oxeo0/selfhosting-blogposts
1
0
Fork 0
mirror of http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/selfhosting-blogposts.git synced 2025-05-16 12:16:59 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
selfhosting-blogposts/torproxy/index.md

638 lines
25 KiB
Markdown
Raw Permalink Blame History

---
search:
exclude: true
---
# torproxy Setup
## **Initial Setup**
![]()
sudo pacman -S tor nyx iptables bleachbit
[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/parrotsec]
→ cat /etc/tor/torrc
[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/trac]
→ cat /etc/tor/torrc
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy
DataDirectory /var/lib/tor
BridgeRelay 1
PublishServerDescriptor 0
ORPort auto
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 127.0.0.1:8042
ExtOrPort auto
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
# Tor Browser SocksPort.
SocksPort 9150 IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth
SocksPort 9151 IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth
TransPort 9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort
SocksPort 9050 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort
ControlPort 9051
DNSPort 127.0.0.1:53
User tor
#use hardware accaleration when possible for crypto
HardwareAccel 1
#
##socket safety hacks
TestSocks 1
AllowNonRFC953Hostnames 0
WarnPlaintextPorts 23,109,110,143,80
#
##dns safety hacks
ClientRejectInternalAddresses 0
#
##circuit hacks
NewCircuitPeriod 40
MaxCircuitDirtiness 600
MaxClientCircuitsPending 48
UseEntryGuards 1
EnforceDistinctSubnets 1
#ExitNodes {jp}
And then we make the following iptables script:
export BLUE='\033[1;94m'
export GREEN='\033[1;92m'
export RED='\033[1;91m'
export RESETCOLOR='\033[1;00m'
# If tor didn't start, we start it
# It is used for startup
if command -v pacman > /dev/null; then
TOR_UID=$(id -u tor)
elif command -v apt > /dev/null; then
TOR_UID=$(id -u debian-tor)
elif command -v dnf > /dev/null; then
TOR_UID=$(id -u toranon)
else
echo "Unknown distro"
exit
fi
TOR_PORT=`cat /etc/tor/torrc | grep TransPort | cut -d " " -f 2 | cut -d ":" -f 2`
DNS_PORT=`cat /etc/tor/torrc | grep DNSPort | cut -d " " -f 2 | cut -d ":" -f 2`
# Init DNS
echo -e "[$GREEN*${RESETCOLOR}]$BLUE Modified resolv.conf to use Tor${RESETCOLOR}"
#/usr/bin/dnstool address 127.0.0.1
sudo systemctl stop vpn
sudo systemctl restart iptables
sudo systemctl restart tor
sudo systemctl stop wg-quick@wg0
sudo iptables -F
#DNS
sudo chattr -i /etc/resolv.conf
sudo cp /home/nothing/Nextcloud/blog/dns/resolv.conf.tor /etc/resolv.conf
sudo chattr +i /etc/resolv.conf
# disable ipv6
echo -e "[$GREEN*${RESETCOLOR}]$BLUE Disabling IPv6 for security reasons${RESETCOLOR}"
sudo /sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo /sbin/sysctl -w net.ipv6.conf.default.disable_ipv6=1
#if ! [ -f /etc/network/iptables.rules ]; then
# /usr/sbin/iptables-save > /etc/network/iptables.rules
# echo -e "[$GREEN*${RESETCOLOR}]$BLUE Saved iptables rules${RESETCOLOR}"
#fi
# Making IPTables rules
sudo /usr/sbin/iptables -F
sudo /usr/sbin/iptables -t nat -F
# set iptables nat
echo -e "[$GREEN*${RESETCOLOR}]$BLUE Configuring iptables rules to route all traffic through tor${RESETCOLOR}"
sudo /usr/sbin/iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
#set dns redirect
echo -e " $GREEN+$BLUE Redirecting DNS traffic through tor${RESETCOLOR}"
sudo /usr/sbin/iptables -t nat -A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
#resolve .onion domains mapping 10.192.0.0/10 address space
sudo /usr/sbin/iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports $TOR_PORT
sudo /usr/sbin/iptables -t nat -A OUTPUT -p udp -d 10.192.0.0/10 -j REDIRECT --to-ports $TOR_PORT
#exclude local addresses
