#!/bin/sh

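# Fail closed: abort on the first failing command (the DROP policies are set
# before any rule, so a partial run leaves the host isolated rather than open)
# and treat unset variables as errors.
set -eu

# Special-purpose / non-routable IPv4 ranges (private, loopback, link-local,
# shared address space, documentation, benchmarking, multicast, reserved).
# Traffic to these must never be pushed into Tor: the nat table RETURNs it
# untouched and the filter table then drops it. One list serves both tables;
# it is deliberately word-split in the loops below (POSIX sh has no arrays).
special_addrs='255.255.255.255/32 240.0.0.0/4 233.252.0.0/24 224.0.0.0/4 203.0.113.0/24 198.51.100.0/24 198.18.0.0/15 192.168.0.0/16 192.88.99.0/24 192.0.2.0/24 192.0.0.0/24 172.16.0.0/12 169.254.0.0/16 127.0.0.0/8 100.64.0.0/10 10.0.0.0/8 0.0.0.0/8'

# Default-deny on every chain before touching the rules, so nothing is
# reachable while the ruleset is being (re)built.
iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT DROP

# Start from empty tables: -A only appends, so without this a second run would
# stack a duplicate ruleset and any pre-existing rule would keep precedence.
iptables -F; iptables -t nat -F

# --- filter/INPUT: only loopback and replies to connections we opened.

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j DROP

# --- filter/FORWARD: this host does not route for anyone.

iptables -A FORWARD -j DROP

# --- filter/OUTPUT: only Tor itself may talk to the network; everything else
# may reach only Tor's local ports (after the nat redirection below) or lo.

iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT

# Tor's DNSPort (UDP) and TransPort (TCP, new connections only).
iptables -A OUTPUT -p udp -d 127.0.0.1 --dport 9053 -j ACCEPT
iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport 9040 --syn -j ACCEPT

# The Tor daemon is the only process allowed to open outbound connections.
iptables -A OUTPUT -p tcp -m owner --uid-owner debian-tor -m state --state NEW --syn -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Explicit drops for the special ranges (defense in depth; the catch-all DROP
# below would also reject them). Unquoted on purpose: one rule per range.
# shellcheck disable=SC2086
for special_addr in $special_addrs; do
	iptables -A OUTPUT -d "$special_addr" -j DROP
done

iptables -A OUTPUT -j DROP

# --- nat/OUTPUT: transparently steer local traffic into Tor.

# All UDP DNS goes to Tor's DNSPort; TCP connections to the VirtualAddrNetwork
# (the range Tor hands out for automapped .onion names, see torrc below) go to
# the TransPort.
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination='127.0.0.1:9053'
iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 --syn -j DNAT --to-destination='127.0.0.1:9040'

# Do not redirect Tor's own connections back into Tor, nor loopback traffic.
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner debian-tor --syn -j RETURN
iptables -t nat -A OUTPUT -o lo -j RETURN

# Leave the special ranges untouched so they fall through to the filter table
# and are dropped there instead of being handed to Tor.
# shellcheck disable=SC2086
for special_addr in $special_addrs; do
	iptables -t nat -A OUTPUT -d "$special_addr" -j RETURN
done

# Every remaining new TCP connection is redirected to the TransPort.
iptables -t nat -A OUTPUT -p tcp --syn -j DNAT --to-destination='127.0.0.1:9040'

# --- IPv6: Tor is bound to IPv4 loopback only, so block IPv6 entirely.

ip6tables -P INPUT DROP; ip6tables -P FORWARD DROP; ip6tables -P OUTPUT DROP
ip6tables -F
ip6tables -A INPUT -j DROP; ip6tables -A FORWARD -j DROP; ip6tables -A OUTPUT -j DROP

# --- Tor configuration. NOTE: this overwrites /etc/tor/torrc wholesale; any
# existing settings in that file are discarded. The ports and the
# VirtualAddrNetwork must match the iptables rules above.

cat <<'EOF' > /etc/tor/torrc
DNSPort 127.0.0.1:9053
AutomapHostsOnResolve 1
AutomapHostsSuffixes .onion

TransPort 127.0.0.1:9040
VirtualAddrNetwork 10.192.0.0/10
EOF

# --- Restart Tor so it picks up the new torrc (set -e aborts here if the
# service fails to come back).

systemctl restart tor

# ---

exit 0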