Date: Sat, 23 Aug 2014 18:36:35 +0000
From: ml@ruggedinbox.com
To: tor-talk@lists.torproject.org
Message-ID: <0e65e00908c7d3300489e412903ed1d4@ruggedinbox.com>
Subject: [tor-talk] Tor TransparentProxy with iptables breaks connections ?

Hello again :)

At https://ruggedinbox.com we are running a 'standard' email server, 
using postfix, dovecot, and so on ..

The server is also able to receive and send emails to the onionland, 
thanks to Tor providing DNS resolution for onion addresses and 'unbound' 
for the clearnet.

As you may know, the full setup needs some iptables magic, as documented 
in:
https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
https://lists.torproject.org/pipermail/tor-talk/2014-March/032503.html
https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html

so we run the following rules:
1. iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040
2. iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
3. iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
4. iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP

but it looks like the third rule breaks connections: the mail client 
times out while checking POP mailboxes, randomly but very often.


Do you think that it is safe to discard the third and fourth rules?
And if not, do you have other suggestions to be safe and prevent leaks?


Thank you very much for your support,
we look forward to publishing all of ruggedinbox's configuration as soon as 
everything works ok
(and perhaps a 'ruggedinbox distro')
in order to have a starting base on which to discuss and request 
comments,
which will help people to build their private email server, secure, 
spam-resistant and Tor-aware :)
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
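An added example, not part of the post above and not ruggedinbox's own code: a small Python model of the four OUTPUT rules quoted in the message, run over constructed sample packets, which shows why rule 3 matches the server's own FIN/ACK on an ordinary clearnet POP3 session while onion-bound traffic is unaffected because REDIRECT moves it onto loopback first. The server address, peer addresses and interface names are assumptions, and the chain policy is assumed to be ACCEPT.

```python
import ipaddress
from dataclasses import dataclass, replace

SERVER_IP = "94.156.77.238"  # constructed: the mail server's public address
ONION_NET = ipaddress.ip_network("10.192.0.0/10")  # the range rule 1 redirects into Tor

@dataclass
class Packet:
    src: str
    dst: str
    out_if: str      # assumed outgoing interface: "lo" or "eth0"
    flags: set       # TCP flags set on the packet
    ctstate: str = "ESTABLISHED"  # conntrack state tested by rule 2

def nat_output(pkt):
    """Rule 1 (nat OUTPUT): TCP to the onion range is redirected to TransPort 9040."""
    if ipaddress.ip_address(pkt.dst) in ONION_NET:
        return "REDIRECT --to-ports 9040"
    return "no match"

def not_loopback(pkt):
    """The '! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1' prefix shared by rules 3 and 4."""
    return pkt.out_if != "lo" and "127.0.0.1" not in (pkt.src, pkt.dst)

def filter_output(pkt):
    """Rules 2-4 (filter OUTPUT), first match wins; returns (verdict, rule number)."""
    if pkt.ctstate == "INVALID":
        return ("DROP", 2)
    if not_loopback(pkt) and {"ACK", "FIN"} <= pkt.flags:  # --tcp-flags ACK,FIN ACK,FIN
        return ("DROP", 3)
    if not_loopback(pkt) and {"ACK", "RST"} <= pkt.flags:  # --tcp-flags ACK,RST ACK,RST
        return ("DROP", 4)
    return ("ACCEPT", None)  # assumed chain policy

def output_path(pkt):
    """nat OUTPUT first; a REDIRECT (kept for the whole connection by conntrack)
    rewrites the destination to the local host, so filter OUTPUT sees it on lo."""
    nat = nat_output(pkt)
    if nat.startswith("REDIRECT"):
        pkt = replace(pkt, dst="127.0.0.1", out_if="lo")
    return (nat, filter_output(pkt))

# Constructed traffic, all TCP and all generated locally by the mail server.
SAMPLES = {
    "pop3 clearnet FIN/ACK": Packet(SERVER_IP, "203.0.113.7", "eth0", {"ACK", "FIN"}),
    "pop3 clearnet data":    Packet(SERVER_IP, "203.0.113.7", "eth0", {"ACK", "PSH"}),
    "smtp to onion FIN/ACK": Packet(SERVER_IP, "10.192.0.5", "eth0", {"ACK", "FIN"}),
    "pop3 clearnet RST":     Packet(SERVER_IP, "203.0.113.7", "eth0", {"ACK", "RST"}),
}

def verdicts():
    return {name: output_path(pkt) for name, pkt in SAMPLES.items()}
```

The graceful close of the clearnet session is the packet rule 3 drops, so the peer never sees the server's FIN and waits until it gives up; the same rule leaves the onion session alone only because it already travels over loopback.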

