
Just wondering: I am using Debian, and I am wondering if I can make iptables (or an easier-to-use firewall) drop all traffic except what I allow, with the allowed traffic (including DNS) going through Tor. Can this be done?

I don't want to use Tails because I need certain apps saved on the system and I am not into re-downloading them all over again; I can't use Whonix due to hardware limitations (and Qubes doesn't support my wireless drivers).

I did try the tutorial on TorProject, but the way they write their tutorials is way too confusing for me (I am a visual learner, haha O.o).

fgsrgg

1 Answer


First, install ferm by running sudo apt-get install ferm.

Use Tails' ferm.conf as a base, removing Tails' restrictions on localhost connections (you can add these back if required, but a lot of them are based around Tails-specific accounts which won't exist on your stock Debian). You'd then create a ruleset like this:

domain ip {
    table filter {
        chain INPUT {
            policy DROP;
            mod state state (ESTABLISHED) ACCEPT;
            interface lo ACCEPT;
        }
        chain OUTPUT {
            policy DROP;
            mod state state (ESTABLISHED) ACCEPT;
            outerface lo ACCEPT;
            daddr (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) @subchain "lan" {
                proto tcp dport domain REJECT;
                proto udp dport domain REJECT;
                ACCEPT;
            }
            mod owner uid-owner debian-tor {
                proto tcp syn mod state state (NEW) ACCEPT;
            }
            LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
            REJECT reject-with icmp-port-unreachable;
        }
        chain FORWARD {
            policy DROP;
        }
    }
    table nat {
        chain PREROUTING {
            policy ACCEPT;
        }
        chain POSTROUTING {
            policy ACCEPT;
        }
        chain OUTPUT {
            policy ACCEPT;
            daddr 127.192.0.0/10 proto tcp REDIRECT to-ports 9040;
            daddr 127.0.0.1 proto udp dport 53 REDIRECT to-ports 5353;
        }
    }
}
domain ip6 {
    table filter {
        chain INPUT {
            policy DROP;
            interface lo ACCEPT;
        }
        chain FORWARD {
            policy DROP;
        }
        chain OUTPUT {
            policy DROP;
            outerface lo ACCEPT;
            LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
            REJECT reject-with icmp6-port-unreachable;
        }
    }
}

Save this file to /etc/ferm/ferm.conf, then issue sudo service ferm restart.

You may also wish to review the LAN OUTPUT section and further restrict this down to just DHCP traffic, for example from this:

            daddr (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) @subchain "lan" {
                proto tcp dport domain REJECT;
                proto udp dport domain REJECT;
                ACCEPT;
            }

to this:

            daddr (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) @subchain "lan" {
                proto udp dport 67 sport 68 ACCEPT;
            }
cacahuatl
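A ruleset like this is easiest to reason about as first-match evaluation over a handful of packets. What follows is an added example, not code from the answer above nor from ferm, iptables or Tor: a Python model of the IPv4 filter OUTPUT and nat OUTPUT chains of the ruleset, run over constructed sample packets (the user name alice, the 203.0.113.0/24 documentation addresses and the 192.168.1.x LAN hosts are made up). It takes a flag for the DHCP-only LAN variant at the end of the answer, so both forms of the LAN subchain can be compared on the same packets.

```python
import ipaddress
from dataclasses import dataclass, replace

# Added example, not part of the answer or of ferm/iptables: a first-match
# model of the ruleset's IPv4 filter OUTPUT and nat OUTPUT chains, evaluated
# over constructed packets so the policy's behaviour can be checked on paper.

LAN = [ipaddress.ip_network(n)
       for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TOR_VIRTUAL = ipaddress.ip_network("127.192.0.0/10")  # daddr the nat rule sends to 9040
LOOPBACK = ipaddress.ip_address("127.0.0.1")
TOR_UID = "debian-tor"                                # uid-owner in the ruleset


@dataclass
class Packet:
    uid: str            # owner of the sending socket (mod owner uid-owner)
    proto: str          # "tcp" or "udp"
    daddr: str
    dport: int
    sport: int = 40000
    state: str = "NEW"  # conntrack state: "NEW" or "ESTABLISHED"
    syn: bool = True    # TCP SYN flag; ignored for udp
    oif: str = "eth0"   # outgoing interface chosen by routing


def nat_output(pkt):
    """nat OUTPUT chain: REDIRECT rewrites the destination to 127.0.0.1 and the given port."""
    dst = ipaddress.ip_address(pkt.daddr)
    if pkt.proto == "tcp" and dst in TOR_VIRTUAL:
        return replace(pkt, daddr="127.0.0.1", dport=9040)   # REDIRECT to-ports 9040
    if pkt.proto == "udp" and dst == LOOPBACK and pkt.dport == 53:
        return replace(pkt, dport=5353)                      # REDIRECT to-ports 5353
    return pkt


def filter_output(pkt, lan_dhcp_only=False):
    """filter OUTPUT chain in the ruleset's order; the first matching rule decides."""
    if pkt.state == "ESTABLISHED":
        return "ACCEPT"                  # mod state state (ESTABLISHED) ACCEPT
    if pkt.oif == "lo":
        return "ACCEPT"                  # outerface lo ACCEPT
    dst = ipaddress.ip_address(pkt.daddr)
    if any(dst in net for net in LAN):   # @subchain "lan"
        if lan_dhcp_only:
            # DHCP-only variant: anything that is not client->server DHCP falls
            # out of the subchain and continues down the OUTPUT chain
            if pkt.proto == "udp" and pkt.dport == 67 and pkt.sport == 68:
                return "ACCEPT"
        else:
            if pkt.dport == 53:
                return "REJECT"          # proto tcp/udp dport domain REJECT
            return "ACCEPT"              # everything else to the LAN is allowed
    if pkt.uid == TOR_UID and pkt.proto == "tcp" and pkt.syn and pkt.state == "NEW":
        return "ACCEPT"                  # mod owner uid-owner debian-tor { proto tcp syn ... }
    return "REJECT"                      # LOG ...; REJECT reject-with icmp-port-unreachable


def verdict(pkt, lan_dhcp_only=False):
    """Locally generated packets traverse nat OUTPUT, get re-routed, then hit filter OUTPUT."""
    rewritten = nat_output(pkt)
    if ipaddress.ip_address(rewritten.daddr).is_loopback:
        rewritten = replace(rewritten, oif="lo")   # a redirected packet leaves via lo
    return filter_output(rewritten, lan_dhcp_only), rewritten.daddr, rewritten.dport


# Constructed sample packets (names, addresses and ports are made up).
SAMPLES = {
    "user_https_to_internet": Packet("alice", "tcp", "203.0.113.5", 443),
    "user_established_reply": Packet("alice", "tcp", "203.0.113.5", 443, state="ESTABLISHED"),
    "user_dns_to_public_resolver": Packet("alice", "udp", "203.0.113.53", 53),
    "user_dns_via_localhost": Packet("alice", "udp", "127.0.0.1", 53),
    "user_onion_via_automap": Packet("alice", "tcp", "127.192.0.7", 80),
    "user_socks_to_tor": Packet("alice", "tcp", "127.0.0.1", 9050),
    "tor_to_relay": Packet("debian-tor", "tcp", "203.0.113.9", 9001),
    "tor_udp": Packet("debian-tor", "udp", "203.0.113.9", 123),
    "user_lan_dns": Packet("alice", "udp", "192.168.1.1", 53),
    "user_lan_ssh": Packet("alice", "tcp", "192.168.1.10", 22),
    "dhcp_renew": Packet("root", "udp", "192.168.1.1", 67, sport=68),
}


def run_samples(lan_dhcp_only=False):
    """Return {name: (verdict, final daddr, final dport)} for every sample packet."""
    return {name: verdict(pkt, lan_dhcp_only) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for variant in (False, True):
        print("LAN subchain:", "DHCP only" if variant else "as in the ruleset")
        for name, (action, daddr, dport) in run_samples(variant).items():
            print(f"  {name:30} {action:7} -> {daddr}:{dport}")
```

Two things the model makes visible. DNS only reaches Tor when the query is addressed to 127.0.0.1, so /etc/resolv.conf needs nameserver 127.0.0.1; a query sent to any other resolver, on the LAN or the Internet, is rejected rather than leaked. And the REDIRECT targets presuppose that tor is actually listening there, i.e. torrc carries TransPort 9040 and DNSPort 5353 (127.192.0.0/10 is Tor's default VirtualAddrNetworkIPv4, which only gets used with AutomapHostsOnResolve enabled); without that, the traffic is simply dropped, which is the fail-closed behaviour you want but also why "nothing works" after a restart usually means a torrc problem rather than a firewall one.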