I’m running a Tor exit relay on ports 9030 for advertising directory connections and 9001 for advertising incoming Tor connections. In the spirit of proxy-proofing my relay, I’d like to expose the directory and Tor connections on 80 and 443. I’ve spent hours trying to get my iptables config correct, but never successfully.
I’m running CentOS 6 with SELinux enabled. Swap and /tmp are encrypted. SSH is set to public key auth only and limited to a single user. Root login is disabled, as is X11 forwarding. No other services are active and log retainment is set to a short interval. It’s a dedicated box in a data center with a 100Mbit, unmetered networking connection. The box’s sole purpose in life is to be an exit node.
My current iptables looks like this:
# Generated by iptables-save v1.4.7 on Sat Oct 12 13:52:47 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9030 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j ACCEPT
COMMIT
I tried adding the following rules without success:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-ports 10091
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 443 -j REDIRECT --to-ports 10090
There was also a binding issue due to Tor being blocked from binding to 10091 and 10090, which I fixed with semanage port. But the logs still indicated that the ORPort and DirPort were not reachable from the outside.
I think I’m missing some other key iptables routing directives, but I can’t figure them out. I want 80 and 443 publicly exposed, but 10091 and 10090 to not be accessible from the internet.
I’ve read countless FAQs, how-tos, message board posts, Linux books, the Tor mailing lists, and the answer still eludes me. It’s maddening. If anyone can provide any assistance, I’d be greatly appreciative.
If I’m running the directory connections on port 80, should I still set up a vhost on the relay with the exit notice, or can I just point to it in the torrc file?
.cpj
Hi fellow operator :D
First of all, your iptables rule-set is useless because your default policy is to ACCEPT everything. I cannot believe that you read books about it and then post something like this.
Secondly, do not copy & paste from the i-net if you really do not know what you are doing!
So if I got that right, you want to advertise different ports than the default? This should be changed in /etc/tor/torrc. Look for lines that sound like this:
1.)
## Required: what port to advertise for incoming Tor connections.
#ORPort 9001
## If you want to listen on a port other than the one advertised in
## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as
## follows. You'll need to do ipchains or other port forwarding
## yourself to make this work.
#ORPort 443 NoListen
#ORPort 127.0.0.1:9090 NoAdvertise
and change it to ORPort 80
2.)
## Uncomment this to mirror directory information for others. Please do
## if you have enough bandwidth.
#DirPort 9030 # what port to advertise for directory connections
## If you want to listen on a port other than the one advertised in
## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as
## follows. below too. You'll need to do ipchains or other port
## forwarding yourself to make this work.
#DirPort 80 NoListen
#DirPort 127.0.0.1:9091 NoAdvertise
## Uncomment to return an arbitrary blob of html on your DirPort. Now you
## can explain what Tor is if anybody wonders why your IP address is
## contacting them. See contrib/tor-exit-notice.html in Tor's source
## distribution for a sample.
#DirPortFrontPage /etc/tor/tor-exit-notice.html
and change it to DirPort 443
3.) Post the script you are using to set the iptables rules, then we can modify it according to your needs.
Kind regards, elrippo.
On Sunday, 13 October 2013, 00:42:05, Tor Operator wrote:
.cpj
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On 2013-10-13 06:42, Tor Operator wrote:
My current iptables looks like this:
# Generated by iptables-save v1.4.7 on Sat Oct 12 13:52:47 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9030 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j ACCEPT
COMMIT
What are the real listening ports of Tor?
I tried adding the following rules without success:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-ports 10091
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 443 -j REDIRECT --to-ports 10090
These rules look ok, but if you use ports 10090/10091 you have to enable them too (not 9001/9030 like above):
iptables -A INPUT -p tcp -m tcp --dport 10090 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 10091 -j ACCEPT
Verify that Tor is listening on the desired port:
'netstat -plnt|grep tor'
Check your 'torrc' for the following lines:
ORPort 443
ORListenAddress 0.0.0.0:10090
DirPort 80
DirListenAddress 0.0.0.0:10091
And, like elrippo said, the iptables policy should be 'DROP':
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
Check it out: 'iptables -L -nv'.
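The pieces this thread converges on (NAT REDIRECT from the advertised ports, INPUT rules for the ports Tor really binds, a DROP policy), assembled into one iptables-restore ruleset as an added example that is not from any poster here. It also covers .cpj's requirement that 10090 and 10091 not be reachable directly from the internet: the INPUT rules match `--ctstate DNAT`, which only connections that passed through the REDIRECT carry. Assumptions: public interface eth0, SSH on 22, ORPort 443 bound to 10090 and DirPort 80 bound to 10091 as in the torrc lines above; OUTPUT is left at ACCEPT because an exit relay originates connections to arbitrary destinations.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables-restore ruleset for the
# setup discussed: public NIC eth0, SSH on 22, Tor bound to 10090 (ORPort,
# advertised as 443) and 10091 (DirPort, advertised as 80). Dry run by default;
# "--apply" pipes the result into iptables-restore (needs root).
set -eu

IFACE="${IFACE:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
OR_PUBLIC=443;  OR_LOCAL=10090
DIR_PUBLIC=80;  DIR_LOCAL=10091

gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the advertised ports to the ports Tor actually listens on.
-A PREROUTING -i $IFACE -p tcp --dport $OR_PUBLIC -j REDIRECT --to-ports $OR_LOCAL
-A PREROUTING -i $IFACE -p tcp --dport $DIR_PUBLIC -j REDIRECT --to-ports $DIR_LOCAL
COMMIT
*filter
# Default-deny inbound and forwarded traffic. OUTPUT stays ACCEPT because an
# exit relay must originate connections to arbitrary destinations.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
# Accept the Tor ports only for connections that arrived via the REDIRECT above:
# REDIRECT sets the DNAT conntrack state, so a client that connects straight to
# 10090/10091 never matches these rules and falls through to the DROP policy.
-A INPUT -i $IFACE -p tcp --dport $OR_LOCAL -m conntrack --ctstate DNAT -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport $DIR_LOCAL -m conntrack --ctstate DNAT -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

case "${1:-}" in
    --apply) gen_rules | iptables-restore ;;
    *)       gen_rules ;;
esac
```

Run it without arguments first and review the output; after `--apply`, `iptables -L -nv` and `iptables -t nat -L -nv` show per-rule counters, so a test connection to 443 should increment the REDIRECT rule and the DNAT-matched INPUT rule, while one aimed straight at 10090 ends in the REJECT rule.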