This gist blocks incoming traffic from Tor exit nodes. You can also use it to MARK or redirect the incoming traffic, depending on your needs. This guide is for IPv4 only; feel free to contribute IPv6 support if you have it.
Deploy generate_tor_exit_ipset to /opt, and tor_block.service and tor_block.timer to /etc/systemd/system.
Create an empty ipset called tor_exit. If you use netfilter-persistent you can add the following line to /etc/iptables/ipsets:
create tor_exit hash:ip family inet hashsize 1024 maxelem 65536
Reload systemd and then enable and start the timer:
systemctl daemon-reload
systemctl enable tor_block.timer
systemctl start tor_block.timer
Add the filter rule to your firewall, e.g. in iptables:
iptables -N TORDROP
iptables -A TORDROP -m state --state RELATED,ESTABLISHED -j RETURN
iptables -A TORDROP -m set --match-set tor_exit src -j REJECT --reject-with icmp-host-prohibited
iptables -I INPUT 1 -j TORDROP
To keep your rules after reboot, use iptables-persistent or a similar tool.
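The gist's generate_tor_exit_ipset script itself is not reproduced here. As an added illustration of what such a script has to do (this is example code, not the gist's own), the following POSIX shell turns an exit-node list into an "ipset restore" session that fills a staging set and then swaps it into tor_exit, so the firewall rule never matches against an empty or half-filled set while the list is being refreshed. The staging set name tor_exit_tmp and the input formats (one bare IPv4 per line, or "ExitAddress <ip> <timestamp>" lines) are assumptions; the sample input in the test is constructed.

```shell
#!/bin/sh
# Added example, not the gist's generate_tor_exit_ipset: build an ipset restore
# session from a Tor exit-node list and swap it into the live set atomically.
set -eu

SET_NAME="tor_exit"        # the set matched by the TORDROP rule
TMP_SET="${SET_NAME}_tmp"  # staging set (assumed name, must be free)

# Reads exit-node lines on stdin and prints an ipset restore session:
# create the staging set with the same type as tor_exit, flush it, then one
# "add" per valid, de-duplicated IPv4. Accepts either a bare IPv4 per line or
# "ExitAddress 1.2.3.4 <timestamp>" lines; comments, IPv6 and junk are dropped.
build_tor_exit_restore() {
    printf 'create %s hash:ip family inet hashsize 1024 maxelem 65536\n' "$TMP_SET"
    printf 'flush %s\n' "$TMP_SET"
    awk -v set="$TMP_SET" '
        { ip = ($1 == "ExitAddress") ? $2 : $1 }
        {
            # strict dotted-quad check: exactly four numeric octets, each <= 255
            if (split(ip, o, ".") != 4) next
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
            if (!seen[ip]++) printf "add %s %s\n", set, ip
        }
    '
}

# Fetches the list, loads it into the staging set and swaps it into tor_exit.
# Needs root and network access; the exit-list URL is an assumption (the
# gist's own source is not shown). "-exist" lets a leftover staging set from
# a failed previous run be reused instead of aborting the restore.
apply_tor_exit_set() {
    curl -fsSL https://check.torproject.org/torbulkexitlist \
        | build_tor_exit_restore \
        | ipset -exist restore
    ipset swap "$TMP_SET" "$SET_NAME"   # atomic: rule sees old set, then new
    ipset destroy "$TMP_SET"            # now holds the previous list; drop it
}

# Only touch the kernel when explicitly asked: "sh script.sh apply"
if [ "${1:-}" = "apply" ]; then
    apply_tor_exit_set
fi
```

Running it with "apply" from the timer's service unit is the intended use; without the argument it only defines the functions, so you can pipe a list through build_tor_exit_restore to inspect the session before letting it near the firewall. The swap is what keeps the block continuous across refreshes: "ipset flush" followed by re-adding would leave a window in which every Tor exit passes the rule.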
The objective of this script is not to prevent Tor users from accessing information. My goal is to minimize the attack surface of my services and/or to mark Tor traffic to detect scamming attempts and so on. Please don't use it to prevent information sharing, and consider serving your content using a hidden service (onion address) in addition to the public Internet.
Joel Lehtonen. Feel free to support me on Github.
Some ideas are borrowed from jkullick's gist, thanks!