Jeff M Belt

© 2018 - All Rights Reserved

Blocking TOR with IPTables

TOR is great for those wanting to browse the web anonymously. However, if you are in an organization which needs to reduce the risk of people doing things they shouldn't, then blocking TOR is probably a good idea. While I don't support this, and feel that privacy and equality are paramount in today's online world, I understand the need to balance risk with privacy when working with private organizations which need to reduce their legal risk exposure. To that end, and only to that end, here is one way. It is not 100% foolproof (it only blocks addresses that appear on a published relay list, which changes daily, and TOR bridges are deliberately kept off public lists), and I am ok with that too. Just like the lock on your home, it only keeps the innocent, innocent. The thief who wants to get in will still get in.


Create the following script (it calls iptables, so it must run as root, and it needs bash rather than plain sh because of the [[ ]] tests)


#!/bin/bash
# Must run as root (iptables). Uses bash because of the [[ ]] tests below.

LIST=/tmp/tor.$$

# Delete tor list if it already exists
if [[ -f "$LIST" ]]; then
  rm -f "$LIST"
fi

# get a list of Tor exit nodes
wget https://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv -O "$LIST"

# Assuming we got a non-empty download, (re)build a dedicated chain and block
# traffic coming from (-s, checked in INPUT) and going to (-d, checked in OUTPUT)
# each TOR IP. A "-d" rule in INPUT never matches outbound traffic, since in INPUT
# the destination is always this host. Flushing the chain first means the daily
# cron run replaces the rules instead of appending duplicates, and the jump
# rules are only inserted when they are not already present.
if [[ -s "$LIST" ]]; then
  iptables -N TOR-BLOCK 2>/dev/null || iptables -F TOR-BLOCK
  iptables -C INPUT -j TOR-BLOCK 2>/dev/null || iptables -I INPUT -j TOR-BLOCK
  iptables -C OUTPUT -j TOR-BLOCK 2>/dev/null || iptables -I OUTPUT -j TOR-BLOCK
  while read -r i; do
    i=${i%$'\r'}   # tolerate CRLF line endings in the download
    # the list is untrusted input: skip anything that is not a dotted-quad IPv4
    [[ "$i" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || continue
    echo "Blocking: $i"
    iptables -A TOR-BLOCK -s "$i" -j DROP   # inbound from the TOR IP
    iptables -A TOR-BLOCK -d "$i" -j DROP   # outbound to the TOR IP
  done < "$LIST"
fi

rm -f "$LIST"


Create a CRON job


The script calls iptables, so the job belongs in root's crontab, and the script must be executable. Appending through a pipe avoids writing root's crontab to a predictable file in /tmp, where another local user could pre-create or symlink it:

# chmod +x /path/to/block-tor.sh

# (crontab -l 2>/dev/null; echo "23 1 * * * /path/to/block-tor.sh") | crontab -
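The downloaded list is untrusted input that ends up as arguments to a privileged command, and a few thousand per-address iptables rules are slow to load and to match. The following is an added example, not the original post's script: it validates and deduplicates a list before anything touches the firewall, then loads it into an ipset (so the firewall needs one rule per direction, not one per address) with an atomic swap so there is no moment with an empty set. The set name "tor-exits", the sample list, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. The set name "tor-exits" and the
# sample list below are assumptions made for this example.

# Constructed sample standing in for the downloaded file: two valid addresses,
# a duplicate, a comment line, a CIDR block, junk, an out-of-range octet and
# an IPv6 address. Only three entries should survive.
SAMPLE_LIST='198.51.100.7
203.0.113.25
198.51.100.7
# header line
192.0.2.0/24
not-an-ip
300.1.2.3
2001:db8::1'

# Keep only well-formed IPv4 addresses or IPv4/prefix blocks, deduplicated.
# Anything else, including anything injected into the list, is dropped here
# before it can become an argument to ipset or iptables.
filter_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
    awk -F'[./]' '{ ok = 1
                    for (i = 1; i <= 4; i++) if ($i > 255) ok = 0
                    if (NF == 5 && $5 > 32) ok = 0
                    if (ok) print }' |
    LC_ALL=C sort -u
}

# Turn the filtered list (stdin) into an "ipset restore" script: fill a fresh
# set, then swap it in atomically and discard the old contents. Output is
# printed rather than executed so it can be reviewed or tested without root;
# apply it (as root) with:  ... | gen_ipset_restore | ipset restore
gen_ipset_restore() {
    set_name="${1:-tor-exits}"
    echo "create ${set_name}-new hash:net family inet"
    while read -r ip; do
        echo "add ${set_name}-new $ip"
    done
    echo "swap ${set_name}-new $set_name"
    echo "destroy ${set_name}-new"
}

# One-time setup the swap relies on (run once as root); printed for reference.
# After this, the daily job only has to refresh the set, never the rules.
setup_commands() {
    cat <<'EOF'
ipset create tor-exits hash:net family inet
iptables -I INPUT  -m set --match-set tor-exits src -j DROP
iptables -I OUTPUT -m set --match-set tor-exits dst -j DROP
EOF
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LIST" | filter_ipv4 | gen_ipset_restore
```

Each line of the generated script is an ordinary ipset command, so if `ipset restore` is not available the same lines can be fed one at a time to the ipset binary. Because the live set is swapped rather than flushed and refilled, a download that fails validation entirely leaves the previous set in place instead of unblocking everything.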