for NET in $TOR_EXCLUDE 127.0.0.0/9 127.128.0.0/10; do
sudo /usr/sbin/iptables -t nat -A OUTPUT -d $NET -j RETURN
sudo /usr/sbin/iptables -A OUTPUT -d "$NET" -j ACCEPT
done
#redirect all other output through TOR
sudo /usr/sbin/iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TOR_PORT
#/usr/sbin/iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports $TOR_PORT
sudo /usr/sbin/iptables -t nat -A OUTPUT -p udp -j REDIRECT --to-ports $TOR_PORT
sudo /usr/sbin/iptables -t nat -A OUTPUT -p icmp -j REDIRECT --to-ports $TOR_PORT
#accept already established connections
sudo /usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow only tor output
echo -e " $GREEN+$BLUE Allowing only tor to browse in clearnet$RESETCOLOR"
sudo /usr/sbin/iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -j REJECT
# TESTING block all incoming traffics
# https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
sudo /usr/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -j DROP
### *filter FORWARD
sudo /usr/sbin/iptables -A FORWARD -j DROP
### *filter OUTPUT
sudo /usr/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
sudo /usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
# Allow Tor process output
sudo iptables -A OUTPUT -m owner --uid-owner $TOR_UID -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
# Allow loopback output
sudo /usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
# iptables 1.8.5 can't use -o with input
# /usr/sbin/iptables -A INPUT -d 127.0.0.1/32 -o lo -j ACCEPT
# Tor transproxy magic
sudo /usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport $TOR_PORT --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
#allow local network traffic:
sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 172.16.0.0-172.31.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 127.0.0.0-127.255.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 172.16.0.0-172.31.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 10.0.0.0-10.255.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 127.0.0.0-127.255.255.255 -j ACCEPT
# Allow OUTPUT to lan hosts in $_non_tor
# Uncomment these 3 lines to enable.
#for _lan in $_non_tor; do
# iptables -A OUTPUT -d $_lan -j ACCEPT
#done
# Log & Drop everything else. Uncomment to enable logging
#iptables -A OUTPUT -j LOG --log-prefix "Dropped OUTPUT packet: " --log-level 7 --log-uid
# /usr/sbin/iptables -A OUTPUT -j DROP
### Set default policies to DROP
# /usr/sbin/iptables -P INPUT DROP
# /usr/sbin/iptables -P FORWARD DROP
# /usr/sbin/iptables -P OUTPUT DROP
### Set default policies to DROP for IPv6
#ip6tables -P INPUT DROP
#ip6tables -P FORWARD DROP
#ip6tables -P OUTPUT DROP
Now in between switching you should kill the dangerous applications like so:
[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/parrotsec]
→ cat cleanup.sh
# Kill processes
killall -q chrome dropbox skype icedove thunderbird firefox firefox-esr chromium xchat hexchat transmission steam firejail
# Remove cache
bleachbit -c adobe_reader.cache chromium.cache chromium.session chromium.history chromium.form_history elinks.history emesene.cache epiphany.cache firefox.cache firefox.crash_reports firefox.url_history firefox.forms flash.cache flash.cookies google_chrome.cache google_chrome.history google_chrome.form_history google_chrome.search_engines google_chrome.session google_earth.temporary_files links2.history opera.cache opera.form_history opera.history &> /dev/null
And now if you have the following torrc you can have a tor transparent proxying:
[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/trac]
→ sudo systemctl restart tor
[ 10.0.0.10/16 ] [ nowhere ] [~]
→ ./security.sh
[+] SECURITY SCRIPT:
[+] 0) Only local ?
