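---
search:
  exclude: true
---
# torproxy Setup

## **Initial Setup**

![]()

```sh
sudo pacman -S tor nyx iptables bleachbit
```

```
[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/parrotsec] → cat /etc/tor/torrc
[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/trac] → cat /etc/tor/torrc
```

```
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy
DataDirectory /var/lib/tor

# Relay-side options: these appear to turn the host into an unpublished
# obfs4 bridge. A transparent-proxy client does not need them, and the
# INPUT DROP rule in the script below blocks inbound connections anyway.
BridgeRelay 1
PublishServerDescriptor 0
ORPort auto
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 127.0.0.1:8042
ExtOrPort auto

# .onion names resolved via DNSPort get a fake address out of this range;
# the iptables rules below hand that range to TransPort.
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1

# Tor Browser SocksPort.
SocksPort 9150 IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth
SocksPort 9151 IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth
# Entry point for the iptables REDIRECT rules. TransPort is TCP only.
TransPort 9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort
SocksPort 9050 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort
# NOTE(review): no CookieAuthentication / HashedControlPassword is set, so
# any local process can attach to 9051 and reconfigure tor or read its
# circuit state. Set "CookieAuthentication 1" and point Tor Browser at the
# cookie (see torbrowser.sh further down) once your user can read it.
ControlPort 9051
# Binding port 53 as "User tor" relies on the service unit granting
# CAP_NET_BIND_SERVICE -- verify if tor fails to start.
DNSPort 127.0.0.1:53
User tor
#use hardware acceleration when possible for crypto
HardwareAccel 1
#
##socket safety hacks
TestSocks 1
AllowNonRFC953Hostnames 0
WarnPlaintextPorts 23,109,110,143,80
#
##dns safety hacks
# This was 0, which switches OFF tor's refusal to connect to internal
# addresses (127.0.0.1, 192.168.x.x, ...) through an exit. Keep the
# default of 1: an exit must not be able to steer you onto your own LAN.
ClientRejectInternalAddresses 1
#
##circuit hacks
NewCircuitPeriod 40
MaxCircuitDirtiness 600
MaxClientCircuitsPending 48
UseEntryGuards 1
EnforceDistinctSubnets 1
#ExitNodes {jp}
```

And then we make the following iptables script:

```bash
#!/bin/bash
# Transparent Tor proxy: send every outbound TCP connection and every DNS
# query from this host into the local tor daemon and reject everything
# else. Derived from ParrotSec anonsurf's anondaemon. Uses sudo for the
# privileged steps.
set -u

export BLUE='\033[1;94m'
export GREEN='\033[1;92m'
export RED='\033[1;91m'
export RESETCOLOR='\033[1;00m'

# Resolve the uid the tor daemon runs as; the account name differs per
# distro family. That uid is the only thing allowed to reach the clearnet
# below, so we cannot continue without it.
if command -v pacman > /dev/null; then
  TOR_UID=$(id -u tor)
elif command -v apt > /dev/null; then
  TOR_UID=$(id -u debian-tor)
elif command -v dnf > /dev/null; then
  TOR_UID=$(id -u toranon)
else
  echo "Unknown distro" >&2
  exit 1
fi
if [ -z "${TOR_UID:-}" ]; then
  echo "Could not determine the tor user's uid" >&2
  exit 1
fi

# Read TransPort / DNSPort from torrc. Only uncommented lines count, and an
# optional "addr:" prefix is stripped (DNSPort is written as 127.0.0.1:53).
TOR_PORT=$(awk '$1 == "TransPort" { sub(/.*:/, "", $2); print $2; exit }' /etc/tor/torrc)
DNS_PORT=$(awk '$1 == "DNSPort" { sub(/.*:/, "", $2); print $2; exit }' /etc/tor/torrc)
if [ -z "$TOR_PORT" ] || [ -z "$DNS_PORT" ]; then
  echo "TransPort / DNSPort not found in /etc/tor/torrc" >&2
  exit 1
fi

# Init DNS
echo -e "[$GREEN*${RESETCOLOR}]$BLUE Modified resolv.conf to use Tor${RESETCOLOR}"
#/usr/bin/dnstool address 127.0.0.1
sudo systemctl stop vpn
sudo systemctl stop wg-quick@wg0
sudo systemctl restart iptables
sudo systemctl restart tor

#DNS
# Keep a copy of the pre-Tor resolver config so it can be restored later.
# Only taken when no backup exists yet, so a re-run never saves the Tor one.
if [ ! -f /etc/resolv.conf.torproxy.bak ]; then
  sudo cp -a /etc/resolv.conf /etc/resolv.conf.torproxy.bak
fi
sudo chattr -i /etc/resolv.conf
# The source file lives in a user-writable, cloud-synced directory and is
# copied into /etc as root -- keep that in mind when deciding who may write
# there. A failed copy is not fatal: the UDP/53 redirect below sends
# queries for any resolver to tor anyway.
sudo cp /home/nothing/Nextcloud/blog/dns/resolv.conf.tor /etc/resolv.conf \
  || echo -e "[$RED!${RESETCOLOR}] resolv.conf.tor missing, resolver file left unchanged" >&2
sudo chattr +i /etc/resolv.conf

# disable ipv6
# There are no ip6tables rules at all, so switching IPv6 off is the only
# thing stopping IPv6 traffic from bypassing the IPv4 redirect below.
echo -e "[$GREEN*${RESETCOLOR}]$BLUE Disabling IPv6 for security reasons${RESETCOLOR}"
sudo /sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo /sbin/sysctl -w net.ipv6.conf.default.disable_ipv6=1

#if ! [ -f /etc/network/iptables.rules ]; then
#  /usr/sbin/iptables-save > /etc/network/iptables.rules
#  echo -e "[$GREEN*${RESETCOLOR}]$BLUE Saved iptables rules${RESETCOLOR}"
#fi

# Making IPTables rules
# Flushing while the chain policies are still ACCEPT opens a short
# fail-open window until the terminal REJECT below is appended. Closing it
# means setting the policies to DROP first (see the commented block at the
# end) and resetting them in whatever script undoes this one.
sudo /usr/sbin/iptables -F
sudo /usr/sbin/iptables -t nat -F

# set iptables nat
echo -e "[$GREEN*${RESETCOLOR}]$BLUE Configuring iptables rules to route all traffic through tor${RESETCOLOR}"
# tor's own connections (to guards / bridges) must not be redirected into tor.
sudo /usr/sbin/iptables -t nat -A OUTPUT -m owner --uid-owner "$TOR_UID" -j RETURN

#set dns redirect
echo -e " $GREEN+$BLUE Redirecting DNS traffic through tor${RESETCOLOR}"
# Every UDP DNS query, whichever resolver it was aimed at, goes to tor's
# DNSPort. The previous "-d 127.0.0.1/32" restriction made this rule a
# no-op: queries to any other resolver fell through to the TransPort
# redirect, which does not speak UDP, and simply failed.
sudo /usr/sbin/iptables -t nat -A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"

#resolve .onion domains mapping 10.192.0.0/10 address space
sudo /usr/sbin/iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports "$TOR_PORT"
sudo /usr/sbin/iptables -t nat -A OUTPUT -p udp -d 10.192.0.0/10 -j REDIRECT --to-ports "$TOR_PORT"

#exclude local addresses
# NB: 127.0.0.0/9 + 127.128.0.0/10 end at 127.191.255.255; the rest of
# 127/8 is still redirected. This matches upstream anonsurf.
for NET in ${TOR_EXCLUDE:-} 127.0.0.0/9 127.128.0.0/10; do
  sudo /usr/sbin/iptables -t nat -A OUTPUT -d "$NET" -j RETURN
  sudo /usr/sbin/iptables -A OUTPUT -d "$NET" -j ACCEPT
done

#redirect all other output through TOR
sudo /usr/sbin/iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports "$TOR_PORT"
#/usr/sbin/iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports $TOR_PORT
# TransPort is TCP only: UDP and ICMP sent there are effectively
# black-holed, which is the intent (nothing but tor reaches the network).
sudo /usr/sbin/iptables -t nat -A OUTPUT -p udp -j REDIRECT --to-ports "$TOR_PORT"
sudo /usr/sbin/iptables -t nat -A OUTPUT -p icmp -j REDIRECT --to-ports "$TOR_PORT"

#accept already established connections
sudo /usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow only tor output
echo -e " $GREEN+$BLUE Allowing only tor to browse in clearnet$RESETCOLOR"
sudo /usr/sbin/iptables -A OUTPUT -m owner --uid-owner "$TOR_UID" -j ACCEPT
# Terminal rule for OUTPUT: anything not accepted above is rejected.
sudo /usr/sbin/iptables -A OUTPUT -j REJECT

# TESTING block all incoming traffics
# https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
sudo /usr/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
# Terminal rule for INPUT.
sudo /usr/sbin/iptables -A INPUT -j DROP

### *filter FORWARD
sudo /usr/sbin/iptables -A FORWARD -j DROP

# --- Everything from here on is appended AFTER the terminal REJECT / DROP
# rules above and is therefore never evaluated. It is kept because it
# mirrors the upstream anonsurf rule set. If you really want LAN access,
# it would also need a nat RETURN (the TOR_EXCLUDE loop) -- that is a
# deliberate clearnet bypass, so think before adding it. ---
### *filter OUTPUT
sudo /usr/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
sudo /usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
# Allow Tor process output
sudo iptables -A OUTPUT -m owner --uid-owner "$TOR_UID" -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
# Allow loopback output
sudo /usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
# iptables 1.8.5 can't use -o with input
# /usr/sbin/iptables -A INPUT -d 127.0.0.1/32 -o lo -j ACCEPT
# Tor transproxy magic
sudo /usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport "$TOR_PORT" --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
#allow local network traffic:
sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 172.16.0.0-172.31.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 127.0.0.0-127.255.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 172.16.0.0-172.31.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 10.0.0.0-10.255.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 127.0.0.0-127.255.255.255 -j ACCEPT

# Allow OUTPUT to lan hosts in $_non_tor
# Uncomment these 3 lines to enable.
#for _lan in $_non_tor; do
#  iptables -A OUTPUT -d $_lan -j ACCEPT
#done

# Log & Drop everything else. Uncomment to enable logging
#iptables -A OUTPUT -j LOG --log-prefix "Dropped OUTPUT packet: " --log-level 7 --log-uid
# /usr/sbin/iptables -A OUTPUT -j DROP

### Set default policies to DROP
# /usr/sbin/iptables -P INPUT DROP
# /usr/sbin/iptables -P FORWARD DROP
# /usr/sbin/iptables -P OUTPUT DROP

### Set default policies to DROP for IPv6
#ip6tables -P INPUT DROP
#ip6tables -P FORWARD DROP
#ip6tables -P OUTPUT DROP
```

Now, in between switching, you should kill the applications that could leak identifying traffic or state, like so:

```
[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/parrotsec] → cat cleanup.sh
```

```bash
# Kill processes
killall -q chrome dropbox skype icedove thunderbird firefox firefox-esr chromium xchat hexchat transmission steam firejail

# Remove cache
bleachbit -c adobe_reader.cache chromium.cache chromium.session chromium.history chromium.form_history elinks.history emesene.cache epiphany.cache firefox.cache firefox.crash_reports firefox.url_history firefox.forms flash.cache flash.cookies google_chrome.cache google_chrome.history google_chrome.form_history google_chrome.search_engines google_chrome.session google_earth.temporary_files links2.history opera.cache opera.form_history opera.history &> /dev/null
```

With the torrc above in place, restart tor and run the script to get transparent Tor proxying:

```
[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/trac] → sudo systemctl restart tor

[ 10.0.0.10/16 ] [ nowhere ] [~] → ./security.sh
[+] SECURITY SCRIPT:
[+] 0) Only local ?
[+] 1) VPN over TOR ? (high latency, unlimited bandwidth)
[+] 2) Wireguard to vpn.void.yt ? (3TB/mo, low latency)
[+] 3) Transparent TOR Proxying
3
[sudo] password for nothing:
[*] Modified resolv.conf to use Tor
[*] Disabling IPv6 for security reasons
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
[*] Configuring iptables rules to route all traffic through tor
 + Redirecting DNS traffic through tor
 + Allowing only tor to browse in clearnet
```

Now, if you want to see whether this works, check your own IP in Firefox:

![](1.png)

Or, if you want to check from inside the Tor Browser (it is much more hardened than a default Firefox), start it as follows so that it uses the system tor daemon instead of launching its own:

```
[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/parrotsec] → cat torbrowser.sh
```

```bash
# Start Tor Browser against the system tor daemon configured above.
# The control-port cookie is left commented out because torrc does not
# enable CookieAuthentication; if you turn that on, uncomment this line
# and make sure your user can read the cookie file.
#export TOR_CONTROL_COOKIE_AUTH_FILE=/var/run/tor/control.authcookie
export TOR_CONTROL_PORT=9051
export TOR_SOCKS_PORT=9150
# Do not spawn Tor Browser's bundled tor; use the daemon on the ports above.
export TOR_SKIP_LAUNCH=1
/usr/bin/torbrowser-launcher
```

```
[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/parrotsec] → ./torbrowser.sh
Tor Browser Launcher
By Micah Lee, licensed under MIT
version 0.3.5
https://github.com/micahflee/torbrowser-launcher
Launching Tor Browser.
Running /home/nothing/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/start-tor-browser.desktop
Launching './Browser/start-tor-browser --detach'...
```

![](2.png)

## **Automation Setup**

Let's make a systemd service that, when started, runs a bash script to start the Tor proxying, and, when stopped, runs another one that stops it.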
[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/final] → chmod +x ./torproxy_start.sh [ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/final] → cat torproxy_start.sh #!/bin/bash # Kill processes killall -q chrome dropbox skype icedove thunderbird firefox firefox-esr chromium xchat hexchat transmission steam firejail # Remove cache bleachbit -c adobe_reader.cache chromium.cache chromium.session chromium.history chromium.form_history elinks.history emesene.cache epiphany.cache firefox.cache firefox.crash_reports firefox.url_history firefox.forms flash.cache flash.cookies google_chrome.cache google_chrome.history google_chrome.form_history google_chrome.search_engines google_chrome.session google_earth.temporary_files links2.history opera.cache opera.form_history opera.history &> /dev/null sudo systemctl stop wg-quick@wg0 sudo iptables -F #https://github.com/ParrotSec/anonsurf/blob/c5cc0092dc4ffe7d53b2bb42aebdc00e463cfa84/scripts/anondaemon export BLUE='\033[1;94m' export GREEN='\033[1;92m' export RED='\033[1;91m' export RESETCOLOR='\033[1;00m' # If tor didn't start, we start it # It is used for startup if command -v pacman > /dev/null; then TOR_UID=$(id -u tor) elif command -v apt > /dev/null; then TOR_UID=$(id -u debian-tor) elif command -v dnf > /dev/null; then TOR_UID=$(id -u toranon) else echo "Unknown distro" exit fi TOR_PORT=`cat /etc/tor/torrc | grep TransPort | cut -d " " -f 2 | cut -d ":" -f 2` DNS_PORT=`cat /etc/tor/torrc | grep DNSPort | cut -d " " -f 2 | cut -d ":" -f 2` # Init DNS echo -e "[$GREEN*${RESETCOLOR}]$BLUE Modified resolv.conf to use Tor${RESETCOLOR}" #/usr/bin/dnstool address 127.0.0.1 sudo systemctl stop vpn sudo systemctl restart iptables sudo systemctl restart tor sudo systemctl stop wg-quick@wg0 sudo iptables -F #DNS sudo chattr -i /etc/resolv.conf sudo cp /home/nothing/Nextcloud/blog/dns/resolv.conf.tor /etc/resolv.conf sudo chattr +i /etc/resolv.conf # disable ipv6 echo -e "[$GREEN*${RESETCOLOR}]$BLUE Disabling IPv6 for security reasons${RESETCOLOR}" 
sudo /sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1 sudo /sbin/sysctl -w net.ipv6.conf.default.disable_ipv6=1 #if ! [ -f /etc/network/iptables.rules ]; then # /usr/sbin/iptables-save > /etc/network/iptables.rules # echo -e "[$GREEN*${RESETCOLOR}]$BLUE Saved iptables rules${RESETCOLOR}" #fi # Making IPTables rules sudo /usr/sbin/iptables -F sudo /usr/sbin/iptables -t nat -F # set iptables nat echo -e "[$GREEN*${RESETCOLOR}]$BLUE Configuring iptables rules to route all traffic through tor${RESETCOLOR}" sudo /usr/sbin/iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN #set dns redirect echo -e " $GREEN+$BLUE Redirecting DNS traffic through tor${RESETCOLOR}" sudo /usr/sbin/iptables -t nat -A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports $DNS_PORT #resolve .onion domains mapping 10.192.0.0/10 address space sudo /usr/sbin/iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports $TOR_PORT sudo /usr/sbin/iptables -t nat -A OUTPUT -p udp -d 10.192.0.0/10 -j REDIRECT --to-ports $TOR_PORT #exclude local addresses for NET in $TOR_EXCLUDE 127.0.0.0/9 127.128.0.0/10; do sudo /usr/sbin/iptables -t nat -A OUTPUT -d $NET -j RETURN sudo /usr/sbin/iptables -A OUTPUT -d "$NET" -j ACCEPT done #redirect all other output through TOR sudo /usr/sbin/iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TOR_PORT #/usr/sbin/iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports $TOR_PORT sudo /usr/sbin/iptables -t nat -A OUTPUT -p udp -j REDIRECT --to-ports $TOR_PORT sudo /usr/sbin/iptables -t nat -A OUTPUT -p icmp -j REDIRECT --to-ports $TOR_PORT #accept already established connections sudo /usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #allow only tor output echo -e " $GREEN+$BLUE Allowing only tor to browse in clearnet$RESETCOLOR" sudo /usr/sbin/iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT sudo /usr/sbin/iptables -A OUTPUT -j REJECT # TESTING block all incoming traffics # 
https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy sudo /usr/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT sudo /usr/sbin/iptables -A INPUT -i lo -j ACCEPT sudo /usr/sbin/iptables -A INPUT -j DROP ### *filter FORWARD sudo /usr/sbin/iptables -A FORWARD -j DROP ### *filter OUTPUT sudo /usr/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP sudo /usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT # Allow Tor process output sudo iptables -A OUTPUT -m owner --uid-owner $TOR_UID -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT # Allow loopback output sudo /usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT # iptables 1.8.5 can't use -o with input # /usr/sbin/iptables -A INPUT -d 127.0.0.1/32 -o lo -j ACCEPT # Tor transproxy magic sudo /usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport $TOR_PORT --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT #allow local network traffic: sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 -j ACCEPT sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 172.16.0.0-172.31.255.255 -j ACCEPT sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 -j ACCEPT sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 127.0.0.0-127.255.255.255 -j ACCEPT sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.255.255 -j ACCEPT sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 172.16.0.0-172.31.255.255 -j ACCEPT sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 10.0.0.0-10.255.255.255 -j ACCEPT sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 127.0.0.0-127.255.255.255 -j ACCEPT [ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/final] → vim torproxy_stop.sh [ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/final] → chmod +x ./torproxy_stop.sh [ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/final] → cat torproxy_stop.sh #!/bin/bash # Kill processes killall -q chrome dropbox skype 
icedove thunderbird firefox firefox-esr chromium xchat hexchat transmission steam firejail # Remove cache bleachbit -c adobe_reader.cache chromium.cache chromium.session chromium.history chromium.form_history elinks.history emesene.cache epiphany.cache firefox.cache firefox.crash_reports firefox.url_history firefox.forms flash.cache flash.cookies google_chrome.cache google_chrome.history google_chrome.form_history google_chrome.search_engines google_chrome.session google_earth.temporary_files links2.history opera.cache opera.form_history opera.history &> /dev/null sudo iptables -F And now to write the systemd service: [ 10.0.0.10/16 ] [ nowhere ] [~] → sudo vim /etc/systemd/system/torproxy.service [ 10.0.0.10/16 ] [ nowhere ] [~] → sudo systemctl daemon-reload [ 10.0.0.10/16 ] [ nowhere ] [~] → cat /etc/systemd/system/torproxy.service [Unit] Description=Tor Transparent Proxy After=network-online.target Wants=network-online.target [Service] Type=oneshot RemainAfterExit=true ExecStart=/home/nothing/Nextcloud/blog/Conf/torproxy_start.sh ExecStop=/home/nothing/Nextcloud/blog/Conf/torproxy_stop.sh [Install] WantedBy=multi-user.target and the modified 2 scripts: [ 10.0.0.10/16 ] [ nowhere ] [~] → cat /home/nothing/Nextcloud/blog/Conf/torproxy_start.sh #!/bin/bash # Kill processes killall -q chrome dropbox skype icedove thunderbird firefox firefox-esr chromium xchat hexchat transmission steam firejail # Remove cache bleachbit -c adobe_reader.cache chromium.cache chromium.session chromium.history chromium.form_history elinks.history emesene.cache epiphany.cache firefox.cache firefox.crash_reports firefox.url_history firefox.forms flash.cache flash.cookies google_chrome.cache google_chrome.history google_chrome.form_history google_chrome.search_engines google_chrome.session google_earth.temporary_files links2.history opera.cache opera.form_history opera.history &> /dev/null systemctl stop wg-quick@wg0 iptables -F 
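```bash
#https://github.com/ParrotSec/anonsurf/blob/c5cc0092dc4ffe7d53b2bb42aebdc00e463cfa84/scripts/anondaemon
# (continuation of torproxy_start.sh) -- build the Tor-only firewall and
# then start tor. Runs as root under systemd, so no sudo.
set -u

export BLUE='\033[1;94m'
export GREEN='\033[1;92m'
export RED='\033[1;91m'
export RESETCOLOR='\033[1;00m'

# Resolve the uid the tor daemon runs as; the account name differs per
# distro family. Only that uid may reach the clearnet, so bail out
# without it.
if command -v pacman > /dev/null; then
  TOR_UID=$(id -u tor)
elif command -v apt > /dev/null; then
  TOR_UID=$(id -u debian-tor)
elif command -v dnf > /dev/null; then
  TOR_UID=$(id -u toranon)
else
  echo "Unknown distro" >&2
  exit 1
fi
if [ -z "${TOR_UID:-}" ]; then
  echo "Could not determine the tor user's uid" >&2
  exit 1
fi

# Read TransPort / DNSPort from torrc: uncommented lines only, with any
# "addr:" prefix stripped (DNSPort is written as 127.0.0.1:53).
TOR_PORT=$(awk '$1 == "TransPort" { sub(/.*:/, "", $2); print $2; exit }' /etc/tor/torrc)
DNS_PORT=$(awk '$1 == "DNSPort" { sub(/.*:/, "", $2); print $2; exit }' /etc/tor/torrc)
if [ -z "$TOR_PORT" ] || [ -z "$DNS_PORT" ]; then
  echo "TransPort / DNSPort not found in /etc/tor/torrc" >&2
  exit 1
fi

# Init DNS
echo -e "[$GREEN*${RESETCOLOR}]$BLUE Modified resolv.conf to use Tor${RESETCOLOR}"
#/usr/bin/dnstool address 127.0.0.1
systemctl stop vpn
systemctl stop wg-quick@wg0
systemctl restart iptables

#DNS
# Save the pre-Tor resolver config once so torproxy_stop.sh can put it back.
if [ ! -f /etc/resolv.conf.torproxy.bak ]; then
  cp -a /etc/resolv.conf /etc/resolv.conf.torproxy.bak
fi
chattr -i /etc/resolv.conf
# Source file is user-writable and cloud-synced but copied into /etc as
# root. A failed copy is not fatal: the UDP/53 redirect below sends
# queries for any resolver to tor anyway.
cp /home/nothing/Nextcloud/blog/dns/resolv.conf.tor /etc/resolv.conf \
  || echo -e "[$RED!${RESETCOLOR}] resolv.conf.tor missing, resolver file left unchanged" >&2
chattr +i /etc/resolv.conf

# disable ipv6
# No ip6tables rules exist, so disabling IPv6 is what keeps IPv6 traffic
# from bypassing the IPv4 redirect.
echo -e "[$GREEN*${RESETCOLOR}]$BLUE Disabling IPv6 for security reasons${RESETCOLOR}"
/sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1
/sbin/sysctl -w net.ipv6.conf.default.disable_ipv6=1

#if ! [ -f /etc/network/iptables.rules ]; then
#  /usr/sbin/iptables-save > /etc/network/iptables.rules
#  echo -e "[$GREEN*${RESETCOLOR}]$BLUE Saved iptables rules${RESETCOLOR}"
#fi

# Making IPTables rules
# Flushing while the policies are still ACCEPT leaves a short fail-open
# window until the terminal REJECT below is appended; closing it means
# DROP policies first and resetting them in torproxy_stop.sh.
/usr/sbin/iptables -F
/usr/sbin/iptables -t nat -F

# set iptables nat
echo -e "[$GREEN*${RESETCOLOR}]$BLUE Configuring iptables rules to route all traffic through tor${RESETCOLOR}"
# tor's own connections must not be redirected back into tor.
/usr/sbin/iptables -t nat -A OUTPUT -m owner --uid-owner "$TOR_UID" -j RETURN

#set dns redirect
echo -e " $GREEN+$BLUE Redirecting DNS traffic through tor${RESETCOLOR}"
# All UDP DNS, whatever resolver it targets, goes to tor's DNSPort. The old
# "-d 127.0.0.1/32" form was a no-op: other resolvers fell through to the
# TransPort redirect, which does not speak UDP, and just failed.
/usr/sbin/iptables -t nat -A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"

#resolve .onion domains mapping 10.192.0.0/10 address space
/usr/sbin/iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports "$TOR_PORT"
/usr/sbin/iptables -t nat -A OUTPUT -p udp -d 10.192.0.0/10 -j REDIRECT --to-ports "$TOR_PORT"

#exclude local addresses
# NB: these two ranges stop at 127.191.255.255; the rest of 127/8 is still
# redirected, as in upstream anonsurf.
for NET in ${TOR_EXCLUDE:-} 127.0.0.0/9 127.128.0.0/10; do
  /usr/sbin/iptables -t nat -A OUTPUT -d "$NET" -j RETURN
  /usr/sbin/iptables -A OUTPUT -d "$NET" -j ACCEPT
done

#redirect all other output through TOR
/usr/sbin/iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports "$TOR_PORT"
#/usr/sbin/iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports $TOR_PORT
# TransPort is TCP only: UDP and ICMP sent there are effectively black-holed.
/usr/sbin/iptables -t nat -A OUTPUT -p udp -j REDIRECT --to-ports "$TOR_PORT"
/usr/sbin/iptables -t nat -A OUTPUT -p icmp -j REDIRECT --to-ports "$TOR_PORT"

#accept already established connections
/usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow only tor output
echo -e " $GREEN+$BLUE Allowing only tor to browse in clearnet$RESETCOLOR"
/usr/sbin/iptables -A OUTPUT -m owner --uid-owner "$TOR_UID" -j ACCEPT
# Terminal rule for OUTPUT.
/usr/sbin/iptables -A OUTPUT -j REJECT

# TESTING block all incoming traffics
# https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
# Terminal rule for INPUT.
/usr/sbin/iptables -A INPUT -j DROP

### *filter FORWARD
/usr/sbin/iptables -A FORWARD -j DROP

# --- Everything below is appended after the terminal REJECT / DROP rules
# and is never evaluated. Kept to mirror upstream anonsurf. Real LAN access
# would also need a nat RETURN (TOR_EXCLUDE), i.e. a deliberate clearnet
# bypass -- think before adding it. ---
### *filter OUTPUT
/usr/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
# Allow Tor process output
iptables -A OUTPUT -m owner --uid-owner "$TOR_UID" -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
# Allow loopback output
/usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
# iptables 1.8.5 can't use -o with input
# /usr/sbin/iptables -A INPUT -d 127.0.0.1/32 -o lo -j ACCEPT
# Tor transproxy magic
/usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport "$TOR_PORT" --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
#allow local network traffic:
/usr/sbin/iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 -j ACCEPT
/usr/sbin/iptables -A INPUT -m iprange --src-range 172.16.0.0-172.31.255.255 -j ACCEPT
/usr/sbin/iptables -A INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 -j ACCEPT
/usr/sbin/iptables -A INPUT -m iprange --src-range 127.0.0.0-127.255.255.255 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.255.255 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -m iprange --dst-range 172.16.0.0-172.31.255.255 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -m iprange --dst-range 10.0.0.0-10.255.255.255 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -m iprange --dst-range 127.0.0.0-127.255.255.255 -j ACCEPT

# Start tor last, once the only path to the network is through it.
systemctl start tor
```

```
[ 10.0.0.10/16 ] [ nowhere ] [~] → cat /home/nothing/Nextcloud/blog/Conf/torproxy_stop.sh
```

```bash
#!/bin/bash
# torproxy_stop.sh (systemd ExecStop, runs as root): undo torproxy_start.sh.
# Being root here also means bleachbit cleans root's profiles, not the
# desktop user's.

# Kill processes
killall -q chrome dropbox skype icedove thunderbird firefox firefox-esr chromium xchat hexchat transmission steam firejail

# Remove cache
bleachbit -c adobe_reader.cache chromium.cache chromium.session chromium.history chromium.form_history elinks.history emesene.cache epiphany.cache firefox.cache firefox.crash_reports firefox.url_history firefox.forms flash.cache flash.cookies google_chrome.cache google_chrome.history google_chrome.form_history google_chrome.search_engines google_chrome.session google_earth.temporary_files links2.history opera.cache opera.form_history opera.history &> /dev/null

# Stop tor through systemd rather than "killall tor": the start script
# started it with systemctl, and a SIGTERM'd tor may be restarted by its
# unit or be left in the "failed" state.
systemctl stop tor

# Flush BOTH tables. A bare "iptables -F" only clears the filter table and
# left the nat REDIRECT rules in place, so with tor stopped every
# connection was still sent to a dead port.
iptables -F
iptables -t nat -F

# Give DNS back: drop the immutable bit and restore the resolver config
# saved by torproxy_start.sh, if there is one. IPv6 stays disabled; turn
# it back on with sysctl if you need it.
chattr -i /etc/resolv.conf
if [ -f /etc/resolv.conf.torproxy.bak ]; then
  cp -a /etc/resolv.conf.torproxy.bak /etc/resolv.conf
fi

# On Arch this reloads the ruleset saved in /etc/iptables/iptables.rules.
systemctl restart iptables
```

Now to test it:

```
[ 10.0.0.10/16 ] [ nowhere ] [~] → sudo systemctl stop torproxy.service
[ 10.0.0.10/16 ] [ nowhere ] [~] → sudo systemctl start torproxy.service
```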