Block Tor Exit Nodes with IPTables

block-tor-exit-nodes-iptables.md

1. Install ipset:

apt-get install ipset

2. Create new ipset:

ipset create tor iphash

3. Read Tor Exit Node List and add to ipset:

curl -sSL "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=$(curl icanhazip.com)" | sed '/^#/d' | while read IP; do
  ipset -q -A tor $IP
done

Note: This should run as daily cronjob.

4. Block ipset with iptables:

iptables -A INPUT -m set --match-set tor src -j DROP

---

Source

The list from dan.me.uk contains IPv4 and IPv6 addresses. To filter out v6 addresses you can use something like:

ipset create tor-nodes iphash

curl -sSL "https://www.dan.me.uk/torlist/?ip=$(curl icanhazip.com)" | sed -e '/^#/d' -e '/:/d' | while read IP; do
ipset -q -A tor-nodes $IP
done

@MarcosT96, according to https://www.dan.me.uk/tornodes the URL does not take an "ip" parameter. The only parameter is ?exit, which will list exit nodes only (which is likely what most people want anyway).

@mtheophy, surely we are interested in IPv6 as well :) Many servers have IPv6 nowadays. I grab the list to a temporary file and then grep the IP addresses I'm interested in. For IPv4 I use grep -E "^([0-9]+\.){3}[0-9]+$" and for IPv6 I use grep -E "^[23]...:" (IPv6 regex matching is a complex topic, but this suffices for me for now) and then use it to populate the ipv6-tor-nodes set.

ipset create ipv6-tor-nodes iphash family inet6
ip6tables -A INPUT -m set --match-set ipv6-tor-nodes src -j DROP

Check here for nftables version:
https://github.com/erhan-/block-tor-exit-nodes/blob/main/blocktor.sh

ipset -N tor iphash
curl 'https://check.torproject.org/torbulkexitlist?ip=' | xargs -n 1 ipset -A tor 
iptables -A INPUT -m set --match-set tor src -j DROP

My version

I made a version with systemd timer and deployment instructions: https://gist.github.com/zouppen/bc005e0038860164714f0cdf376369b4