
What is a list of host/port combinations to get the onion proxy (a.k.a. the Tor client) working securely?

This is about host/port combinations, not simply ports, as already described in the FAQ.

An example would be:

Tor needs to connect to localhost (127.0.0.1) at port 9150, and to a relay (made-up IP address 123.123.123.45) at port 9001.

So that, for example, iptables could be told:

iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport 9150 -m owner --uid-owner toruser -j ACCEPT
iptables -A OUTPUT -p tcp -d 123.123.123.45 --dport 9001 -m owner --uid-owner toruser -j ACCEPT

1 Answer


How to create a list

You can tell the firewall to log failed connections. For example, on Linux,

iptables -A OUTPUT -j LOG --log-prefix "OUTPUT: " --log-uid

as the last rule will log all dropped packets (with a DROP policy), including the UID of the process that sent them.

Then, you could block all outgoing connections by all users via (for iptables)

iptables -P OUTPUT DROP

then create port-based files, e.g. tor-80 containing all Tor connections (by that user) to port 80, and finally run

for i in $(cat tor-80); do
    iptables -I OUTPUT 3 -p tcp -d "$i" --dport 80 -m owner --uid-owner toruser -j ACCEPT
done

for each port-based file (the 3 in the above command has to be a position before your logging rule).

As you see more blocked attempts by that user, you can allow further host/port combinations; still, this got the bundle to work several times in a row without alteration on separate days. This stability is to be expected, as the guard nodes should be chosen by availability (among other criteria).

A better approach might be to get a list of all relays as hinted in this SO answer, filtering by guard and directory and adding all of these.

Feel welcome to post if you know how.

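As an added example (not part of the original answer), the following POSIX shell script automates the list-building step described above: it parses the kernel log lines that the LOG rule writes, keeps only dropped new TCP connections (SYN) sent by the chosen UID, de-duplicates destination/port pairs and prints the matching ACCEPT rules. The sample log lines, IP addresses, hostname and UIDs are constructed for illustration; the field layout (including the UID=/GID= fields that --log-uid adds) is the standard iptables LOG format. The function names blocked_tcp_pairs and allow_rules and the rule position 3 are the example's own choices.

```shell
#!/bin/sh
# Build an allowlist of host/port combinations from iptables LOG output.
# Constructed sample (not a real capture) of what the kernel log contains after
#   iptables -A OUTPUT -j LOG --log-prefix "OUTPUT: " --log-uid
#   iptables -P OUTPUT DROP
# UID 1001 plays the Tor user; UID 1000 is some other user whose traffic
# must not end up in the Tor allowlist. Addresses are documentation ranges.
SAMPLE_LOG='Mar  1 12:00:01 box kernel: OUTPUT: IN= OUT=eth0 SRC=192.0.2.10 DST=123.123.123.45 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=9001 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Mar  1 12:00:02 box kernel: OUTPUT: IN= OUT=eth0 SRC=192.0.2.10 DST=123.123.123.45 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=9001 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Mar  1 12:00:03 box kernel: OUTPUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40002 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Mar  1 12:00:04 box kernel: OUTPUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Mar  1 12:00:05 box kernel: OUTPUT: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=40004 DPT=53 LEN=56 UID=1001 GID=1001'

# blocked_tcp_pairs UID
# Reads LOG lines on stdin and prints each distinct "DST DPT" pair for which a
# new TCP connection (SYN set) from the given numeric UID was dropped.
# Retransmitted SYNs and non-TCP traffic (e.g. the UDP line above) are ignored.
blocked_tcp_pairs() {
    awk -v want_uid="$1" '
        /OUTPUT: / {
            dst = ""; dpt = ""; proto = ""; uid = ""; syn = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DST=/)        dst = substr($i, 5)
                else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^UID=/)   uid = substr($i, 5)
                else if ($i == "SYN")    syn = 1
            }
            if (proto == "TCP" && syn && uid == want_uid && dst != "" && dpt != "") {
                key = dst " " dpt
                if (!(key in seen)) { seen[key] = 1; print key }
            }
        }'
}

# allow_rules UID USERNAME [POSITION]
# Turns the pairs into per-host, per-port ACCEPT rules restricted to that user,
# inserted (like the answer does) at a position before the logging rule.
# The rules are printed, not executed, so they can be reviewed first.
allow_rules() {
    pos="${3:-3}"
    blocked_tcp_pairs "$1" | while read -r dst dpt; do
        printf 'iptables -I OUTPUT %s -p tcp -d %s --dport %s -m owner --uid-owner %s -j ACCEPT\n' \
            "$pos" "$dst" "$dpt" "$2"
    done
}

# Demonstration on the constructed sample: prints two rules, one per
# destination the Tor user (UID 1001) was blocked from reaching.
printf '%s\n' "$SAMPLE_LOG" | allow_rules 1001 toruser
```

On a live system, feed the function the kernel log (e.g. the output of dmesg or journalctl -k filtered for the "OUTPUT: " prefix) instead of SAMPLE_LOG, and replace 1001 with the real UID of the Tor user. Because the script only reports what was already dropped, a fresh destination chosen by Tor still has to fail once before it shows up, which is the same iterative behaviour the answer describes.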