add IPtables chain for outgoing Tor traffic

If Tor is operating in relay mode, it has to open a lot of outgoing
TCP connections. These should be separated from any other outgoing
connections, as allowing _all_ outgoing traffic will be unwanted and
risky in most cases.

Thereof, Tor will be running as a dedicated user (see second patch),
allowing usage of user-based IPtables rulesets.

Partially fixes #11779.

Singed-off-by: Peter Müller <peter.mueller@ipfire.org>

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

src/initscripts/packages/tor

@@ -21,8 +21,11 @@ function setup_firewall() {
 	# Flush all rules.
 	flush_firewall
 
+	# Allow incoming traffic to Tor relay (and directory) port and
+	# all outgoing TCP connections from Tor user.
 	if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_PORT}" ]; then
 		iptables -A TOR_INPUT -p tcp --dport "${TOR_RELAY_PORT}" -j ACCEPT
+		iptables -A TOR_OUTPUT -p tcp -m owner --uid-owner tor -j ACCEPT
 	fi
 
 	if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_DIRPORT}" ] && [ "${TOR_RELAY_DIRPORT}" -ne 0 ]; then
@@ -33,6 +36,7 @@ function setup_firewall() {
 function flush_firewall() {
 	# Flush all rules.
 	iptables -F TOR_INPUT
+	iptables -F TOR_OUTPUT
 }
 
 case "${1}" in

src/initscripts/system/firewall

@@ -294,9 +294,11 @@ iptables_init() {
 	iptables -N OVPNINPUT
 	iptables -A INPUT -j OVPNINPUT
 
-	# Tor
+	# Tor (inbound and outbound)
 	iptables -N TOR_INPUT
 	iptables -A INPUT -j TOR_INPUT
+	iptables -N TOR_OUTPUT
+	iptables -A OUTPUT -j TOR_OUTPUT
 	
 	# Jump into the actual firewall ruleset.
 	iptables -N INPUTFW