I am trying to configure nftables rules for ProxyChains-over-Tor, so that:
My system --> Tor SOCKS5 proxy --> HTTP proxy --> Internet
- My system can only communicate with Tor SOCKS5 proxy
- Tor SOCKS5 proxy can only communicate with my system and the HTTP proxy
- The HTTP proxy can only communicate with Tor SOCKS5 proxy and the Internet
- The Internet can only communicate with the HTTP proxy
I see from this article that the correct nftables rules to block everything except Tor access are:
chain output {
    ip daddr 127.0.0.1 tcp dport 9050 accept
    reject
}
That works for Tor alone; however, it gets a bit confusing when a further proxy is involved.
Currently I have the following nftables rules for this scenario:
chain output {
    ip daddr 127.0.0.1 tcp dport 9050 accept
    ip daddr 127.0.0.1 tcp dport 9050 tcp sport {proxy_port} ip saddr {proxy_ip} accept
    reject
}
Is this simple change enough to enforce the restrictions mentioned above? Or do I need to introduce a more complex setup with input/forward chains in my rule configuration to prevent my system from communicating directly with the proxy (or directly with the Internet)?
I would appreciate any guidance, suggestions, or example configurations to achieve the correct nftables rules for ProxyChains-over-Tor. Thank you in advance!
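As an added example (not from the question or the linked article), here is a complete ruleset that enforces the first two constraints on the client host; it assumes Tor runs locally as system user "tor" and listens on 127.0.0.1:9050. The rule referencing proxy_ip is left out because the hop from Tor to the HTTP proxy happens inside the Tor circuit, so the proxy's address never appears in the client's packets and can only be constrained on the proxy host.

```nft
#!/usr/sbin/nft -f
# Added example ruleset; assumptions: Tor runs on this host as system
# user "tor" (Debian uses "debian-tor") and listens on 127.0.0.1:9050.
flush ruleset

table inet torwall {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
    }

    chain output {
        type filter hook output priority 0; policy drop;

        # Replies on connections that one of the rules below already allowed
        ct state established,related accept

        # Ordinary processes (the ProxyChains clients) may open connections
        # only to the local Tor SOCKS port; nothing else leaves them,
        # including DNS, so proxychains must resolve names via the proxy
        oifname "lo" ip daddr 127.0.0.1 tcp dport 9050 ct state new accept

        # Only the Tor daemon itself opens connections to the Internet
        # (guards or bridges). Its onward hop to the HTTP proxy travels
        # inside the Tor circuit, so proxy_ip never appears in a packet on
        # this host and cannot be matched here; that hop has to be
        # constrained with a firewall on the proxy side instead.
        meta skuid "tor" oifname != "lo" ct state new tcp accept

        # Everything else originating from this host is refused and counted,
        # which makes leaks visible with `nft list chain inet torwall output`
        counter reject with icmpx type admin-prohibited
    }
}
```

Load with `nft -f` as root; the user name in `meta skuid` is resolved when the file is loaded, so it must exist on the system.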