Sometimes you may want to sacrifice some security for convenience, and use a lighter setup for tor usage instead of going for a heavy-weight solution like Whonix.

In this post we limit a Linux user account to only using tor to connect outside.

The examples are for Debian Stretch and assume you have already set up tor with a SocksPort (9050 in the rules below) and created a user account.

Blocking everything except tor

The following nftables rules block everything from the user except access to the tor SocksPort. Add them to /etc/nftables.conf:

    table inet filter {
        chain output {
            # Debian's default nftables.conf already declares the output chain
            # with this hook line; the two rules below go inside that chain.
            type filter hook output priority 0;

            # Let the user reach tor's SocksPort on IPv4 loopback...
            meta skuid username ip daddr 127.0.0.1 tcp dport 9050 accept
            # ...and reject everything else from that user: DNS, ping, other
            # ports, and also ::1, because "ip daddr" only matches IPv4.
            meta skuid username reject
        }
    }

If you use iptables instead, match the user with -m owner --uid-owner username in the equivalent rules.

Restart nftables.service:

    $ sudo systemctl restart nftables

After this, verify from the restricted account that neither DNS nor ping works:

    username$ host www.google.com
    ../../../../lib/isc/unix/net.c:581: sendmsg() failed: Operation not permitted
    ../../../../lib/isc/unix/net.c:581: sendmsg() failed: Operation not permitted
    username$ ping -c1 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    From 123.123.123.123 icmp_seq=1 Destination Port Unreachable
    ping: sendmsg: Operation not permitted

    --- 8.8.8.8 ping statistics ---
    1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

Using the tor socks proxy

SSH

First install netcat-openbsd:

    $ sudo apt install netcat-openbsd

Then add the following to ~username/.ssh/config:

    Host *
        ProxyCommand nc.openbsd -x localhost:9050 %h %p

This allows making SSH connections through tor, for example to GitHub:

    username$ ssh -T git@github.com
    Hi username! You've successfully authenticated, but GitHub does not provide shell access.

HTTPS

For HTTPS access, add the following to the bottom of ~username/.bashrc:

    export HTTPS_PROXY=socks5h://127.0.0.1:9050

Pay attention to socks5h: the trailing h makes the program hand the hostname to the proxy (tor) for resolution instead of resolving it locally, which would be a DNS leak outside tor (and which the firewall rules above block anyway).
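To make the difference concrete, the following added example (not code from the original post) builds the SOCKS5 CONNECT request the way a socks5:// client and a socks5h:// client would, then decodes it the way the proxy sees it. The hostname, the port and the "resolver" table are constructed stand-ins; nothing is sent over the network.

```python
"""What the trailing "h" in socks5h:// changes on the wire (RFC 1928).

socks5://  -> the client resolves the name itself (a DNS query that leaves
              the machine outside tor) and sends an IPv4 address (ATYP 0x01).
socks5h:// -> the client sends the hostname itself (ATYP 0x03) and lets
              the proxy, i.e. tor, resolve it.
"""
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4 = 1
ATYP_DOMAIN = 3

# Constructed stand-in for the system resolver. A real socks5:// client
# would call getaddrinfo() here; that lookup is the DNS leak.
CONSTRUCTED_DNS = {"www.example.com": "192.0.2.10"}


def build_connect(host, port, remote_resolve):
    """Return (request_bytes, list_of_local_dns_queries_made).

    remote_resolve=True  -> socks5h behaviour (hostname goes to the proxy)
    remote_resolve=False -> socks5 behaviour (resolve locally, send IPv4)
    """
    dns_queries = []
    if remote_resolve:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("SOCKS5 domain names are limited to 255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        dns_queries.append(host)  # this query leaves the machine unproxied
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(CONSTRUCTED_DNS[host])
    # VER CMD RSV ATYP DST.ADDR DST.PORT
    req = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)
    return req, dns_queries


def parse_connect(req):
    """Decode a SOCKS5 CONNECT request as the proxy (tor) receives it."""
    ver, cmd, rsv, atyp = req[0], req[1], req[2], req[3]
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT or rsv != 0:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_IPV4:
        dst, rest = socket.inet_ntoa(req[4:8]), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        dst, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise ValueError("unsupported address type %d" % atyp)
    if len(rest) != 2:
        raise ValueError("bad request length")
    (port,) = struct.unpack("!H", rest)
    return {"atyp": atyp, "dst": dst, "port": port}


def compare(host="www.example.com", port=443):
    """Build both flavours; report what leaks locally and what tor sees."""
    result = {}
    for label, remote in (("socks5", False), ("socks5h", True)):
        req, leaked = build_connect(host, port, remote)
        result[label] = {"local_dns": leaked, "proxy_sees": parse_connect(req)}
    return result


if __name__ == "__main__":
    for label, info in compare().items():
        print("%-8s local DNS queries: %-20s proxy sees: %s"
              % (label, info["local_dns"], info["proxy_sees"]))
```

With the socks5 flavour the proxy only ever sees an IP address and the name lookup happened locally; with socks5h the lookup never happens on the machine, which is why the post uses socks5h and why the firewall rules above can safely block the user's DNS altogether.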

This lets programs that honour the variable, such as curl and git, reach HTTPS addresses through tor.

You could export http_proxy similarly to allow access to HTTP addresses, but I advise against it, because the tor exit nodes will be able to read the traffic.

Word of warning