Setup iptables to drop non tor/vpn packets while using Air over Tor?

The setup is: Air over TBB (Tor browser bundle)

(Running TBB First, then airvpn over Tor)


Is it possible to setup iptables in a way to drop any non vpn packets when connected Air over Tor?

Or maybe drop any non tor & vpn packets?


You might want to drop all non Tor traffic on your main eth0 interface, or force anything that is trying to "escape" still go via Tor.

Then when you get tun0 up, you don't need to worry about non-vpn traffic if you set it up as your default gateway.



cat > /etc/iptables/iptables.rules << __IPTABLES__
-A PREROUTING -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A PREROUTING -i eth0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053

:OUTPUT ACCEPT [64:3712]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9050 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 9053 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

Sorry i forgot to mention i'm using debian wheezy. I'm having trouble setting up the iptables from above in a bash script file.


i tried setting it up like this:



iptables --flush


iptables -A PREROUTING -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
iptables -A PREROUTING -i eth0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053


iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 9050 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 9040 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m udp --dport 9053 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable


when the script is run it returns 'iptables: No chain/target/match by that name.'

any suggestions? thanks for your reply btw

