Updated tutorial for Ubuntu 16.04 LTS compatibility

etc/apt/sources.list

@@ -1,2 +0,0 @@
-deb tor+http://vwakviie2ienjx6t.onion/debian unstable main
-deb tor+http://sdscoq7snqtznauu.onion/torproject.org sid main

etc/nginx/nginx.conf

@@ -64,12 +64,12 @@ http {
 	gzip on;
 	gzip_disable "msie6";
 
-	# gzip_vary on;
+	gzip_vary on;
 	gzip_proxied any;
 	gzip_comp_level 9;
 	# gzip_buffers 16 8k;
 	# gzip_http_version 1.1;
-	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
 
 	##
 	# Virtual Host Configs

etc/postfix/sql/alias.cf

@@ -1,4 +1,4 @@
-user = postfix
+user = hosting
 password = MY_PASSWORD
 hosts = localhost
 dbname = hosting

etc/rc.local

@@ -17,8 +17,13 @@ ip6tables -F
 iptables -t nat -F
 ip6tables -t nat -F
 
+#accept already established connections
+iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 #allow tor traffic
-for tor in 111 `seq 115 146`; do(
+for tor in debian-tor _tor-2 _tor-3 _tor-4 _tor-5 _tor-6 _tor-7 _tor-a _tor-b _tor-c _tor-d _tor-e _tor-f _tor-g _tor-h _tor-i _tor-j _tor-k _tor-l _tor-m _tor-n _tor-o _tor-p _tor-q _tor-r _tor-s _tor-t _tor-u _tor-v _tor-w _tor-x _tor-y _tor-z; do(
 iptables -t nat -A OUTPUT -m owner --uid-owner $tor -j RETURN;
 ip6tables -t nat -A OUTPUT -m owner --uid-owner $tor -j RETURN;
 iptables -A OUTPUT -m owner --uid-owner $tor -j ACCEPT;
@@ -32,6 +37,18 @@ for clearnet in 88.191.68.178 51.15.142.60 51.255.197.148 91.121.181.58; do(
 iptables -t nat -A OUTPUT -p udp --dport 123 -d $clearnet -j RETURN;
 iptables -A OUTPUT -p udp --dport 123 -d $clearnet -j ACCEPT
 )done
+#restrict local communication for php and webserver
+#allowed tcp ports
+for port in 3306 9040 9050 110 143 25 21 5000:5020; do(
+iptables -A OUTPUT -d 127.0.0.0/8 -p tcp --dport $port -m owner --gid-owner www-data -j ACCEPT;
+ip6tables -A OUTPUT -d ::1 -p tcp --dport $port -m owner --gid-owner www-data -j ACCEPT
+)done
+#accept DNS
+iptables -A OUTPUT -d 127.0.0.0/8 -p udp --dport 53 -m owner --gid-owner www-data -j ACCEPT
+ip6tables -A OUTPUT -d ::1 -p udp --dport 53 -m owner --gid-owner www-data -j ACCEPT
+#REJECT all others
+iptables -A OUTPUT -d 127.0.0.0/8 -m owner --gid-owner www-data -j REJECT
+ip6tables -A OUTPUT -d ::1 -m owner --gid-owner www-data -j REJECT
 #unrestricted access to these IPs
 for clearnet in 127.0.0.0/8; do(
 iptables -t nat -A OUTPUT -d $clearnet -j RETURN;
@@ -44,9 +61,6 @@ ip6tables -A OUTPUT -d $clearnet -j ACCEPT;
 #redirect everything else
 iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
 ip6tables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
-#accept established connections
-iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 #allow local communication
 iptables -A OUTPUT -o lo -j ACCEPT
 ip6tables -A OUTPUT -o lo -j ACCEPT
@@ -54,15 +68,12 @@ ip6tables -A OUTPUT -o lo -j ACCEPT
 iptables -A OUTPUT -j REJECT
 ip6tables -A OUTPUT -j REJECT
 
-#uncomment to be able to directly connect with your own IP
+#uncomment to be able to directly connect with your own IP and allow no one else
 #for clearnet in YOUR_IP_HERE;do(
 #iptables -A INPUT -s $clearnet -j ACCEPT;
 #)done
-#allow established connections
-iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-#drop everything else
-iptables -A INPUT -i eth0 -j DROP
-ip6tables -A INPUT -i eth0 -j DROP
+#drop everything else (uncomment after adding your own IP above)
+#iptables -A INPUT -i eth0 -j DROP
+#ip6tables -A INPUT -i eth0 -j DROP
 
 exit 0

etc/resolv.conf

@@ -0,0 +1 @@
+nameserver 127.0.0.1

etc/tor/torrc

@@ -1,34 +1,33 @@
 SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections.
 
 HiddenServiceDir /var/lib/tor/hidden_service/
-HiddenServicePort 80 127.0.0.1:80
-HiddenServicePort 25 127.0.0.1:25
-HiddenServicePort 143 127.0.0.1:143
-HiddenServicePort 110 127.0.0.1:110
-HiddenServicePort 22 127.0.0.1:22
-HiddenServicePort 20 127.0.0.1:20
-HiddenServicePort 21 127.0.0.1:21
-HiddenServicePort 5000 127.0.0.1:5000
-HiddenServicePort 5001 127.0.0.1:5001
-HiddenServicePort 5002 127.0.0.1:5002
-HiddenServicePort 5003 127.0.0.1:5003
-HiddenServicePort 5004 127.0.0.1:5004
-HiddenServicePort 5005 127.0.0.1:5005
-HiddenServicePort 5006 127.0.0.1:5006
-HiddenServicePort 5007 127.0.0.1:5007
-HiddenServicePort 5008 127.0.0.1:5008
-HiddenServicePort 5009 127.0.0.1:5009
-HiddenServicePort 5010 127.0.0.1:5010
-HiddenServicePort 5011 127.0.0.1:5011
-HiddenServicePort 5012 127.0.0.1:5012
-HiddenServicePort 5013 127.0.0.1:5013
-HiddenServicePort 5014 127.0.0.1:5014
-HiddenServicePort 5015 127.0.0.1:5015
-HiddenServicePort 5016 127.0.0.1:5016
-HiddenServicePort 5017 127.0.0.1:5017
-HiddenServicePort 5018 127.0.0.1:5018
-HiddenServicePort 5019 127.0.0.1:5019
-HiddenServicePort 5020 127.0.0.1:5020
+HiddenServicePort 80
+HiddenServicePort 25
+HiddenServicePort 143
+HiddenServicePort 110
+HiddenServicePort 22
+HiddenServicePort 21
+HiddenServicePort 5000
+HiddenServicePort 5001
+HiddenServicePort 5002
+HiddenServicePort 5003
+HiddenServicePort 5004
+HiddenServicePort 5005
+HiddenServicePort 5006
+HiddenServicePort 5007
+HiddenServicePort 5008
+HiddenServicePort 5009
+HiddenServicePort 5010
+HiddenServicePort 5011
+HiddenServicePort 5012
+HiddenServicePort 5013
+HiddenServicePort 5014
+HiddenServicePort 5015
+HiddenServicePort 5016
+HiddenServicePort 5017
+HiddenServicePort 5018
+HiddenServicePort 5019
+HiddenServicePort 5020
 
 VirtualAddrNetworkIPv4 10.192.0.0/10
 VirtualAddrNetworkIPv6 [FC00::]/7
@@ -38,6 +37,6 @@ TransPort [::1]:9040
 DNSPort 53
 DNSPort [::1]:53
 MaxClientCircuitsPending 1024
-NumCPUs 4
+NumCPUs 2
 HardwareAccel 1
 AvoidDiskWrites 1