Tuesday, June 25, 2013

Locking down your Tor usage

Due to increased interest, I figure I should post about this in a more public area.

Problem statement: "I worry that unintended data is leaking from my machine while I'm using Tor."

The solution: use iptables to block all traffic leaving the machine that does not come from the Tor daemon.

The way that I do this is by creating a simple script in my home directory called "torlock.sh".  This file contains the following lines:

# Flush the existing rules, then reject anything leaving wlan0 that is not owned by debian-tor.
sudo iptables -F
sudo iptables -I OUTPUT -o wlan0 -m owner ! --uid-owner debian-tor -j REJECT

This assumes a few things.

  1. You are on a Linux box with iptables.
  2. The local Tor server is running as the user "debian-tor".
  3. You are connected to the internet through the wlan0 interface.
  4. You don't already have complex iptables rules in place.
  5. You are using the standard Tor daemon, without Vidalia, Privoxy, or the browser bundle.

This will work out of the box for anyone on Ubuntu or Debian who installed Tor via the supported PPAs.

To get this working with the browser bundle, I first set a password for the debian-tor user, made sure the home directory was set to /var/lib/tor, and then installed the browser bundle there. Then, when I want to run the browser bundle, I first run the ./torlock.sh script, then run "su debian-tor". At that point, I can connect to anything using Tor, and no traffic from my admin user, or even from root, can exit the box. Any scripts or tools you're using should be run as your regular user, and you are guaranteed that they will only be able to touch the internet through Tor.
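The two-line script above loads an IPv4 rule only, because iptables does not filter IPv6. As an added example (not the author's torlock.sh), this variant loads the same rule through ip6tables as well and checks that it is still the first OUTPUT rule. The TOR_USER and IFACE variables, the function names, the modes and the sample listing with uid 105 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: torlock with IPv6 coverage and a rule check.
# Assumed defaults come from the post; override them via the environment.
TOR_USER="${TOR_USER:-debian-tor}"
IFACE="${IFACE:-wlan0}"

# Emit or run the lock for both address families. iptables only filters
# IPv4, so the same rule is loaded through ip6tables as well.
# $1 = "echo" (dry run, prints the commands) or "sudo" (apply them).
torlock() {
    run="$1"
    for fw in iptables ip6tables; do
        $run "$fw" -F
        $run "$fw" -I OUTPUT -o "$IFACE" -m owner ! --uid-owner "$TOR_USER" -j REJECT
    done
}

# Read an `iptables -S OUTPUT` listing on stdin and succeed only if the first
# rule in the chain is the REJECT for every uid except the Tor one.
# $1 = interface, $2 = numeric uid (the listing prints uids as numbers).
torlock_verify() {
    first=$(grep '^-A OUTPUT' | head -n 1)
    case "$first" in
        "-A OUTPUT -o $1 -m owner ! --uid-owner $2 -j REJECT"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample listing (uid 105 is made up) used by the default mode.
SAMPLE='-P OUTPUT ACCEPT
-A OUTPUT -o wlan0 -m owner ! --uid-owner 105 -j REJECT --reject-with icmp-port-unreachable'

case "${1:-}" in
    apply)
        torlock sudo ;;
    verify)
        uid=$(id -u "$TOR_USER") || exit 1
        for fw in iptables ip6tables; do
            sudo "$fw" -S OUTPUT | torlock_verify "$IFACE" "$uid" ||
                { echo "$fw: lock rule is missing or not first" >&2; exit 1; }
        done
        echo "first OUTPUT rule rejects non-Tor uids on $IFACE" ;;
    *)  # default: dry run, plus a check of the constructed sample
        torlock echo
        printf '%s\n' "$SAMPLE" | torlock_verify wlan0 105 && echo "sample listing: OK" ;;
esac
```

Run it with no argument for a dry run, with `apply` to load the rules, and with `verify` to check the live rule set.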

