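#!/bin/bash
#
# Transparent-proxy firewall for Tor.
#
# Every TCP connection and every DNS query originating from a process that
# is not the Tor daemon is redirected into Tor's TransPort / DNSPort via the
# nat table; anything that escapes the redirect is logged and dropped in the
# filter table. Must be run as root.
#
# Environment:
#   NETWORK_USER_ID - UID that is allowed to send directly from the filter
#                     table (default 1000, matching the original script).
#
# The original script chained every rule with `|| exit`; strict mode gives
# the same abort-on-first-failure behaviour for every command below.
set -euo pipefail

readonly IPTABLES=/sbin/iptables
# Tor's TransPort and DNSPort. These must agree with torrc.
readonly TOR_TRANS_PORT=9040
readonly TOR_DNS_PORT=5300
readonly NETWORK_USER_ID="${NETWORK_USER_ID:-1000}"

die() { printf '%s\n' "$*" >&2; exit 1; }

# Resolve the Tor daemon's UID up front: an empty value would make every
# `--uid-owner` rule below fail (or, worse, silently match nothing).
TOR_UID=$(id -u debian-tor) || die "cannot resolve uid of debian-tor"
[[ -n "$TOR_UID" ]] || die "empty uid for debian-tor"
readonly TOR_UID

# Clear existing rules.
# NOTE(review): flushing leaves the chains at their current policy until the
# final DROP rules are appended, so there is a brief window with no
# filtering; setting `-P OUTPUT DROP` / `-P INPUT DROP` before the flush
# would close it, at the cost of dropping everything if this script aborts.
"$IPTABLES" -F INPUT
"$IPTABLES" -F OUTPUT
"$IPTABLES" -t nat -F

## Transproxy rules for Tor.
# TCP from anyone but Tor itself (and not already destined for loopback)
# goes to the TransPort; DNS queries go to the DNSPort.
"$IPTABLES" -t nat -A OUTPUT ! -d 127.0.0.1 -m owner ! --uid-owner "$TOR_UID" \
  -p tcp -j REDIRECT --to-ports "$TOR_TRANS_PORT"
"$IPTABLES" -t nat -A OUTPUT -p udp -m owner ! --uid-owner "$TOR_UID" \
  -m udp --dport 53 -j REDIRECT --to-ports "$TOR_DNS_PORT"

# First rules in OUTPUT chain: log and drop anything the connection tracker
# cannot account for, plus bare ACK,FIN / ACK,RST segments leaving a
# non-loopback interface (tear-down packets that bypassed the redirect).
#"$IPTABLES" -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "Transproxy ctstate leak blocked: " --log-uid
"$IPTABLES" -A OUTPUT -m conntrack --ctstate INVALID -j DROP
"$IPTABLES" -A OUTPUT -m state --state INVALID -j LOG \
  --log-prefix "Transproxy state leak blocked: " --log-uid
"$IPTABLES" -A OUTPUT -m state --state INVALID -j DROP
for flags in ACK,FIN ACK,RST; do
  "$IPTABLES" -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp \
    --tcp-flags "$flags" "$flags" -j LOG \
    --log-prefix "Transproxy leak blocked: " --log-uid
done
for flags in ACK,FIN ACK,RST; do
  "$IPTABLES" -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp \
    --tcp-flags "$flags" "$flags" -j DROP
done

# Allow Tor and the network user; everything else is logged and dropped.
"$IPTABLES" -A OUTPUT -m owner --uid-owner "$TOR_UID" -j ACCEPT
"$IPTABLES" -A OUTPUT -m owner --uid-owner "$NETWORK_USER_ID" -j ACCEPT
# The original appended this LOG rule to INPUT, so outbound drops were
# never logged and every inbound packet was; it belongs on OUTPUT.
"$IPTABLES" -A OUTPUT -j LOG --log-prefix "OUTPUT DROPPED: " --log-uid
"$IPTABLES" -A OUTPUT -j DROP

# Create INPUT firewall. Allow established connections and transproxy.
"$IPTABLES" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
"$IPTABLES" -A INPUT -i lo -j ACCEPT
# Transproxy output comes from lo.
"$IPTABLES" -A INPUT -d 127.0.0.1 -p udp -m udp --dport "$TOR_DNS_PORT" -j ACCEPT
"$IPTABLES" -A INPUT -j LOG --log-prefix "INPUT DROPPED: " --log-uid
"$IPTABLES" -A INPUT -j DROP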