A question about SocksPolicy option

hack3rcon · July 10, 2023, 6:39pm

Hello,
I want to change the Tor configuration that only the following addresses can connect to the server:

172.21.50.*
192.168.1.*
80.90.100.200

How should I change the SocksPolicy option?

Thank you.

atari · July 11, 2023, 5:31am

#SocksPolicy reject *
SocksPolicy accept 172.21.50.0/24
SocksPolicy accept 192.168.1.0/24
SocksPolicy accept 80.90.100.200

But for just browsing, you should go with your private bridge-option and using a Tor Browser [ A dedicated bridge for the Tor]

hack3rcon · July 16, 2023, 8:32am

Hello,
Thank you so much for your reply.
Is the following line incorrect?

SocksPolicy accept 172.21.50.1, 172.21.50.2, 172.21.50.3

Should each IP address be on a separate line?

atari · July 16, 2023, 3:19pm

if you do not use a netmask - i guess so

SocksPolicy policy,policy,…

    Set an entrance policy for this server, to limit who can connect to the SocksPort and DNSPort ports. The policies have the same form as exit policies below, except that port specifiers are ignored. Any address not matched by some entry in the policy is accepted.

abysshint · July 16, 2023, 3:19pm

Each element must have an accept or reject
If you only allow certain addresses, then use accept, accept…, and finalize with a reject * policy to deny all others.
If you allow all addresses except banned addresses, then use reject, reject…, and finalize with a accept * policy.
You can use commas instead of separate lines, but follow the above rules.

In your case, you should:

SocksPolicy accept 172.21.50.1, accept 172.21.50.2, accept 172.21.50.3, reject *

hack3rcon · July 17, 2023, 7:54am

Hello,
Thank you so much for this great help.
I have another question. If I used the following rule and I just want to ban some IP address from the range, then what should I do?
SocksPolicy accept 172.21.50.0/24

Are the following lines correct?
SocksPolicy accept 172.21.50.0/24
SocksPolicy reject 172.21.50.3, reject 172.21.50.10

Are the above lines accepting all IPs except 172.21.50.3 and 172.21.50.10?

abysshint · July 17, 2023, 10:07am

No, first accept/reject specific IP addresses, and at the end reject/accept all the others (*) or CIDR ranges they belong to.

In your case:

SocksPolicy reject 172.21.50.3, reject 172.21.50.10, accept 172.21.50.0/24

hack3rcon · July 17, 2023, 1:54pm

Hello,
Thank you so much for your great help.

system · July 18, 2023, 1:54pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.