
Re: Yet another UDP / DNS question...



On Sun, 2011-02-13 at 15:41 +0100, tagnaq wrote:
> On 02/13/2011 03:20 PM, Tomasz Moskal wrote:
> > Do I have to use AutomapHostsOnResolve 1 as well? Seems to be
> > pointless without defining AutomapHostsSuffixes.
> 
> No, it is not pointless, because even if you do not use
> AutomapHostsSuffixes in your config, ".exit" and ".onion" are
> AutomapHostsSuffixes by default.
> 
> > One more question: will those rules route all UDP traffic to port 53
> > or just DNS requests? What will happen with UDP not relating to DNS?
> 
> The UDP rules in the LocalRedirectionThroughTor section:
> https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy#LocalRedirectionThroughTor
> 
> redirect only UDP packets with destination port 53 (usually DNS
> requests) to the DNSPort. All other outgoing UDP traffic is
> blocked/rejected with the last rule:
> iptables -A OUTPUT -j REJECT
> 
> The penultimate rule:
> iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
> would allow a program running with the $TOR_UID to send UDP traffic.
> 
> I would suggest adding -p tcp to that rule.
> 


OK, so to wrap it all up, a last (hopefully!) couple of questions...

iptables script/rules set:

#!/bin/sh

# the UID Tor runs as
TOR_UID="109"

iptables -F
iptables -t nat -F

# Redirects DNS traffic to the local port 53
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53

# Allow a program running with the $TOR_UID to send UDP traffic
iptables -A OUTPUT -p udp -m owner --uid-owner $TOR_UID -j ACCEPT

# Block/reject all outgoing UDP traffic
iptables -A OUTPUT -j REJECT


And for the questions:

On my machine Tor seems to have a different UID after each restart (at
least this is what "ps -A | grep -w tor" tells me). How can I force it
to always use the same UID? According to this thread
<http://ubuntuforums.org/showthread.php?t=800066a> I can't change it
when Tor is already running, so my guess is I should force it to use
the chosen UID before it even starts.

I couldn't find anything about "-m owner" in man iptables - should I
replace "owner" with my login, or is it there to match Tor through
--uid-owner $TOR_UID?

Will the last rule, blocking all outgoing UDP traffic, mean that
applications which depend on it won't work? I'm running Wireshark now
and by filtering it to show just UDP traffic I can see (among other
confusing things) that Dropbox is using UDP for "Dropbox LAN sync
Discovery Protocol". Am I correct in thinking that implementing the rule
in question means that Dropbox (and other UDP-dependent applications)
will stop working or have "crippled" functionality?

I probably should mention that I'm running Dropbox through "usewithtor" and
my torrc contains these two rules:
SocksPort 9050
SocksListenAddress 127.0.0.1

-- 
Tomasz Moskal <ramshackle.industries@xxxxxxxxx>
Encrypted mail preferred. Key ID: 2C323C82
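The following script is an added example for the rule set discussed in this thread; it is not from the thread's authors or from the Tor wiki page. It resolves the Tor UID from a user name with `id -u` (the UID belongs to the account and does not change between restarts, unlike the PID that `ps -A` prints), applies tagnaq's suggestion of `-p tcp` on the owner-match rule (`-m owner` is the iptables owner match extension; `iptables -m owner --help` lists its options, including `--uid-owner`), and prints the rules instead of applying them so they can be reviewed first. The user name `debian-tor` and the fallback UID 109 are assumptions taken from the thread's TOR_UID value; the DNSPort of 53 matches the thread's redirect rule.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the OUTPUT rules as text.
# Assumptions: Tor runs as the dedicated user in TOR_USER (debian-tor is a
# guess); DNSPort is 53 as in the thread's REDIRECT rule.

TOR_USER="${TOR_USER:-debian-tor}"

# Resolve a stable numeric UID from the account name. Falls back to the
# second argument when the account does not exist on this host, so the
# rules can still be generated for review.
tor_uid() {
    id -u "$1" 2>/dev/null || echo "$2"
}

# Print the rule set for a given UID. Order matters: the owner ACCEPT must
# precede the catch-all REJECT, and the REJECT is last. Only TCP is allowed
# for the Tor UID (tagnaq's -p tcp suggestion); everything else is rejected.
tor_rules() {
    uid="$1"
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -A OUTPUT -p tcp -m owner --uid-owner $uid -j ACCEPT
iptables -A OUTPUT -j REJECT
EOF
}

# Sanity check on a generated rule list: the last line must be the REJECT.
tor_rules_end_with_reject() {
    tail -n 1 | grep -q -- '-j REJECT$'
}

# Usage: review the output, then "tor_rules UID | sudo sh" to apply.
uid=$(tor_uid "$TOR_USER" 109)
tor_rules "$uid"
```

Output from `tor_rules` is plain iptables commands; pipe it into `sh` as root only after checking it. The `-F` lines flush existing chains, so anything else in OUTPUT is lost, which is why the review step is there.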

