Hi people. I'm new to Tor and I'm very interested in this project.
I'm now running a relay, only acting as a middleman (no exits). I would like to contribute more by having some services as an exit. However I'm concerned about security. The machine I'm running as a relay is a PC in my home. From it, I have access to my router's web interface. The problem if I act as an exit for port 80 would be that anyone can log into (or try to) my home router just by pointing to its IP address. Am I right?
I've thought about using iptables to block outgoing connections from the relay to my router using
iptables -A OUTPUT -d 192.168.15.1 -j DROP
Not sure that's the correct line to do that. It blocks ping requests but I can still access the web interface of my router from that PC. Can anyone help me here?
Thanks.
On Jul 4, 2011, at 9:19 PM, Tomas Sironi wrote:
Hi people. I'm new to Tor and I'm very interested in this project.
I'm now running a relay, only acting as a middleman (no exits). I would like to contribute more by having some services as an exit. However I'm concerned about security. The machine I'm running as a relay is a PC in my home. From it, I have access to my router's web interface. The problem if I act as an exit for port 80 would be that anyone can log into (or try to) my home router just by pointing to its IP address. Am I right?
If the router interface is publicly accessible from the (outside) internet, then yes. If it's only available on the LAN, then no. By default tor blocks access to local address space, and I believe this is only not the case if it is set up as an exit enclave. For example, both of my routers have the following restrictions, even though I did not specify them in my torrc:
reject 0.0.0.0/8:*
reject 169.254.0.0/16:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
reject 97.102.75.60:*
I've thought about using iptables to block outgoing connections from the relay to my router using
iptables -A OUTPUT -d 192.168.15.1 -j DROP
Not sure that's the correct line to do that. It blocks ping requests but I can still access the web interface of my router from that PC. Can anyone help me here?
I believe what you want is the following:
# /sbin/iptables -A OUTPUT -p tcp -d 192.168.15.1 --dport 80 -j DROP
# /sbin/service iptables save
Thanks for running an exit!
~Justin Aplin
No, my home router is only accessible from the LAN. So, if you are sure Tor really blocks the local address space, then I shouldn't need to use iptables. But I want to be sure first. I couldn't find anything about this in the online manual.
On Mon, Jul 4, 2011 at 11:31 PM, Justin Aplin japlin@gmail.com wrote:
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Tue, Jul 05, 2011 at 12:57:55AM -0300, Tomas Sironi wrote:
No, my home router is only accessible from the LAN. So, if you are sure Tor really blocks the local address space, then I shouldn't need to use iptables. But I want to be sure first. I couldn't find anything about this in the online manual.
Tor's default exit policy not only blocks "internal" address blocks (like 192.168.0.0/16), but it also blocks your public IP address by default too. See the ExitPolicyRejectPrivate line in your man page.
(You want to block the public IP address too, because when your relay tries to send traffic to the public IP address, your computer will actually route that traffic to the private version of the address.)
So the summary is that Tor has thought about exactly this issue and takes care of it for you automatically unless you disable the ExitPolicyRejectPrivate config option.
--Roger
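To check the point Justin and Roger make before relying on it, here is an added example (not from the thread and not Tor's own code) that evaluates a torrc-style exit policy the way Tor does, first matching line wins. The reject lines are the ones quoted above, with the relay's public address replaced by a constructed documentation-range placeholder, followed by an assumed web-only accept list.

```python
import ipaddress

# Constructed sample policy: the ExitPolicyRejectPrivate lines quoted in the
# thread (public IP replaced by a placeholder) plus an assumed web-only policy.
SAMPLE_POLICY = """
reject 0.0.0.0/8:*
reject 169.254.0.0/16:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
reject 203.0.113.7:*
accept *:80
accept *:443
reject *:*
"""

def parse_policy(text):
    """Turn 'accept|reject ADDR[/MASK]:PORT|LO-HI|*' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        action, pattern = line.split()
        addr, port = pattern.rsplit(":", 1)
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if port == "*":
            ports = (1, 65535)
        elif "-" in port:
            lo, hi = port.split("-")
            ports = (int(lo), int(hi))
        else:
            ports = (int(port), int(port))
        rules.append((action, net, ports))
    return rules

def exit_allows(rules, dest_ip, dest_port):
    """First matching rule decides, as in Tor; no match means reject."""
    ip = ipaddress.ip_address(dest_ip)
    for action, net, (lo, hi) in rules:
        if (net is None or ip in net) and lo <= dest_port <= hi:
            return action == "accept"
    return False

def private_space_rejected(rules, port=80):
    """Probe one address from each block ExitPolicyRejectPrivate covers."""
    probes = ["192.168.15.1", "10.0.0.1", "172.16.0.1", "127.0.0.1", "169.254.1.1"]
    return all(not exit_allows(rules, p, port) for p in probes)
```

Paste the policy your relay actually publishes (for example from its descriptor) into SAMPLE_POLICY to confirm the home router's address is rejected before any accept line.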
I'm new to Tor and I'm very interested in this project. The problem if I act as an exit for port 80... my home router
You are also likely to encounter problems with the copyright cartels, law enforcement at your door, etc. Be sure that your new interest includes reviewing and weighing those risks. The website and archives of this list can get you started.