# Generated by iptables-save v1.4.14 on Tue Sep 15 22:13:58 2015
# Transparent Tor gateway, nat table: client TCP and UDP/53 arriving on wlan0
# is redirected to local ports (9040 = Tor TransPort, 53 = local resolver);
# anything NOT redirected here is forwarded and masqueraded out of eth0.
*nat
:PREROUTING ACCEPT [316:42846]
:INPUT ACCEPT [249:14842]
:OUTPUT ACCEPT [73:5772]
:POSTROUTING ACCEPT [8:1297]
# Do not torify client TCP traffic to the local networks: it leaves the nat
# chain here and is forwarded (and masqueraded on eth0) instead. Only TCP is
# exempted; non-TCP traffic is never matched by the redirect rules below anyway.
-A PREROUTING -i wlan0 -p tcp -d 192.168.0.0/24 -j RETURN
-A PREROUTING -i wlan0 -p tcp -d 192.168.12.0/24 -j RETURN
-A PREROUTING -i wlan0 -p tcp -d 127.0.0.1 -j RETURN
# Redirect every other client TCP connection through Tor's TransPort, matching
# on the initial SYN only (the nat table sees just the first packet of a
# connection; conntrack carries the redirect for the rest). Ports 135/139/445
# (SMB) and 2049 (NFS) are excluded -- presumably because Tor exits refuse them;
# the reason is not recorded here.
-A PREROUTING -i wlan0 -p tcp -m multiport ! --dports 135,139,445,2049 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
# Redirect client UDP DNS to the local resolver on port 53.
# NOTE(review): this only avoids DNS leaks if that resolver itself answers via
# Tor (e.g. forwards to Tor's DNSPort) -- confirm in the resolver's config.
# UDP on any other port, and ICMP, are NOT redirected by this table and will be
# forwarded straight out of eth0 (outside Tor) unless the filter table's FORWARD
# chain blocks them.
-A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
# Alternative: hand client DNS directly to Tor's DNSPort (9053)
#-A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 9053
# Masquerade whatever is forwarded out of the upstream interface eth0
-A POSTROUTING -o eth0 -j MASQUERADE
# Alternative to MASQUERADE when eth0 has a fixed address
#-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.3
COMMIT
# Completed on Tue Sep 15 22:13:58 2015
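# Generated by iptables-save v1.4.14 on Tue Sep 15 22:13:58 2015
*filter
:INPUT ACCEPT [5371:2475476]
:FORWARD ACCEPT [6856:4484036]
:OUTPUT ACCEPT [4669:2392470]
# Forwarding: the nat table only redirects client TCP (on SYN) and UDP/53 into
# Tor. With an ACCEPT-everything FORWARD chain, anything else arriving on wlan0
# -- UDP on other ports, ICMP, stray non-SYN TCP segments with no conntrack
# entry -- would be forwarded and masqueraded out of eth0, bypassing Tor.
# Allow only the local-network destinations the nat table exempts (matching its
# RETURN rules) plus replies to existing flows, and drop the rest from wlan0.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i wlan0 -d 192.168.0.0/24 -j ACCEPT
-A FORWARD -i wlan0 -d 192.168.12.0/24 -j ACCEPT
-A FORWARD -i wlan0 -j DROP
# Prevent certain types of TOR leaks in the gateway's own (locally generated)
# traffic. OUTPUT never sees forwarded client packets, so these rules do not
# protect clients; the FORWARD rules above do that.
# Drop packets conntrack cannot associate with a known connection. A single
# rule suffices: "-m state --state INVALID" is the same match as this one.
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
# Drop outgoing FIN/ACK and RST/ACK segments that are not on loopback.
-A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
-A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
COMMIT
# Completed on Tue Sep 15 22:13:58 2015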