
Limiting Server Network Access

johnrosen edited this page Feb 26, 2020 · 3 revisions

A trojan server opens outbound connections on behalf of every authenticated client, so without further restriction any client can use it to reach services that only listen on the server's loopback address or on its LAN (databases, management interfaces and the like). You can close that off by filtering trojan's outbound traffic with per-user iptables rules: run trojan as a dedicated system user and reject what that user sends to those address ranges.

First, create a system user for trojan:

sudo useradd -r trojan --shell=/usr/sbin/nologin

so that you can run trojan with

sudo -u trojan trojan /path/to/config

Or, if you run trojan as a systemd service, add the following lines to the [Service] section of both trojan.service and trojan@.service:

User=trojan
Group=trojan

Note that if trojan has to bind to a privileged port (below 1024) while running as this unprivileged user, you have to grant the binary the capability:

sudo setcap CAP_NET_BIND_SERVICE=+eip /path/to/trojan

The file capability is lost whenever the binary is replaced, so redo this after every upgrade. Under systemd you can instead put AmbientCapabilities=CAP_NET_BIND_SERVICE in the [Service] section, which grants the capability to the service process without touching the file.

Now we can set iptables rules for user trojan. iptables evaluates a chain top to bottom and stops at the first matching rule, so the exceptions you want to keep (DNS, and the web server on 127.0.0.1:80 that trojan forwards non-trojan traffic to, i.e. its remote_addr/remote_port, which default to 127.0.0.1 and 80) must be appended before the REJECT rules; appended after them they would never match. Note also that --dport is only valid together with -p tcp or -p udp. For example:

sudo iptables -A OUTPUT -m owner --uid-owner trojan -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -m owner --uid-owner trojan -p udp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -m owner --uid-owner trojan -p tcp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -m owner --uid-owner trojan -d 127.0.0.0/8 -p tcp --dport 80 -j ACCEPT
sudo iptables -A OUTPUT -m owner --uid-owner trojan -d 127.0.0.0/8 -j REJECT
sudo iptables -A OUTPUT -m owner --uid-owner trojan -d 192.168.0.0/16 -j REJECT
sudo iptables -A OUTPUT -m owner --uid-owner trojan -d 10.0.0.0/8 -j REJECT

Add a REJECT for 172.16.0.0/12 as well if your LAN uses that range. The owner match only works on locally generated packets, which is exactly what the proxy's outbound connections are. These rules live in memory only; save them with iptables-save (or your distribution's netfilter-persistent) if they should survive a reboot, and they cover IPv4 only: if the server has IPv6 connectivity, repeat the same idea with ip6tables for ::1 and your IPv6 LAN prefixes.
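The whole procedure above as one script, added here as an example; it is not part of the trojan wiki or the trojan project. It assumes the service user is called trojan, that the fallback web server lives on 127.0.0.1:80 and that DNS on port 53 must stay reachable, and it goes slightly beyond the page by also rejecting 172.16.0.0/12 and the link-local range 169.254.0.0/16 (where cloud metadata services usually live). The chain name TROJAN_OUT is my choice. Instead of appending rules to OUTPUT directly, it puts them in a dedicated chain so the script can be re-run safely, and it includes a small offline `verdict` function that walks the same rule list with iptables' first-match semantics, so you can check what a proxied client could reach before touching the live firewall:

```shell
#!/bin/sh
# Added example, not part of the trojan wiki or the trojan project.
# Assumptions (mine, not the page's): the service user is "trojan", the
# fallback web server trojan forwards non-trojan traffic to is 127.0.0.1:80,
# DNS on port 53 must stay reachable, and everything else on loopback,
# RFC 1918 and link-local (169.254.0.0/16, which includes cloud metadata
# endpoints) is rejected. The chain name TROJAN_OUT is my choice.

RULE_USER="${RULE_USER:-trojan}"
CHAIN="${CHAIN:-TROJAN_OUT}"

# Rules for the per-user chain, in the order they must be appended: iptables
# stops at the first match, so the ACCEPT exceptions come before the REJECTs.
# The owner match is applied once, on the jump from OUTPUT into this chain.
build_rules() {
    cat <<'RULES'
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-p udp --dport 53 -j ACCEPT
-p tcp --dport 53 -j ACCEPT
-d 127.0.0.0/8 -p tcp --dport 80 -j ACCEPT
-d 127.0.0.0/8 -j REJECT
-d 10.0.0.0/8 -j REJECT
-d 172.16.0.0/12 -j REJECT
-d 192.168.0.0/16 -j REJECT
-d 169.254.0.0/16 -j REJECT
RULES
}

# Idempotent install: (re)create and flush the chain, make sure OUTPUT jumps
# into it for packets owned by the trojan user, then load the rules.
apply_rules() {
    iptables -N "$CHAIN" 2>/dev/null || iptables -F "$CHAIN"
    iptables -C OUTPUT -m owner --uid-owner "$RULE_USER" -j "$CHAIN" 2>/dev/null ||
        iptables -I OUTPUT -m owner --uid-owner "$RULE_USER" -j "$CHAIN"
    while read -r rule; do
        # word splitting of $rule into separate arguments is intended
        iptables -A "$CHAIN" $rule
    done <<EOF
$(build_rules)
EOF
}

# Dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    printf '%s\n' "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# True if address $1 lies inside CIDR block $2 (e.g. 10.1.2.3 10.0.0.0/8).
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Offline check of what the chain does with a NEW outbound connection
# (proto, destination address, destination port). Mirrors the kernel's
# first-match semantics; the conntrack rule never matches a NEW connection.
# Prints ACCEPT, REJECT, or RETURN (fell through to the rest of OUTPUT).
verdict() {
    proto=$1 dst=$2 port=$3
    while read -r rule; do
        set -- $rule
        match=1
        target=RETURN
        while [ $# -gt 0 ]; do
            case $1 in
                -d)        in_cidr "$dst" "$2" || match=0; shift ;;
                -p)        [ "$2" = "$proto" ] || match=0; shift ;;
                --dport)   [ "$2" = "$port" ] || match=0; shift ;;
                --ctstate) match=0; shift ;;
                -j)        target=$2; shift ;;
            esac
            shift
        done
        if [ "$match" -eq 1 ]; then
            echo "$target"
            return 0
        fi
    done <<EOF
$(build_rules)
EOF
    echo RETURN
}

# Usage:  sh limit-trojan.sh apply                        (as root)
#         sh limit-trojan.sh verdict tcp 127.0.0.1 6379   -> REJECT
#         sh limit-trojan.sh verdict tcp 127.0.0.1 80     -> ACCEPT
case "${1:-}" in
    apply)   apply_rules ;;
    verdict) shift; verdict "$@" ;;
esac
```

RETURN means the packet falls through to whatever the rest of your OUTPUT chain does, normally the ACCEPT policy, which is the intended result for public addresses. Two caveats the script inherits from the rules: the DNS exception lets trojan reach port 53 on any LAN host, so point it at a resolver you trust, and the script only handles IPv4; if the server has IPv6 connectivity, repeat the same structure with ip6tables for ::1 and your local prefixes. Persist the result with iptables-save, since user chains are lost on reboot like any other rule.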