http://arstechnica.com/security/2015/10/how-the-nsa-can-break-trillions-of-encrypted-web-and-vpn-connections/
Looks like the days of DH 1024 are already over.
I'd go with this one:
https://github.com/claudyus/LXC-Web-Panel
The changes from the other repo have already been committed into claudyus' fork.
@Neo: That may be true from a provider's point of view. But for your own experiments, LXC is da bomb.
If you want to use iptables to weed out large numbers of IP addresses, just use ipset. It hashes IP addresses, which results in a very quick lookup compared to linearly parsed iptables rules. AFAIK you can store up to 2^16 addresses in each ipset list, which should be enough for a Tor exit node...
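The ipset approach from the post above, as an added example that is not part of the original thread: a helper that turns a plain address list into an `ipset restore` file, so one iptables rule can match the whole set. The function names `gen_ipset_restore` and `sample_list`, the set name `blocklist`, and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# gen_ipset_restore SET_NAME < address-list
# Writes `ipset restore` input to stdout. Comments, blank lines, malformed
# entries and duplicates in the list are dropped before anything is loaded.
gen_ipset_restore() {
    set_name=$1
    # maxelem 65536 = 2^16, the per-set size mentioned in the post.
    printf 'create %s hash:ip family inet maxelem 65536\n' "$set_name"
    awk -v set="$set_name" '
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }   # strip comments, whitespace
        $0 == "" { next }
        {
            n = split($0, o, ".")
            ok = (n == 4)
            for (i = 1; ok && i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255)
                    ok = 0
            if (!ok) { print "skipping invalid entry: " $0 | "cat 1>&2"; next }
            if (!seen[$0]++) print "add " set " " $0   # first occurrence only
        }'
}

# Constructed sample input (RFC 5737 documentation addresses).
sample_list() {
    cat <<'EOF'
# constructed blocklist
192.0.2.10
198.51.100.7
192.0.2.10
203.0.113.300
not-an-ip
203.0.113.5   # trailing comment
EOF
}

# Typical use as root (not executed by this script):
#   sample_list | gen_ipset_restore blocklist > /tmp/blocklist.ipset
#   ipset -exist restore < /tmp/blocklist.ipset   # -exist: safe to re-run
#   iptables -I INPUT -m set --match-set blocklist src -j DROP
```

The single `--match-set` rule replaces one iptables rule per address, which is where the lookup-speed difference described in the post comes from.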