Blog indexRolling🥎blogPermalink

iptables, tor, hidden service

Jake Thoughts29 Mar 2021 07:07:47 -0400 *EDITED March 30 2021 (rephrase)

A short one, probably.

Iptables is fun tool to learn. But something that wasn't fun to learn was realizing certain information required a specific search phrase, in this case 'iptables tor hidden service'. Think of it: there are things I have wanted to know about but because I wasn't sure how to phrase the search or because I was unfamiliar with the lingo (and thus was completely unable to search for it albeit in vague terms) I had to pass on it or come up with my own idea on how to implement it. Sad!

Anyway, here is a* recipe for getting your hidden service to work with iptables:

iptables -A OUTPUT -j ACCEPT -m owner --uid-owner tor
iptables -A INPUT -p tcp --dport 9001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 9001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 9050 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 9050 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 9060 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 9060 -m conntrack --ctstate ESTABLISHED -j ACCEPT

In this set of instructions... port 9060 is the socks port that my hidden service is listening on. I've separated my relay from my hidden service because the relay hits the cap often. I'll just assume you know how to work out the rest on your own! :)


For more information: iptables tutorial, arch wiki, linux questions forum. * There are more than just one way to do something. If anyone knows what ports Tor actually binds to when going outbound please let me know.

Other thoughts

jake on 2021-04-04,15:24:00 said:

If you have an eepsite, it might be helpful to have: iptables -A OUTPUT -j ACCEPT -m owner --uid-owner ip2d Unfortunately there does not seem to be a way to add input, and thinking about it, how can there be?

slackcero on 2021-09-02,01:30:57 said:

There is no firewalling for the tor network. You need to check the way that you are accessing your tor services. ...You must access them via the tor network. You can do that from the same machine , or otherwise *provided* that that machine or otherwise are connected to the tor network. Peace.

Jake on 2021-09-02,03:47:13 said:

slackcero, I am now realizing that I left out important detail in this blog post where I was actually reject all incoming and outgoing connections and I had to specifically whitelist these. I'll make an edit to reflect this one day. Thanks for visiting! :)

Joker on 2021-12-30,17:10:03 said:

Have you looked into nftables? If anything, it has a simpler syntax than iptables.

Jake on 2021-12-30,20:33:36 said:

I havent' but I found that ufw is simpler than iptables. I really really like FreeBSD' PF (packet filter) that just makes sense to me


Be sure to submit your thoughts! Emoji Ledger (hover mouse over)!