Sometimes you may want to sacrifice some security for convenience, and use a lighter setup for tor usage instead of going for a heavy-weight solution like Whonix.

In this post we limit a Linux user account to only using tor to connect outside.

The examples are for Debian Stretch and assume you have already set up tor with a SocksPort, and created a user account.

Blocking everything except tor

The following nftables rules can be used to be block everything except tor access. Add them to /etc/nftables.conf:

table inet filter {
  chain output {
    meta skuid username ip daddr 127.0.0.1 tcp dport 9050 accept
    meta skuid username reject
  }
}

If you use iptables, you can use -m owner --uid-owner username for the rules.

Restart nftables.service:

$ sudo systemctl restart nftables

After this verify that neither DNS nor ping works:

username$ host www.google.com
../../../../lib/isc/unix/net.c:581: sendmsg() failed: Operation not permitted
../../../../lib/isc/unix/net.c:581: sendmsg() failed: Operation not permitted

username$ ping -c1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 123.123.123.123 icmp_seq=1 Destination Port Unreachable
ping: sendmsg: Operation not permitted

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

Using the tor socks proxy

SSH

First install netcat-openbsd:

$ sudo apt install netcat-openbsd

Then add the following to ~username/.ssh/config:

Host *
  ProxyCommand nc.openbsd -x localhost:9050 %h %p

This allows making SSH connections, for example to connect to GitHub:

username$ ssh -T git@github.com                                                                                                                                                         
Hi username! You've successfully authenticated, but GitHub does not provide shell access.

HTTPS

For HTTPS access, add the following to the bottom of ~username/.bashrc:

export HTTPS_PROXY=socks5h://127.0.0.1:9050

Pay attention to socks5h - the h there makes the proxy resolve the address, instead of resolving it locally.

This allows many programs like curl and git to access HTTPS addresses.

You could export http_proxy similarly to allow access to HTTP addresses, but I advice against it, because the tor exit nodes will be able to read the traffic.

Word of warning

This is not meant to be a bulletproof setup. It mostly just helps you to prevent accidental clearnet usage. There are still ways to send data over clearnet, for example if there are setuid binaries like /usr/sbin/sendmail.