Skip to content

Limiting Server Network Access

GreaterFire edited this page Sep 3, 2018 · 2 revisions

For security reasons, you might want to disable trojan's access to certain endpoints (such as loopback address and LAN). This can be done using per-user iptables rules.

First, create a system user for trojan:

sudo useradd -r -g trojan trojan

so that you can run trojan with

sudo -u trojan trojan /path/to/config

Or if you want to run trojan using systemd service, add the following lines under [Service] section of both trojan.service and trojan@.service:

User=trojan
Group=trojan

Note that if you want to bind to low ports, you have to add a capability to the trojan binary:

sudo setcap CAP_NET_BIND_SERVICE=+eip /path/to/trojan

Now we can set iptables rules for user trojan, for example:

sudo iptables -m owner --uid-owner trojan -A OUTPUT -d 127.0.0.0/8 -j REJECT
sudo iptables -m owner --uid-owner trojan -A OUTPUT -d 192.168.0.0/16 -j REJECT
sudo iptables -m owner --uid-owner trojan -A OUTPUT -d 10.0.0.0/8 -j REJECT
sudo iptables -m owner --uid-owner trojan -A OUTPUT --dport 53 -j ACCEPT
sudo iptables -m owner --uid-owner trojan -A OUTPUT -d 127.0.0.0/8 --dport 80 -j ACCEPT
sudo iptables -m owner --uid-owner trojan -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
You can’t perform that action at this time.