Blocking all local outbound non-Tor traffic with iptables

A few simple iptables commands can achieve this. (Note: if you are logged in over SSH, these rules will cut off your session as soon as the DROP policy is set: the replies sent by sshd are outbound packets owned by a non-Tor user, and no rule below allows established connections. Run them from a local console, or from a script that applies all of them at once.)

In order for these to work, you must ensure the --uid-owner option is followed by the Tor user account on your system. This user is debian-tor on both Debian and Ubuntu; Gentoo uses just tor; other distributions may use different names. If you're unsure, list your user accounts with cat /etc/passwd (or narrow it down with grep -i tor /etc/passwd). Getting this name wrong means the Tor daemon itself is blocked and nothing gets out at all.

As root, enter:

# iptables -F OUTPUT
# iptables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
# iptables -A OUTPUT -j ACCEPT -o lo
# iptables -A OUTPUT -j ACCEPT -p udp --dport 123
# iptables -P OUTPUT DROP
# iptables -L -v

The last command lists the rules with per-rule packet and byte counters, so you can see how much traffic each ACCEPT rule has let through; the counter next to the OUTPUT chain's DROP policy shows how much non-Tor traffic has been dropped.

Notice: The line containing iptables -A OUTPUT -j ACCEPT -p udp --dport 123 allows outbound NTP traffic that is not routed over Tor. Tor only carries TCP streams, so NTP (UDP) cannot go through it; this rule is a deliberate clear-net exception, and you can omit it if your clock is set some other way. The line containing iptables -A OUTPUT -j ACCEPT -o lo allows traffic over the loopback device; such traffic never leaves the host, so it is completely safe. Two further points to keep in mind: these rules only apply to IPv4, so add the equivalent ip6tables rules (or an ip6tables -P OUTPUT DROP) if the machine has IPv6 connectivity; and DNS lookups from any user other than the Tor user are dropped too, so applications must resolve names through Tor (its SOCKS port or DNSPort) rather than the system resolver. The rules are also not persistent: save them (for example with iptables-save) or reapply them at boot.
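The following script, an added example rather than part of this wiki page, turns the commands above into something that can be reviewed and applied in one go: it looks up the Tor user in a passwd file, emits the same rule set for a given iptables binary (iptables or ip6tables), and only applies it when TOR_ONLY_APPLY=1 is set, so it is safe to run or source just to inspect the generated rules. The function names, the TOR_ONLY_APPLY variable and the sample passwd content are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Tor wiki page). Helper names and the
# TOR_ONLY_APPLY switch are assumptions made for this example.

# Print the Tor account name found in a passwd file (default /etc/passwd),
# trying the names the page mentions: debian-tor (Debian/Ubuntu), tor (Gentoo).
# Returns 1 if neither exists, so callers never fall back to a wrong name.
tor_user() {
    passwd_file="${1:-/etc/passwd}"
    for u in debian-tor tor; do
        if grep -q "^${u}:" "$passwd_file"; then
            printf '%s\n' "$u"
            return 0
        fi
    done
    return 1
}

# Emit the page's rules, one command per line, for a given firewall binary.
#   $1 = iptables or ip6tables
#   $2 = Tor user name
#   $3 = "yes" to keep the clear-net NTP (UDP/123) exception, "no" to drop it
tor_only_rules() {
    bin="$1"
    user="$2"
    allow_ntp="${3:-yes}"
    printf '%s -F OUTPUT\n' "$bin"                                   # start from an empty OUTPUT chain
    printf '%s -A OUTPUT -j ACCEPT -m owner --uid-owner %s\n' "$bin" "$user"  # only the Tor daemon may talk out
    printf '%s -A OUTPUT -j ACCEPT -o lo\n' "$bin"                   # loopback never leaves the host
    if [ "$allow_ntp" = yes ]; then
        printf '%s -A OUTPUT -j ACCEPT -p udp --dport 123\n' "$bin"  # NTP cannot ride Tor (UDP)
    fi
    printf '%s -P OUTPUT DROP\n' "$bin"                              # everything else is dropped
}

# Apply the rules for IPv4 and IPv6 with the detected Tor user. Requires root
# and, as the page warns, will cut off a remote SSH session.
apply_tor_only() {
    user="$(tor_user)" || { echo "no Tor user found in /etc/passwd" >&2; return 1; }
    tor_only_rules iptables "$user" yes | sh -e
    # ip6tables supports the same owner match; the NTP exception is kept on IPv4 only.
    tor_only_rules ip6tables "$user" no | sh -e
    iptables -L OUTPUT -v -n
    ip6tables -L OUTPUT -v -n
}

# Only touch the firewall when explicitly asked; otherwise just show the rules
# that would be applied (assumed switch: TOR_ONLY_APPLY=1).
if [ "${TOR_ONLY_APPLY:-0}" = 1 ]; then
    apply_tor_only
else
    tor_only_rules iptables "$(tor_user 2>/dev/null || echo debian-tor)" yes
fi
```

Review the printed commands first; then run the script as root with TOR_ONLY_APPLY=1 from a local console. Passing no for the NTP argument on ip6tables means the only IPv6 packets allowed out are the Tor daemon's own and loopback.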

Last modified on Mar 16, 2018, 12:44:32 AM