OpenSSH server or Apache2?

Or is the machine more or less a standard desktop?
No, it's just a standard desktop and I like to secure it against hackers. As you see, my current rules are good and do scanner blocking via iptables.

Last edited by hack3rcon; 12-07-2016 at 09:58 AM.
 
Old 12-07-2016, 10:13 AM   #15
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,307
Blog Entries: 3

If it's just a standard desktop, then you don't need much in the filter rules as far as a basic set up is concerned.

Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
That should do it. If you need to log into that machine with SSH, then add the rules for port 22 back in.

If you still can't use the Tor Browser Bundle with that short rule set, then maybe you should look at using a bridge or obfsproxy.
 
  

