A short one, probably.
Iptables is fun tool to learn. But something that wasn't fun to learn was realizing certain information required a specific search phrase, in this case 'iptables tor hidden service'. Think of it: there are things I have wanted to know about but because I wasn't sure how to phrase the search or because I was unfamiliar with the lingo (and thus was completely unable to search for it albeit in vague terms) I had to pass on it or come up with my own idea on how to implement it. Sad!
Anyway, here is a* recipe for getting your hidden service to work with iptables:
iptables -A OUTPUT -j ACCEPT -m owner --uid-owner tor iptables -A INPUT -p tcp --dport 9001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 9001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp --dport 9050 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 9050 -m conntrack --ctstate ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp --dport 9060 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 9060 -m conntrack --ctstate ESTABLISHED -j ACCEPT
In this set of instructions... port 9060 is the socks port that my hidden service is listening on. I've separated my relay from my hidden service because the relay hits the cap often. I'll just assume you know how to work out the rest on your own! :)
jake on 2021-04-04,15:24:00 said:
If you have an eepsite, it might be helpful to have: iptables -A OUTPUT -j ACCEPT -m owner --uid-owner ip2d Unfortunately there does not seem to be a way to add input, and thinking about it, how can there be?slackcero on 2021-09-02,01:30:57 said:
There is no firewalling for the tor network. You need to check the way that you are accessing your tor services. ...You must access them via the tor network. You can do that from the same machine , or otherwise *provided* that that machine or otherwise are connected to the tor network. Peace.Jake on 2021-09-02,03:47:13 said:
slackcero, I am now realizing that I left out important detail in this blog post where I was actually reject all incoming and outgoing connections and I had to specifically whitelist these. I'll make an edit to reflect this one day. Thanks for visiting! :)Joker on 2021-12-30,17:10:03 said:
Have you looked into nftables? If anything, it has a simpler syntax than iptables.Jake on 2021-12-30,20:33:36 said:
I havent' but I found that ufw is simpler than iptables. I really really like FreeBSD' PF (packet filter) that just makes sense to me
Be sure to submit your thoughts! Emoji Ledger (hover mouse over)!