[+] 1) VPN over TOR ? (high latency, unlimited bandwidth)
[+] 2) Wireguard to vpn.void.yt ? (3TB/mo, low latency)
[+] 3) Transparent TOR Proxying
3
[sudo] password for nothing:
[*] Modified resolv.conf to use Tor
[*] Disabling IPv6 for security reasons
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
[*] Configuring iptables rules to route all traffic through tor
+ Redirecting DNS traffic through tor
+ Allowing only tor to browse in clearnet
Now if you want to see if this works, you can check out your own ip in firefox:
![](1.png)
Or if you want to check from inside the tor browser since it has much more security hardening than default firefox, do the following to start it up in such a way that it will use the system daemon::
[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/parrotsec]
→ cat torbrowser.sh
#export TOR_CONTROL_COOKIE_AUTH_FILE=/var/run/tor/control.authcookie
export TOR_CONTROL_PORT=9051
export TOR_SOCKS_PORT=9150
export TOR_SKIP_LAUNCH=1
/usr/bin/torbrowser-launcher
[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/parrotsec]
→ ./torbrowser.sh
Tor Browser Launcher
By Micah Lee, licensed under MIT
version 0.3.5
https://github.com/micahflee/torbrowser-launcher
Launching Tor Browser.
Running /home/nothing/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/start-tor-browser.desktop
Launching './Browser/start-tor-browser --detach'...
` ![](2.png)
## **Automation Setup**
Let's make a systemd daemon that, when started, launches a bashscript to start the tor proxying, and when stopped, stops the tor proxying.
[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/final]
→ chmod +x ./torproxy_start.sh
[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/final]
→ cat torproxy_start.sh
#!/bin/bash
# Kill processes
killall -q chrome dropbox skype icedove thunderbird firefox firefox-esr chromium xchat hexchat transmission steam firejail
# Remove cache
bleachbit -c adobe_reader.cache chromium.cache chromium.session chromium.history chromium.form_history elinks.history emesene.cache epiphany.cache firefox.cache firefox.crash_reports firefox.url_history firefox.forms flash.cache flash.cookies google_chrome.cache google_chrome.history google_chrome.form_history google_chrome.search_engines google_chrome.session google_earth.temporary_files links2.history opera.cache opera.form_history opera.history &> /dev/null
sudo systemctl stop wg-quick@wg0
sudo iptables -F
#https://github.com/ParrotSec/anonsurf/blob/c5cc0092dc4ffe7d53b2bb42aebdc00e463cfa84/scripts/anondaemon
export BLUE='\033[1;94m'
export GREEN='\033[1;92m'
export RED='\033[1;91m'
export RESETCOLOR='\033[1;00m'
# If tor didn't start, we start it
# It is used for startup
if command -v pacman > /dev/null; then
TOR_UID=$(id -u tor)
elif command -v apt > /dev/null; then
TOR_UID=$(id -u debian-tor)
elif command -v dnf > /dev/null; then
TOR_UID=$(id -u toranon)
else
echo "Unknown distro"
exit
fi
TOR_PORT=`cat /etc/tor/torrc | grep TransPort | cut -d " " -f 2 | cut -d ":" -f 2`
DNS_PORT=`cat /etc/tor/torrc | grep DNSPort | cut -d " " -f 2 | cut -d ":" -f 2`
# Init DNS
echo -e "[$GREEN*${RESETCOLOR}]$BLUE Modified resolv.conf to use Tor${RESETCOLOR}"
#/usr/bin/dnstool address 127.0.0.1
sudo systemctl stop vpn
sudo systemctl restart iptables
sudo systemctl restart tor
sudo systemctl stop wg-quick@wg0
sudo iptables -F
#DNS
sudo chattr -i /etc/resolv.conf
sudo cp /home/nothing/Nextcloud/blog/dns/resolv.conf.tor /etc/resolv.conf
sudo chattr +i /etc/resolv.conf
# disable ipv6
echo -e "[$GREEN*${RESETCOLOR}]$BLUE Disabling IPv6 for security reasons${RESETCOLOR}"
sudo /sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo /sbin/sysctl -w net.ipv6.conf.default.disable_ipv6=1
#if ! [ -f /etc/network/iptables.rules ]; then
