LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-05-2016, 01:05 AM   #1
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Rep: Reputation: 10
Thumbs down Tor and iptables.


Hello.
I use Debian 8 amd64 with below iptables rules :
Code:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
           tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: UPDATE seconds: 180 hit_count: 4 name: DEFAULT side: source mask: 255.255.255.255
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
DROP       all  --  anywhere             anywhere             recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
           all  --  anywhere             anywhere             recent: REMOVE name: portscan side: source mask: 255.255.255.255
LOG        tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn recent: SET name: portscan side: source mask: 255.255.255.255 LOG level warning prefix "portscan:"
DROP       tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn recent: SET name: portscan side: source mask: 255.255.255.255

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
DROP       all  --  anywhere             anywhere             recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
           all  --  anywhere             anywhere             recent: REMOVE name: portscan side: source mask: 255.255.255.255
LOG        tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn recent: SET name: portscan side: source mask: 255.255.255.255 LOG level warning prefix "portscan:"
DROP       tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn recent: SET name: portscan side: source mask: 255.255.255.255

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere
I like to use "Tor" but as you see my iptables rules can't allow it, How can I solve it? I found below rules :
Code:
#allow tor and polipo access to loopback
iptables -I INPUT -j ACCEPT -i lo -p tcp --dport 8118:9050 --sport 1:65000
iptables -A OUTPUT -j ACCEPT -o lo -p tcp --dport 1:65000 --sport 8118:9050
But why "--sport 1:65000" and "--dport 1:65000"? I guess it mean 1 to 65000 ports. I don't like to open any extra ports.

Thank you.
 
Old 12-05-2016, 01:08 PM   #2
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,244
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
Do an iptables-save > my-rules and post those rules.
The are easier to read.
 
Old 12-06-2016, 12:27 AM   #3
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by lazydog View Post
Do an iptables-save > my-rules and post those rules.
The are easier to read.
Code:
# Generated by iptables-save v1.4.21 on Mon Dec  5 09:56:34 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Mon Dec  5 09:56:34 2016
 
Old 12-06-2016, 03:31 AM   #4
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,161
Blog Entries: 3

Rep: Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562
This line needs to be moved to the end of your INPUT chain:

Code:
-A INPUT -j REJECT --reject-with icmp-port-unreachable
Otherwise all the rules that follow afterwards, including those for Tor, are never reached and thus fail.
 
Old 12-06-2016, 06:43 AM   #5
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by Turbocapitalist View Post
This line needs to be moved to the end of your INPUT chain:

Code:
-A INPUT -j REJECT --reject-with icmp-port-unreachable
Otherwise all the rules that follow afterwards, including those for Tor, are never reached and thus fail.
Thank you, But why? Tor need Input?
 
Old 12-06-2016, 06:49 AM   #6
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,161
Blog Entries: 3

Rep: Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562
Quote:
Originally Posted by hack3rcon View Post
Thank you, But why? Tor need Input?
It depends on what kind of Tor service you are providing or using. If you are providing a bridge, guard, middle node, or exit relay then you need a way for other computers to contact your Tor service. That means a single port should be opened, but not a port range.

If you are just running the Tor Browser Bundle then you don't need any special rules for the INPUT chain as far as Tor is concerned. However, if you are running any kind of relay, then you need to be reachable on the one port that you've configured Tor to listen to.

But in general, only the last rule in the chain should be a blanket REJECT.
 
Old 12-06-2016, 10:02 AM   #7
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by Turbocapitalist View Post
It depends on what kind of Tor service you are providing or using. If you are providing a bridge, guard, middle node, or exit relay then you need a way for other computers to contact your Tor service. That means a single port should be opened, but not a port range.

If you are just running the Tor Browser Bundle then you don't need any special rules for the INPUT chain as far as Tor is concerned. However, if you are running any kind of relay, then you need to be reachable on the one port that you've configured Tor to listen to.

But in general, only the last rule in the chain should be a blanket REJECT.
I just use TorBrowser. I never run any Bridge or...
 
