userr1980

Set up iptables to drop non-Tor/VPN packets while using Air over Tor?


The setup is: Air over TBB (Tor browser bundle)

(Running TBB First, then airvpn over Tor)

 

Is it possible to set up iptables in a way to drop any non-VPN packets when connected to Air over Tor?

Or maybe drop any non-Tor & VPN packets?

 


You might want to drop all non-Tor traffic on your main eth0 interface, or force anything that is trying to "escape" to still go via Tor.

Then when you get tun0 up, you don't need to worry about non-VPN traffic if you set it up as your default gateway.

 

 

cat > /etc/iptables/iptables.rules << __IPTABLES__
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A PREROUTING -i eth0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [64:3712]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9050 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 9053 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
__IPTABLES__


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


Sorry, I forgot to mention I'm using Debian Wheezy. I'm having trouble setting up the iptables rules from above in a bash script file.

I tried setting it up like this:

#!/bin/bash

iptables --flush

#nat

iptables -A PREROUTING -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
iptables -A PREROUTING -i eth0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053

#filter

iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 9050 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 9040 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m udp --dport 9053 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable

 

When the script is run it returns 'iptables: No chain/target/match by that name.'

Any suggestions? Thanks for your reply, btw.
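A corrected way to script this, added here as an example and not code from either post: the REDIRECT rules belong in the nat table (the filter table, which plain `iptables -A` uses, has neither a PREROUTING chain nor a REDIRECT target, which is what "No chain/target/match by that name" reports), and an OUTPUT chain with a DROP policy lets only lo, tun0 and the Tor daemon's own uid send packets, so nothing leaks over eth0 whether tun0 is up or down. The interface names eth0/tun0, the dedicated Tor uid debian-tor (a system Tor daemon, not TBB's bundled tor, which runs as the login user) and the generator-function layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore ruleset
# that (1) puts the REDIRECT rules in the nat table, where PREROUTING and
# REDIRECT exist, and (2) adds an OUTPUT kill switch for "Air over Tor".
# Assumptions: uplink is eth0, VPN interface is tun0, and a system Tor
# daemon runs as the dedicated uid debian-tor (TBB's bundled tor does not).
TOR_UID=${TOR_UID:-debian-tor}
WAN_IF=${WAN_IF:-eth0}
VPN_IF=${VPN_IF:-tun0}

gen_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --syn -j REDIRECT --to-ports 9040
-A PREROUTING -i $WAN_IF -p udp --dport 53 -j REDIRECT --to-ports 9053
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 9040 -j ACCEPT
-A INPUT -i $WAN_IF -p udp --dport 9053 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $VPN_IF -j ACCEPT
-A OUTPUT -o $WAN_IF -m owner --uid-owner $TOR_UID -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "LEAK-BLOCKED: "
COMMIT
EOF
}
# Apply as root with:  gen_rules | iptables-restore
# OpenVPN reaches Tor's SOCKS port over lo, Tor's own circuits leave eth0 as
# debian-tor, and anything else that reaches the LOG rule is a would-be leak
# that then falls through to the OUTPUT DROP policy.

# Count rules matching a regex inside one table of the generated ruleset.
rules_in_table() {  # $1 = table name, $2 = regex
  gen_rules | awk -v t="*$1" -v p="$2" \
    '$0 == t { active = 1; next }
     /^COMMIT/ { active = 0 }
     active && $0 ~ p { n++ }
     END { print n + 0 }'
}
```

Check the result before loading it with `rules_in_table nat REDIRECT` (expects 2) and `rules_in_table filter REDIRECT` (expects 0); a REDIRECT rule in the filter table is the exact mistake the script above makes.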
