iptables firewall rules for incoming Tor traffic on lubuntu 22.04 LTS

I have lubuntu 22.04 LTS with the Tor daemon and this torrc configuration

VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 9053

and these iptables rules

#exclude locals (note: 10.0.0.0/8 also covers the VirtualAddrNetwork 10.192.0.0/10 from torrc)
TOR_EXCLUDE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"

#tor uid
TOR_UID="debian-tor"

#tor transparent proxy port (TransPort)
TOR_PORT="9040"

#tor dns port (DNSPort)
TOR_DNS="9053"

iptables -F
iptables -X
iptables -t nat -F

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#set iptables nat: packets from the tor user leave the nat chain unchanged
iptables -t nat -A OUTPUT -m owner --uid-owner "$TOR_UID" -j RETURN
#set dns redirect
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports "$TOR_DNS"
iptables -t nat -A OUTPUT -p tcp --dport 53 -j REDIRECT --to-ports "$TOR_DNS"
#(never matched: the tor uid has already RETURNed from this chain above)
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner "$TOR_UID" -m udp --dport 53 -j REDIRECT --to-ports "$TOR_DNS"

#exclude locals: nat RETURN skips the Tor redirect, filter ACCEPT lets the packet out
for NET in $TOR_EXCLUDE 127.0.0.0/9 127.128.0.0/10; do
  iptables -t nat -A OUTPUT -d "$NET" -j RETURN
  iptables -A OUTPUT -d "$NET" -j ACCEPT
done

for NET in $TOR_EXCLUDE 127.0.0.0/8; do
  iptables -A OUTPUT -d "$NET" -j ACCEPT
done

# redirect all other output through tor (TransPort speaks TCP only; Tor does not carry UDP or ICMP)
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports "$TOR_PORT"
iptables -t nat -A OUTPUT -p udp -j REDIRECT --to-ports "$TOR_PORT"
# iptables rejects --to-ports for icmp (port redirection needs tcp/udp), so this rule cannot load
#iptables -t nat -A OUTPUT -p icmp -j REDIRECT --to-ports "$TOR_PORT"

# allow only tor output
iptables -A OUTPUT -m owner --uid-owner "$TOR_UID" -j ACCEPT

# accept already established connections
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

So the problem is with the last two rules

#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Neither rule has any effect, so inbound traffic cannot be accepted, except by lowering the default INPUT policy to accept everything, which is insecure.

I cannot really understand the problem or the solution.

And the #exclude locals part has me confused about those two loops.

Thanks
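Two checks a reviewer would run against the rule set above, as an added example that is not part of the question: the `-d NET -j RETURN` exclusions must not overlap the torrc `VirtualAddrNetwork` (10.0.0.0/8 swallows 10.192.0.0/10, so automapped .onion addresses would bypass TransPort), and with `-P INPUT DROP` the INPUT chain must accept loopback, because REDIRECT delivers the proxied connection to 127.0.0.1:9040 over `lo` as a NEW packet that an ESTABLISHED,RELATED rule alone does not match. The values are copied from the question; the function names are my own.

```python
"""Sanity checks for a Tor transparent-proxy iptables rule set (added example)."""
import ipaddress

# Values taken from the torrc and script in the question.
VIRTUAL_ADDR_NETWORK = "10.192.0.0/10"          # torrc VirtualAddrNetwork
TOR_EXCLUDE = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
LOOPBACK_EXCLUDE = ["127.0.0.0/9", "127.128.0.0/10"]


def overlapping_excludes(virtual_net, excludes):
    """Return every exclusion network that overlaps VirtualAddrNetwork.

    Tor answers .onion lookups (AutomapHostsOnResolve) with addresses from
    VirtualAddrNetwork; an overlapping '-d NET -j RETURN' rule in nat OUTPUT
    exempts those addresses from the TransPort redirect, so the connection
    goes to a bogus private address instead of into Tor.
    """
    vnet = ipaddress.ip_network(virtual_net)
    return [n for n in excludes if ipaddress.ip_network(n).overlaps(vnet)]


def input_rules():
    """Filter INPUT rules required once the policy is 'iptables -P INPUT DROP'.

    REDIRECT rewrites the destination to 127.0.0.1:TransPort and the packet
    re-enters through lo as a NEW connection, so loopback must be accepted
    explicitly; the conntrack rule then covers replies to Tor's own circuits.
    """
    return [
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]


def check_ruleset(virtual_net=VIRTUAL_ADDR_NETWORK, excludes=TOR_EXCLUDE):
    """Return human-readable findings; an empty list means the exclusions are safe."""
    return [f"exclusion {net} overlaps VirtualAddrNetwork {virtual_net}: "
            "automapped .onion addresses would bypass TransPort"
            for net in overlapping_excludes(virtual_net, excludes)]


if __name__ == "__main__":
    for finding in check_ruleset():
        print("WARNING:", finding)
    # The two loopback exclusions leave 127.192.0.0/10 (Tor's default
    # VirtualAddrNetwork) untouched, which is why they are split that way.
    print(overlapping_excludes("127.192.0.0/10", LOOPBACK_EXCLUDE))
    print("\n".join(input_rules()))
```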