Old 12-06-2016, 10:06 AM   #8
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,244
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
From what I am seeing you added these rules with the following:
Code:
iptables -A INPUT ......
The -A (ADD) adds the rules to the end of the chain

When you want to add rules to an already running firewall you need to learn and understand how to use:
Code:
 iptables -I INPUT # ......
The -I (INSERT) places the rule at the location you specify with the '#' after the chain name.

This allows you to place the rule where you need it which is normally above any DROP or REJECT rule in the chain.
The -I work on all chains.

Last edited by lazydog; 12-06-2016 at 10:10 AM.
 
Old 12-06-2016, 10:07 AM   #9
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,161
Blog Entries: 3

Rep: Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562
Quote:
Originally Posted by hack3rcon View Post
I just use TorBrowser. I never run any Bridge or...
Ok. Then you do not need any special rules in the INPUT chain for Tor.
 
Old 12-07-2016, 12:23 AM   #10
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by Turbocapitalist View Post
Ok. Then you do not need any special rules in the INPUT chain for Tor.
Then, Why my TorBrowser not work
 
Old 12-07-2016, 12:23 AM   #11
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by lazydog View Post
From what I am seeing you added these rules with the following:
Code:
iptables -A INPUT ......
The -A (ADD) adds the rules to the end of the chain

When you want to add rules to an already running firewall you need to learn and understand how to use:
Code:
 iptables -I INPUT # ......
The -I (INSERT) places the rule at the location you specify with the '#' after the chain name.

This allows you to place the rule where you need it which is normally above any DROP or REJECT rule in the chain.
The -I work on all chains.
Can you correct my rules?
 
Old 12-07-2016, 03:29 AM   #12
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,161
Blog Entries: 3

Rep: Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562
Quote:
Originally Posted by hack3rcon View Post
Can you correct my rules?
Can you make a short list of which services you are running that need to listen for an outside connection? For example, do you have OpenSSH server or Apache2?

Or is the machine more or less a standard desktop?
 
Old 12-07-2016, 09:29 AM   #13
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182
A staple of diagnosing this sort of thing is tcpdump, or better yet a GUI tool like WireShark.

You need to see the packets as they come and go, even though you cannot read their content. You need to see what comes in and what is subsequently done to it. It is very difficult by comparison to deduce this: there are simply too many players in the game, even with a small (home) network.
 
Old 12-07-2016, 09:52 AM   #14
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by Turbocapitalist View Post
Can you make a short list of which services you are running that need to listen for an outside connection? For example, do you have OpenSSH server or Apache2?

Or is the machine more or less a standard desktop?
No, It just a Standard Desktop and I like to secure it against hackers. Ass you see my current rules are good and doing scanner blocking via iptables.

Last edited by hack3rcon; 12-07-2016 at 09:58 AM.
 
Old 12-07-2016, 10:13 AM   #15
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,161
Blog Entries: 3

Rep: Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562Reputation: 2562
If it's just a standard desktop, then you don't need much in the filter rules as far as a basic set up is concerned.

Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
That should do it. If you need to log into that machine with SSH, then add the rules for port 22 back in.

If you still can't use the Tor Browser Bundle with that short rule set, then maybe you should look at using a bridge or obfsproxy
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Tails 2.6 Anonymous Linux Live CD Is Out, Brings Tor 0.2.8.7 and Tor Browser 6.0.5 LXer Syndicated Linux News 0 09-21-2016 01:32 AM
LXer: Tor Browser 4.5.2 Is Out with the Latest Tor Anonymity Network Software LXer Syndicated Linux News 0 06-17-2015 02:40 PM
Iptables Rules For Tor On Alternative Ports Mytob Linux - Networking 2 02-16-2015 02:29 AM
block tor users with iptables? qwertyjjj Linux - Newbie 5 04-13-2013 05:59 PM
Tor, Squid, Privoxy behind iptables firewall mistersnorfles Linux - Security 7 12-13-2007 04:12 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:30 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration