How to block all local outbound traffic except for Tor in Debian.

A few simple "iptables" commands can do this (note that if you are using SSH these will block you immediately!). As root, enter:

# iptables -F OUTPUT
# iptables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
# iptables -A OUTPUT -j ACCEPT -o lo
# iptables -A OUTPUT -j ACCEPT -p udp --dport 123
# iptables -P OUTPUT DROP
# iptables -L -v

The last command will display the number of packets that have been allowed through per rule or else dropped.

The only reason this is specific to debian is the username, "debian-tor." (What user does tor run as on other distros?) Ubuntu also uses "debian-tor". On Gentoo it is just "tor", other none-debian based distros may also use this.

It should be noted that the line containing iptables -A OUTPUT -j ACCEPT -p udp --dport 123 is used to allow outbound NTP connections that are not routed over tor.
The line containing iptables -A OUTPUT -j ACCEPT -o lo is used to allow traffic over the loopback device and is completely safe.

Last modified 22 months ago Last modified on Mar 29, 2015, 1:04:39 AM