Topic solved

routing all system traffic through tor with iptables

I'm trying to route all my system's traffic through Tor using the ArchWiki guide. So I created a ~/.torrc file containing this:
Code:
# Listeners that the iptables REDIRECT rules below send traffic to:
# DNSPort takes the UDP port-53 queries, TransPort the TCP connections
SOCKSPort 9050
DNSPort 5353
TransPort 9040
and changed my default iptables rules in the /etc/iptables/ directory (both iptables.rules and ip6tables.rules):

Code:
# Shared rules file: lines tagged --ipv4/--ipv6 are applied only by the matching
# iptables-restore/ip6tables-restore; untagged lines apply to both families.
*nat
:PREROUTING ACCEPT [6:2126]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [17:6239]
:POSTROUTING ACCEPT [6:408]

# Traffic from other hosts (anything not on loopback): DNS goes to Tor's DNSPort,
# new TCP connections (SYN only) to Tor's TransPort
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
# Locally generated traffic: leave loopback, the LAN and Tor's own connections
# alone, redirect everything else into Tor
-A OUTPUT -o lo -j RETURN
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

-A INPUT -i lo -j ACCEPT
# "-p icmp" is protocol 1 and never matches an IPv6 packet; ICMPv6 (neighbour
# discovery included) needs its own rule or IPv6 stops working under a DROP policy
--ipv4 -A INPUT -p icmp -j ACCEPT
--ipv6 -A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
--ipv6 -A INPUT -j REJECT
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
# ::1/128 is the loopback address; ::1/8 would match the whole ::/8 block
--ipv6 -A OUTPUT -d ::1/128 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
# Everything else, outbound ICMP (ping) and non-redirected UDP included, is
# rejected: only the tor user may talk to the network directly
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
--ipv6 -A OUTPUT -j REJECT
COMMIT
I ran these commands (no errors):
Code:
iptables-restore /etc/iptables/iptables.rules
ip6tables-restore /etc/iptables/ip6tables.rules
But after a reboot I cannot ping any website and have no internet connection (4.2.2.4 and 8.8.8.8 are unreachable). Am I missing something here?
I run artix-runit, and the tor, iptables, and ip6tables services are enabled.
On my other system, with Arch Linux, I use archtorify for this purpose, but it doesn't work on Artix. I also used orjail for a while (running sudo orjail APPLICATION in the terminal), but since a couple of days ago it has stopped working and I get timeout errors when using it.
I can connect with tor-browser.
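An added check, not part of the post above and not from the ArchWiki guide it follows: a small script that cross-checks the torrc against the nat rules. The REDIRECT targets (--to-ports 5353 and 9040) only work if Tor really has a DNSPort and a TransPort bound to those numbers, and ping cannot serve as the test here, since Tor carries only TCP and the filter OUTPUT chain rejects everything else. The sample torrc and rules embedded in the script are constructed copies of the ones posted; the default paths /etc/tor/torrc and /etc/iptables/iptables.rules, and the use of ss and curl in --live mode, are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ArchWiki: cross-check a
# transparent-torification setup. Offline: every port the nat rules REDIRECT
# to must be a port Tor listens on per torrc, otherwise redirected connections
# hit a closed port and are refused. Live (--live): confirm the listeners exist
# and make a TCP request through the proxy. Paths are assumptions; override
# them with TORRC and RULES in the environment.

# Constructed sample inputs (mirroring the post) so the checks run offline.
SAMPLE_TORRC='SOCKSPort 9050
DNSPort 5353
TransPort 9040'

SAMPLE_RULES='*nat
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT'

# Ports Tor accepts redirected traffic on: the port part of every
# TransPort/DNSPort line ("9040", "127.0.0.1:9040" and "[::1]:9040" all work).
tor_listen_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "TransPort" || $1 == "DNSPort" { sub(/^.*:/, "", $2); print $2 }' | sort -u
}

# Ports the nat rules REDIRECT traffic to (the value after --to-ports).
redirect_ports() {
    printf '%s\n' "$1" | awk '
        /-j REDIRECT/ { for (i = 1; i <= NF; i++) if ($i == "--to-ports") print $(i + 1) }' | sort -u
}

# Exit 0 when every REDIRECT target has a Tor listener; otherwise list the
# orphaned ports on stderr and exit 1.
check_ports() {
    listeners=" $(tor_listen_ports "$1" | tr '\n' ' ')"
    orphans=""
    for p in $(redirect_ports "$2"); do
        case "$listeners" in
            *" $p "*) ;;
            *) orphans="$orphans $p" ;;
        esac
    done
    if [ -n "$orphans" ]; then
        echo "REDIRECT targets with no Tor listener:$orphans" >&2
        return 1
    fi
    return 0
}

# Live checks against the running system. Tor carries TCP only, so ping (ICMP)
# is rejected by the filter OUTPUT chain and proves nothing; an HTTP request
# that reaches the Tor Project's checker is the real test.
live_check() {
    torrc=$(cat "${TORRC:-/etc/tor/torrc}")
    rules=$(cat "${RULES:-/etc/iptables/iptables.rules}")
    check_ports "$torrc" "$rules" || return 1
    for p in $(tor_listen_ports "$torrc"); do
        ss -Hltnu "sport = :$p" | grep -q . || { echo "nothing listening on port $p" >&2; return 1; }
    done
    # Expected reply: {"IsTor":true,"IP":"<exit node address>"}
    curl -s https://check.torproject.org/api/ip
}

case "${1:-}" in
    --live) live_check ;;
    *) check_ports "$SAMPLE_TORRC" "$SAMPLE_RULES" && echo "sample torrc and rules agree" ;;
esac
```

Run it with no arguments to check the embedded samples, or with --live on the box itself (TORRC=... RULES=... to point it at other files); a non-zero exit names the port that Tor is not listening on.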

Re: routing all system traffic through tor with iptables

Reply #1
Check whether you are using the nftables backend:
Code:
iptables -V
iptables v1.8.8 (nf_tables)
and if so, remove nftables and replace it with plain iptables.

If that doesn't fix it, these iptables commands look simple enough to convert to nftables; you'll just have to pad a few more commands at the beginning, but it should take less than half an hour to get them to work. I had some strange bugs with legacy xtables myself these last few months, so it's worth trying too.
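Since the reply suggests converting the rules to nftables, here is one translation, added as an example and not posted by anyone in the thread: the same policy as the iptables rules above in a single inet table, wrapped in a shell script so it can be printed, syntax-checked or loaded. It assumes, as the post does, that Tor runs as the user tor with TransPort 9040 and DNSPort 5353; the table name torify and the script's option names are made up here. The leading flush ruleset clears every existing table, so merge by hand if the box already carries other nftables rules.

```shell
#!/bin/sh
# Added example, not the thread's own rules: the posted iptables policy
# rewritten as one nftables ruleset. A single "inet" table replaces the
# --ipv4/--ipv6 split; family-specific matches use ip / ip6 / meta nfproto.
# Assumed as in the post: Tor runs as user "tor", TransPort 9040, DNSPort 5353.
# "flush ruleset" clears every existing table first. Usage (as root):
#   ./tor-nft.sh --check   syntax-check only
#   ./tor-nft.sh --apply   load the ruleset

nft_ruleset() {
cat <<'EOF'
flush ruleset

table inet torify {
    # nat: steer DNS and new TCP connections into Tor's listeners
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # clients behind this box (anything not arriving on loopback)
        iifname != "lo" udp dport 53 redirect to :5353
        iifname != "lo" tcp flags & (fin|syn|rst|ack) == syn redirect to :9040
    }
    chain output_nat {
        type nat hook output priority -100; policy accept;
        oifname "lo" return
        ip daddr 192.168.0.0/16 return
        meta skuid tor return
        udp dport 53 redirect to :5353
        tcp flags & (fin|syn|rst|ack) == syn redirect to :9040
    }

    # filter: default deny both ways; only loopback, the LAN, replies to
    # existing connections and Tor's own process get through
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
        ct state related,established accept
        ip protocol tcp reject with tcp reset
        ip protocol udp reject with icmp type port-unreachable
        meta nfproto ipv4 reject with icmp type prot-unreachable
        meta nfproto ipv6 reject
    }
    chain output {
        type filter hook output priority filter; policy drop;
        ip daddr 127.0.0.0/8 accept
        ip daddr 192.168.0.0/16 accept
        ip6 daddr ::1 accept
        ct state related,established accept
        meta skuid tor accept
        # everything else, ping included: only Tor may reach the network directly
        meta nfproto ipv4 reject with icmp type port-unreachable
        meta nfproto ipv6 reject
    }
}
EOF
}

# Number of REDIRECT rules in the ruleset (two for DNS, two for TCP).
redirect_count() {
    nft_ruleset | grep -c 'redirect to :'
}

case "${1:-}" in
    --apply) nft_ruleset | nft -f - ;;
    --check) nft_ruleset | nft -c -f - ;;
    *) nft_ruleset ;;
esac
```

The two nat chains mirror the PREROUTING and OUTPUT chains of the *nat table, the two filter chains the *filter table; meta skuid tor is the nftables form of -m owner --uid-owner "tor", and the SYN-only match keeps only the first packet of each connection going through the redirect, exactly as --tcp-flags FIN,SYN,RST,ACK SYN did.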

 

Re: routing all system traffic through tor with iptables

Reply #2
Right now it's just legacy iptables:
Code:
iptables -V
iptables v1.8.8 (legacy)

OK, I'll try nftables.