From: elrippo <elrippo@elrippoisland.net>
To: tor-talk@lists.torproject.org
Date: Sat, 23 Aug 2014 20:43:12 +0200
Message-ID: <1861083.FHXIePNLqr@zwergal-hp-pavilion-g6-notebook-pc>
In-Reply-To: <0e65e00908c7d3300489e412903ed1d4@ruggedinbox.com>
References: <0e65e00908c7d3300489e412903ed1d4@ruggedinbox.com>
Subject: Re: [tor-talk] Tor TransparentProxy with iptables breaks connections ?

Take a look at example f.) ->
https://elrippoisland.net/public/how_to/anonymity.html

> Hello again :)
>
> At https://ruggedinbox.com we are running a 'standard' email server,
> using postfix, dovecot, and so on ..
>
> The server is also able to receive and send emails to the onionland,
> thanks to Tor providing DNS resolution for onion addresses and 'unbound'
> for the clearnet.
>
> As you may know, the full setup needs some iptables magic, as documented
> in:
> https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
> https://lists.torproject.org/pipermail/tor-talk/2014-March/032503.html
> https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html
>
> so we run the following rules:
> 1. iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040
> 2. iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
> 3. iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
> 4. iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
>
> but it looks like the third rule breaks connections: the mail client
> times out while checking POP mailboxes, randomly but very often.
>
>
> Do you think it is safe to discard the third and fourth rules?
> And if not, do you have other suggestions to be safe and prevent leaks?
>
>
> Thank you very much for supporting,
> we look forward to publishing all ruggedinbox's configuration as soon as
> everything works ok
> (and perhaps a 'ruggedinbox distro')
> in order to have a starting base on which to discuss and request for
> comments,
> which will help people to build their private email server, secure,
> spam-resistant and Tor-aware :)

-- 
We don't bubble you, we don't spoof you ;)
Keep your data encrypted!
Log you soon,
your Admin
elrippo@elrippoisland.net

Encrypted messages are welcome.
0x84DF1F7E6AE03644

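The four iptables rules quoted above, walked through as an added Python model of the host's OUTPUT path (this is not code from the thread or from the ruggedinbox setup). It assumes a clearnet interface named eth0 and uses constructed packets to show which traffic rules 3 and 4 actually inspect: only non-loopback segments, so a FIN/ACK closing a direct clearnet POP session is dropped, while the same close on an onion-range connection has already been redirected to lo by rule 1 and passes.

```python
import ipaddress
from dataclasses import dataclass

ONION_RANGE = ipaddress.ip_network("10.192.0.0/10")  # the -d range in rule 1
LOOPBACK = "127.0.0.1"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    out_iface: str      # assumed: "eth0" is the clearnet interface, "lo" loopback
    flags: frozenset    # TCP flags set on the segment, e.g. {"ACK", "FIN"}
    ctstate: str = "ESTABLISHED"

def nat_output(pkt):
    """Rule 1: REDIRECT tcp traffic for the onion virtual range to Tor's TransPort 9040."""
    if ipaddress.ip_address(pkt.dst) in ONION_RANGE:
        return Packet(pkt.src, LOOPBACK, 9040, "lo", pkt.flags, pkt.ctstate)
    return pkt

def tcp_flags_match(pkt, mask, comp):
    """--tcp-flags MASK COMP: among the flags in MASK, exactly COMP must be set."""
    return (pkt.flags & mask) == comp

def filter_output(pkt):
    """Rules 2-4 of the filter OUTPUT chain; returns (verdict, rule that fired)."""
    if pkt.ctstate == "INVALID":
        return "DROP", 2
    # "! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1": only non-loopback traffic is inspected
    not_local = pkt.out_iface != "lo" and LOOPBACK not in (pkt.src, pkt.dst)
    if not_local and tcp_flags_match(pkt, {"ACK", "FIN"}, {"ACK", "FIN"}):
        return "DROP", 3
    if not_local and tcp_flags_match(pkt, {"ACK", "RST"}, {"ACK", "RST"}):
        return "DROP", 4
    return "ACCEPT", None

def verdict(pkt):
    return filter_output(nat_output(pkt))  # nat OUTPUT runs before filter OUTPUT
SAMPLES = {  # constructed packets; addresses are documentation ranges, not real hosts
    "clearnet POP close (FIN/ACK)": Packet("203.0.113.5", "198.51.100.10", 110, "eth0", frozenset({"ACK", "FIN"})),
    "clearnet POP data (ACK)":      Packet("203.0.113.5", "198.51.100.10", 110, "eth0", frozenset({"ACK"})),
    "onion SMTP open (SYN)":        Packet("203.0.113.5", "10.192.0.7", 25, "eth0", frozenset({"SYN"})),
    "onion SMTP close (FIN/ACK)":   Packet("203.0.113.5", "10.192.0.7", 25, "eth0", frozenset({"ACK", "FIN"})),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:30} -> {verdict(pkt)}")
```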

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
