Tuesday, June 25, 2013

Locking down your Tor usage

Due to increased interest, I figure I should post about this in a more public area.

Problem statement: "I worry that unintended data is leaking from my machine while I'm using Tor."

The solution: use iptables to block all data exiting the machine that is not coming from the Tor daemon.

The way that I do this is by creating a simple script in my home directory called "torlock.sh".  This file contains the following lines:

#!/bin/sh
# Flush the filter table, then reject every packet leaving wlan0 that was not generated by the tor daemon's user.
sudo iptables -F
sudo iptables -I OUTPUT -o wlan0 -m owner ! --uid-owner debian-tor -j REJECT

This assumes a few things.

  1. You are on a Linux box with iptables.
  2. The local tor server is running as the user "debian-tor".
  3. You are connected to the internet through the wlan0 interface.
  4. You don't already have complex iptables rules in place.
  5. You are using the standard tor daemon, without vidalia, privoxy, or the browser bundle.

This will work out of the box for anyone on Ubuntu or Debian who installed it via the supported PPAs.

To get this working with the browser bundle, I first set a password for the debian-tor user, made sure its home directory was set to /var/lib/tor, and then installed the browser bundle there. Then, when I want to run the browser bundle, I first run the ./torlock.sh script, then run "su debian-tor". At that point, I can connect to anything using tor, and no traffic from my admin user, or even from root, can exit the box. Any scripts or tools you're using should be run as your regular user, and you are guaranteed that they will only be able to reach the internet through tor.
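As an added example (not part of the original post), here is a small POSIX shell check to run after torlock.sh and before "su debian-tor": it reads the output of "iptables -S OUTPUT" and confirms that the owner-based REJECT is the first rule on the interface, since any rule inserted ahead of it would let traffic bypass the lock. The interface, user name and uid are arguments; the rule text it parses is whatever iptables prints, and the script name is my own choice.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the torlock rule is
# really in force before launching anything.  Reads "iptables -S OUTPUT" text
# on stdin and succeeds only if the first real rule is the owner-based REJECT
# for the given interface.  Anything inserted ahead of it (e.g. an ACCEPT for
# DNS) would bypass the lock, so being first is part of the check.
#
# Usage: sudo iptables -S OUTPUT | sh torlock_check.sh wlan0 debian-tor
# Run the same check against "ip6tables -S OUTPUT" as well: the iptables rule
# in torlock.sh does nothing for IPv6 traffic.
torlock_check() {
    iface="$1"; user="$2"; uid="${3:-$2}"
    # Skip chain policy lines (-P ...) and keep only the first rule.
    first=$(grep -v '^-P ' | head -n 1)
    # "iptables -S" usually prints the uid numerically (e.g. 109) rather than
    # as "debian-tor", so accept either spelling.
    printf '%s\n' "$first" | grep -Eq \
        "^-A OUTPUT -o $iface -m owner ! --uid-owner ($user|$uid) -j REJECT( |$)"
}

# When invoked with arguments, resolve the user's uid and run the check.
if [ "$#" -ge 2 ]; then
    uid=$(id -u "$2" 2>/dev/null || printf '%s' "$2")
    if torlock_check "$1" "$2" "$uid"; then
        echo "torlock: OK, owner REJECT is the first OUTPUT rule on $1"
    else
        echo "torlock: NOT locked, traffic on $1 can leave without Tor" >&2
        exit 1
    fi
fi
```

The positive case is an OUTPUT chain whose first rule is exactly the one torlock.sh inserts; the check fails if the rule is missing, is for another interface, or has an ACCEPT sitting in front of it.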