Thread: Which IPTABLES are correct for using APT with a socks proxy?

  1. #1
    Join Date
    Apr 2021
    Beans
    21

    Question Which IPTABLES are correct for using APT with a socks proxy?

    Hey guys!

    Which IPTABLES are correct for using APT with a socks proxy? (with connection tracking)

    This?

    iptables -A OUTPUT -s 127.0.0.1/8 -p tcp -m tcp --sport [PORT] -m conntrack --ctstate ESTABLISHED -j ACCEPT

    or?

    iptables -A OUTPUT -d 127.0.0.1/8 -p tcp -m tcp --dport [PORT] -m conntrack --ctstate ESTABLISHED -j ACCEPT


    I am a bit confused with the --sport/--dport rules (INPUT/OUTPUT) for this scenario.

    Only OUTPUT or INPUT rules, or both?

    It would be nice if you could tell me which iptables rule is correct/wrong for my scenario with APT (APT updates via a socks proxy).

    If applicable, please post here the correct iptables rules for this APT scenario (APT updates via socks proxy).

    Thanks all!

  2. #2
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,699

    Re: Which IPTABLES are correct for using APT with a socks proxy?

    Whether you need to add ACCEPT to OUTPUT rules, INPUT rules or both depends on what you have already configured, because by default nothing is blocked.
    It is common practice to allow all processes on the box to talk to all other processes on the same box via the loopback address.
    Code:
    iptables -A INPUT -i lo -j ACCEPT
    You also need to add an OUTPUT clause if you chose to block outgoing traffic as well.
    The nice thing about this is that it covers all protocols and the port number question goes away.

  3. #3
    Join Date
    Apr 2021
    Beans
    21

    Re: Which IPTABLES are correct for using APT with a socks proxy?

    Some rules in my iptables:
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    Last edited by han85; March 11th, 2022 at 05:52 PM.

  4. #4
    Join Date
    Apr 2021
    Beans
    21

    Re: Which IPTABLES are correct for using APT with a socks proxy?

    I would like to have

    iptables -A OUTPUT -o lo -j DROP

    and then add some iptables OUTPUT @ lo rules myself with conntrack.

    would it work like this?

    iptables -A OUTPUT -o lo -j DROP
    iptables -A OUTPUT -s 127.0.0.1/8 -p tcp -m tcp --sport [PORT] -m conntrack --ctstate ESTABLISHED -j ACCEPT

    or this?
    iptables -A OUTPUT -o lo -j DROP
    iptables -A OUTPUT -d 127.0.0.1/8 -p tcp -m tcp --dport [PORT] -m conntrack --ctstate ESTABLISHED -j ACCEPT


    what still irritates me is

    --dport / --sport rules.

    If I want to use loopback, e.g. with a socks proxy via 't o r', what irritates me as a single rule is
    -s 127.0.0.1/8 ... --sport [PORT]
    or
    -d 127.0.0.1/8 ... --dport [PORT]

    To understand: the Socks Proxy runs on loopback and connects to the 't o r' network via an OUTPUT rule [PORT] to use APT updates over it. Then it should be this iptables rule:

    iptables -A OUTPUT -d 127.0.0.1/8 -p tcp -m tcp --dport [PORT] -m conntrack --ctstate ESTABLISHED -j ACCEPT

    This -s 127.0.0.1/8 and --sport [PORT] iptables rule which I posted here would be wrong for my scenario, right?

    -s (SOURCE) + (SOURCE-PORT) is used for INPUT rules when someone wants to connect to my PC from outside, e.g. via the 't o r' network. Did I understand that correctly, or am I wrong?

    When is a -s (SOURCE) + (SOURCE-PORT) rule used?
    When is a -d (DESTINATION) + (DESTINATION-PORT) rule used?

    If you had a moment to explain it to me in a simple and understandable way I would be grateful and happy.
    Last edited by han85; March 11th, 2022 at 05:56 PM.

  5. #5
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,699

    Re: Which IPTABLES are correct for using APT with a socks proxy?

    Why on earth do you want to prevent processes on the PC communicating with each other? Lots of things will break.
    You can't block based on source port - the source port is always a random number.
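To make the ordering and port questions from posts #4 and #5 concrete, here is an added example (not from this thread or from iptables itself): a small Python first-match evaluator for an OUTPUT chain, run over constructed loopback packets. The SOCKS port 9050 and apt's ephemeral source port 51234 are constructed stand-ins for the thread's [PORT] and for the random client port; the model only covers first-match semantics, not the real netfilter engine.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Constructed packet as the OUTPUT chain sees it; on lo both directions pass OUTPUT.
Packet = namedtuple("Packet", "out_if src dst sport dport ctstate")

@dataclass
class Rule:                          # one OUTPUT rule; None means "not specified"
    target: str                      # -j ACCEPT / -j DROP
    out_if: Optional[str] = None     # -o lo
    src: Optional[str] = None        # -s 127.0.0.1/8
    dst: Optional[str] = None        # -d 127.0.0.1/8
    sport: Optional[int] = None      # --sport
    dport: Optional[int] = None      # --dport
    ctstates: Optional[set] = None   # -m conntrack --ctstate NEW,ESTABLISHED

def in_net(addr: str, net: str) -> bool:
    # iptables reads 127.0.0.1/8 as the network 127.0.0.0/8, hence strict=False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def matches(r: Rule, p: Packet) -> bool:
    return all([r.out_if is None or r.out_if == p.out_if,
                r.src is None or in_net(p.src, r.src),
                r.dst is None or in_net(p.dst, r.dst),
                r.sport is None or r.sport == p.sport,
                r.dport is None or r.dport == p.dport,
                r.ctstates is None or p.ctstate in r.ctstates])

def evaluate(chain: list, p: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule decides, as in a real chain; else the chain policy."""
    for r in chain:
        if matches(r, p):
            return r.target
    return policy

PORT = 9050  # constructed stand-in for the thread's [PORT] placeholder
LO = "127.0.0.1/8"
apt_syn = Packet("lo", "127.0.0.1", "127.0.0.1", 51234, PORT, "NEW")
apt_data = Packet("lo", "127.0.0.1", "127.0.0.1", 51234, PORT, "ESTABLISHED")
proxy_reply = Packet("lo", "127.0.0.1", "127.0.0.1", PORT, 51234, "ESTABLISHED")

def verdicts(chain: list) -> tuple:
    """Verdicts for apt's first SYN, apt's later data, and the proxy's reply."""
    return tuple(evaluate(chain, p) for p in (apt_syn, apt_data, proxy_reply))

# Post #4's order: the DROP comes first, so the ACCEPT below it is never reached.
drop_first = [Rule("DROP", out_if="lo"),
              Rule("ACCEPT", dst=LO, dport=PORT, ctstates={"ESTABLISHED"})]
# ACCEPTs before the DROP; NEW is needed or apt's first SYN falls through to DROP.
accept_first = [Rule("ACCEPT", dst=LO, dport=PORT, ctstates={"NEW", "ESTABLISHED"}),
                Rule("ACCEPT", src=LO, sport=PORT, ctstates={"ESTABLISHED"}),
                Rule("DROP", out_if="lo")]
```

The --dport rule is what matches apt's own packets (their source port is the random 51234), while the --sport rule only ever matches the proxy's replies back to apt.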

  6. #6
    Join Date
    Apr 2021
    Beans
    21

    Re: Which IPTABLES are correct for using APT with a socks proxy?

    For security purposes.

    My created thread can be considered EDITED.

    Have now got it done.
