Blocking all local outbound non-Tor traffic with iptables

A few simple iptables commands can achieve this. (Note: If you are using SSH, these will block you immediately!).

In order for these to work, you must ensure the --uid-owner option is followed by the Tor user account on your system. This user is debian-tor in both Debian and Ubuntu, Gentoo uses just tor, other distributions may have different ones. If you're unsure, you can list your user accounts by issuing the command cat /etc/passwd.

As root, execute the following commands:

# iptables -F OUTPUT
# iptables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
# iptables -A OUTPUT -j ACCEPT -o lo
# iptables -A OUTPUT -j ACCEPT -p udp --dport 123
# iptables -P OUTPUT DROP
# iptables -L -v

The last command will display the number of packets that have been allowed through per rule or else dropped.

Notice: The line containing iptables -A OUTPUT -j ACCEPT -p udp --dport 123 is used to allow outbound NTP connections that are not routed over Tor. The line containing iptables -A OUTPUT -j ACCEPT -o lo is used to allow traffic over the loopback device and is completely safe.

The above commands only set rules for IPv4 traffic. To block outbound non-Tor IPv6 traffic, you will have to use ip6tables. Execute the following commands as root:

# ip6tables -F OUTPUT
# ip6tables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
# ip6tables -A OUTPUT -j ACCEPT -o lo
# ip6tables -P OUTPUT DROP

(addition by mathew, start)

I worked out further on this. Will try to show the script that I use to run protection for system tor, as above, along with TBB-Tor. Based on: Prevent and LOG any potential DNS-leakage with iptables (Debian GNU/Linux way) and other tips (and some experience).

echo; echo "++++++"
echo "Pls., just comment out all the \"sleep 2\" lines, once you figure out this script"
echo "It then runs in one go, no delays."
echo "++++++"; echo

# vars

# Debian, Ubuntu... stock install
TOR_UID=$(id -u debian-tor)
echo \$TOR_UID: $TOR_UID
sleep 2

# After issued: "addgroup --system tbb-tor", with password ("gpasswd tbb-tor")
TBB_GID=$(cat /etc/group | grep tbb-tor | awk -F: '{ print $3 }')
echo \$TBB_GID: $TBB_GID
sleep 2

echo " * flushing old rules (filter)"
$iptables -t filter -X; $iptables -t filter -F
sleep 2

echo " * flushing the nat table"
$iptables -t nat -X; $iptables -t nat -F
sleep 2

echo " * flushing the mangle table"
$iptables -t mangle -X; $iptables -t mangle -F
sleep 2

echo " * flushing the raw table"
$iptables -t raw -X; $iptables -t raw -F
sleep 2

echo "cat /proc/sys/net/ipv4/ip_forward :"
cat /proc/sys/net/ipv4/ip_forward
sleep 2

echo " * Set default policies for INPUT FORWARD (OUTPUT commented out)"
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
sleep 2

echo " * Enable free use of loopback interface on INPUT"
$iptables -I INPUT 1 -i lo -j ACCEPT
sleep 2

echo " * All TCP sessions should begin with SYN"
$iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-level error --log-prefix tor_rules_no_syn
$iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
sleep 2

echo " * Allow ESTABLISHED packets at INTPUT"
#$iptables -A INPUT -m state --state ESTABLISHED -j LOG --log-level error --log-prefix tor_rules_est
# acceptable option s/ESTABLISHED/ESTABLISHED,RELATED/ instead
$iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
sleep 2
echo " * Enable free use of loopback interface on OUTPUT"
$iptables -A OUTPUT -o lo -j ACCEPT
sleep 2

echo " * allowing all if owner debian-tor at OUTPUT"
$iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT

echo " * allowing all if gid-owner tbb-tor at OUTPUT"
$iptables -A OUTPUT -m owner --gid-owner $TBB_GID -j ACCEPT
sleep 2

echo " * DROP everything else and Log it"
$iptables -P OUTPUT DROP
sleep 2

echo " * saving settings"
/sbin/iptables-save > /etc/iptables.up.rules

As root, chmod 700 <the-above-script>. Execute it as root. And a little more to do...

You need to change group ownership of the entire Tor Browser Bundle uncompressed archive (for which we created the group tbb-tor), like (if I remember correctly):

# chgrp -R tbb-tor tor-browser_en-US/

What I do know, is than no packets go out into deep web from the machine with iptables set with the script like that one mine above (pls. do check if I made any typoes...). It's only Tor. And you can run both the Debian system tor and the Tor Browser Bundle. Only to darkweb the traffic goes...

And you run the TBB like this:

$ cd tor-browser_en-US/
$ sg tbb-tor -c ./start-tor-browser

(end of mathew's addition)

Last modified 10 months ago Last modified on Dec 29, 2019, 9:14:36 PM