# /usr/sbin/iptables-save > /etc/network/iptables.rules
# echo -e "[$GREEN*${RESETCOLOR}]$BLUE Saved iptables rules${RESETCOLOR}"
#fi
# Making IPTables rules
sudo /usr/sbin/iptables -F
sudo /usr/sbin/iptables -t nat -F
# set iptables nat
echo -e "[$GREEN*${RESETCOLOR}]$BLUE Configuring iptables rules to route all traffic through tor${RESETCOLOR}"
sudo /usr/sbin/iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
#set dns redirect
echo -e " $GREEN+$BLUE Redirecting DNS traffic through tor${RESETCOLOR}"
sudo /usr/sbin/iptables -t nat -A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
#resolve .onion domains mapping 10.192.0.0/10 address space
sudo /usr/sbin/iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports $TOR_PORT
sudo /usr/sbin/iptables -t nat -A OUTPUT -p udp -d 10.192.0.0/10 -j REDIRECT --to-ports $TOR_PORT
#exclude local addresses
for NET in $TOR_EXCLUDE 127.0.0.0/9 127.128.0.0/10; do
sudo /usr/sbin/iptables -t nat -A OUTPUT -d $NET -j RETURN
sudo /usr/sbin/iptables -A OUTPUT -d "$NET" -j ACCEPT
done
#redirect all other output through TOR
sudo /usr/sbin/iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TOR_PORT
#/usr/sbin/iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports $TOR_PORT
sudo /usr/sbin/iptables -t nat -A OUTPUT -p udp -j REDIRECT --to-ports $TOR_PORT
sudo /usr/sbin/iptables -t nat -A OUTPUT -p icmp -j REDIRECT --to-ports $TOR_PORT
#accept already established connections
sudo /usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow only tor output
echo -e " $GREEN+$BLUE Allowing only tor to browse in clearnet$RESETCOLOR"
sudo /usr/sbin/iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -j REJECT
# TESTING block all incoming traffics
# https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
sudo /usr/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -j DROP
### *filter FORWARD
sudo /usr/sbin/iptables -A FORWARD -j DROP
### *filter OUTPUT
sudo /usr/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
sudo /usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
# Allow Tor process output
sudo iptables -A OUTPUT -m owner --uid-owner $TOR_UID -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
# Allow loopback output
sudo /usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
# iptables 1.8.5 can't use -o with input
# /usr/sbin/iptables -A INPUT -d 127.0.0.1/32 -o lo -j ACCEPT
# Tor transproxy magic
sudo /usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport $TOR_PORT --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
#allow local network traffic:
sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 172.16.0.0-172.31.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 127.0.0.0-127.255.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 172.16.0.0-172.31.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 10.0.0.0-10.255.255.255 -j ACCEPT
sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 127.0.0.0-127.255.255.255 -j ACCEPT
[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/final]
→ vim torproxy_stop.sh
[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/final]
→ chmod +x ./torproxy_stop.sh
[ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/final]
→ cat torproxy_stop.sh
#!/bin/bash
# Kill processes
killall -q chrome dropbox skype icedove thunderbird firefox firefox-esr chromium xchat hexchat transmission steam firejail
# Remove cache
bleachbit -c adobe_reader.cache chromium.cache chromium.session chromium.history chromium.form_history elinks.history emesene.cache epiphany.cache firefox.cache firefox.crash_reports firefox.url_history firefox.forms flash.cache flash.cookies google_chrome.cache google_chrome.history google_chrome.form_history google_chrome.search_engines google_chrome.session google_earth.temporary_files links2.history opera.cache opera.form_history opera.history &> /dev/null
