added 121 characters in body
Source Link
Mat
  • 54.9k
  • 11
  • 164
  • 143

The rule that takes care of the packets after the first ACK is:

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 

It essentially means: let all packets that are part of, or related to, an established session go through. All packets from your machine that follow the initial SYN (provided there was a valid reply to that) are part of an established session, so they will pass.
(RELATED is used for protocols like FTP, if you have that module enabled, where a "normal" session can involve more than one TCP session.)

Note that since you've set up DNS redirection to Tor too, and use AutomapHostsOnResolve, the IP address your browser (and other software) will see is not www.example.com's IP address but a virtual address in the range you specified (10.192.0.0/10). This is incorrect: only some suffixes are mapped to that local range (.exit and .onion by default).
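Added example, not part of Mat's answer: a small Python model of the two points above. It walks a constructed packet trace through a toy conntrack table to show which outbound packets the `--state ESTABLISHED,RELATED` rule accepts (everything after a SYN that got a valid reply; a SYN that is never answered, and its retransmission, stay NEW), and it checks which names the default AutomapHostsOnResolve suffixes would map into the 10.192.0.0/10 range. The addresses, ports, and the `allow_new_to` set (standing in for whatever rules follow the state rule in the asker's OUTPUT chain, which the page does not show) are assumptions; NAT redirection to Tor, the INPUT chain, and conntrack protocol helpers (RELATED) are not modelled.

```python
# Toy model of the ESTABLISHED,RELATED match and of AutomapHostsOnResolve.
# Constructed for illustration; this is not netfilter or Tor code.
import ipaddress
from dataclasses import dataclass

# From the answer: VirtualAddrNetworkIPv4 and the default automapped suffixes.
VIRTUAL_NET = ipaddress.ip_network("10.192.0.0/10")
AUTOMAP_SUFFIXES = (".exit", ".onion")
OUR_HOST = "10.0.0.5"    # constructed local address
PEER = "192.0.2.10"      # constructed remote address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" PSH/ACK


class ConnTracker:
    """Stand-in for the conntrack table: a flow is keyed by its 4-tuple as
    seen from the originator and is NEW until a reply-direction packet has
    been seen, then ESTABLISHED.  RELATED needs protocol helpers (FTP etc.)
    and is not modelled."""

    def __init__(self):
        self._replied = {}  # originator 4-tuple -> reply seen?

    def classify(self, pkt):
        outbound = pkt.src == OUR_HOST
        key = ((pkt.src, pkt.sport, pkt.dst, pkt.dport) if outbound
               else (pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if key not in self._replied:
            if not outbound:
                return "INVALID"        # reply to a flow we never originated
            self._replied[key] = False  # entry created, but still NEW
            return "NEW"
        if not outbound:
            self._replied[key] = True   # the "valid reply" from the answer
            return "ESTABLISHED"
        return "ESTABLISHED" if self._replied[key] else "NEW"


def output_verdict(state, pkt, allow_new_to):
    """OUTPUT chain in the order the answer gives: the state rule first.
    allow_new_to is a set of (dst, dport) standing in for the asker's rules
    for NEW connections (not on the page); everything else is dropped."""
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT:state"
    if state == "NEW" and (pkt.dst, pkt.dport) in allow_new_to:
        return "ACCEPT:new"
    return "DROP"


def evaluate(trace, allow_new_to):
    """Feed every packet to the tracker; report (flags, state, verdict) for
    the outbound ones only (the INPUT chain is not modelled)."""
    tracker = ConnTracker()
    results = []
    for pkt in trace:
        state = tracker.classify(pkt)
        if pkt.src == OUR_HOST:
            results.append((pkt.flags, state, output_verdict(state, pkt, allow_new_to)))
    return results


def automap_expected(hostname):
    """Would AutomapHostsOnResolve (default suffixes) return a virtual
    address for this name?  www.example.com resolves to its real address."""
    return hostname.lower().rstrip(".").endswith(AUTOMAP_SUFFIXES)


def in_virtual_range(ip):
    """Is this address inside VirtualAddrNetworkIPv4 (10.192.0.0/10)?"""
    return ipaddress.ip_address(ip) in VIRTUAL_NET


# Constructed trace: one replied-to session, then an unanswered SYN and its
# retransmission.
SAMPLE_TRACE = [
    Packet(OUR_HOST, 40001, PEER, 80, "S"),    # our SYN
    Packet(PEER, 80, OUR_HOST, 40001, "SA"),   # valid reply from the peer
    Packet(OUR_HOST, 40001, PEER, 80, "A"),    # handshake ACK
    Packet(OUR_HOST, 40001, PEER, 80, "PA"),   # request data
    Packet(OUR_HOST, 40002, PEER, 443, "S"),   # unanswered SYN
    Packet(OUR_HOST, 40002, PEER, 443, "S"),   # SYN retransmit: still NEW
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_TRACE, {(PEER, 80)}):
        print("%-3s %-12s %s" % row)
    for name in ("www.example.com", "foo.onion", "www.example.com.exit"):
        print(name, "automapped" if automap_expected(name) else "real address")
    print("10.192.12.34 in virtual range:", in_virtual_range("10.192.12.34"))
```

The point the trace makes: only the first SYN of each session needs a rule of its own; once the peer has answered, every later outbound packet of that session matches the state rule, while a session that never received a reply keeps matching NEW and falls through to whatever the rest of the chain says.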

Source Link
Mat
  • 54.9k
  • 11
  • 164
  • 143

The rule that takes care of the packets after the first ACK is:

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 

It essentially means: let all packets that are part of, or related to, an established session go through. All packets from your machine that follow the initial SYN (provided there was a valid reply to that) are part of an established session, so they will pass.
(RELATED is used for protocols like FTP, if you have that module enabled, where a "normal" session can involve more than one TCP session.)

Note that since you've set up DNS redirection to Tor too, and use AutomapHostsOnResolve, the IP address your browser (and other software) will see is not www.example.com's IP address but a virtual address in the range you specified (10.192.0.0/10).