sudo iptables -F
And now to write the systemd service:
[ 10.0.0.10/16 ] [ nowhere ] [~]
→ sudo vim /etc/systemd/system/torproxy.service
[ 10.0.0.10/16 ] [ nowhere ] [~]
→ sudo systemctl daemon-reload
[ 10.0.0.10/16 ] [ nowhere ] [~]
→ cat /etc/systemd/system/torproxy.service
[Unit]
Description=Tor Transparent Proxy
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/home/nothing/Nextcloud/blog/Conf/torproxy_start.sh
ExecStop=/home/nothing/Nextcloud/blog/Conf/torproxy_stop.sh
[Install]
WantedBy=multi-user.target
and the modified 2 scripts:
[ 10.0.0.10/16 ] [ nowhere ] [~]
→ cat /home/nothing/Nextcloud/blog/Conf/torproxy_start.sh
#!/bin/bash
# Kill processes
killall -q chrome dropbox skype icedove thunderbird firefox firefox-esr chromium xchat hexchat transmission steam firejail
# Remove cache
bleachbit -c adobe_reader.cache chromium.cache chromium.session chromium.history chromium.form_history elinks.history emesene.cache epiphany.cache firefox.cache firefox.crash_reports firefox.url_history firefox.forms flash.cache flash.cookies google_chrome.cache google_chrome.history google_chrome.form_history google_chrome.search_engines google_chrome.session google_earth.temporary_files links2.history opera.cache opera.form_history opera.history &> /dev/null
systemctl stop wg-quick@wg0
iptables -F
#https://github.com/ParrotSec/anonsurf/blob/c5cc0092dc4ffe7d53b2bb42aebdc00e463cfa84/scripts/anondaemon
export BLUE='\033[1;94m'
export GREEN='\033[1;92m'
export RED='\033[1;91m'
export RESETCOLOR='\033[1;00m'
# If tor didn't start, we start it
# It is used for startup
if command -v pacman > /dev/null; then
TOR_UID=$(id -u tor)
elif command -v apt > /dev/null; then
TOR_UID=$(id -u debian-tor)
elif command -v dnf > /dev/null; then
TOR_UID=$(id -u toranon)
else
echo "Unknown distro"
exit
fi
TOR_PORT=`cat /etc/tor/torrc | grep TransPort | cut -d " " -f 2 | cut -d ":" -f 2`
DNS_PORT=`cat /etc/tor/torrc | grep DNSPort | cut -d " " -f 2 | cut -d ":" -f 2`
# Init DNS
echo -e "[$GREEN*${RESETCOLOR}]$BLUE Modified resolv.conf to use Tor${RESETCOLOR}"
#/usr/bin/dnstool address 127.0.0.1
systemctl stop vpn
systemctl restart iptables
systemctl stop wg-quick@wg0
iptables -F
#DNS
chattr -i /etc/resolv.conf
cp /home/nothing/Nextcloud/blog/dns/resolv.conf.tor /etc/resolv.conf
chattr +i /etc/resolv.conf
# disable ipv6
echo -e "[$GREEN*${RESETCOLOR}]$BLUE Disabling IPv6 for security reasons${RESETCOLOR}"
/sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1
/sbin/sysctl -w net.ipv6.conf.default.disable_ipv6=1
#if ! [ -f /etc/network/iptables.rules ]; then
# /usr/sbin/iptables-save > /etc/network/iptables.rules
# echo -e "[$GREEN*${RESETCOLOR}]$BLUE Saved iptables rules${RESETCOLOR}"
#fi
# Making IPTables rules
/usr/sbin/iptables -F
/usr/sbin/iptables -t nat -F
# set iptables nat
echo -e "[$GREEN*${RESETCOLOR}]$BLUE Configuring iptables rules to route all traffic through tor${RESETCOLOR}"
/usr/sbin/iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
#set dns redirect
echo -e " $GREEN+$BLUE Redirecting DNS traffic through tor${RESETCOLOR}"
/usr/sbin/iptables -t nat -A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
#resolve .onion domains mapping 10.192.0.0/10 address space
/usr/sbin/iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports $TOR_PORT
/usr/sbin/iptables -t nat -A OUTPUT -p udp -d 10.192.0.0/10 -j REDIRECT --to-ports $TOR_PORT
#exclude local addresses
for NET in $TOR_EXCLUDE 127.0.0.0/9 127.128.0.0/10; do
/usr/sbin/iptables -t nat -A OUTPUT -d $NET -j RETURN
/usr/sbin/iptables -A OUTPUT -d "$NET" -j ACCEPT
done
#redirect all other output through TOR
/usr/sbin/iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TOR_PORT
#/usr/sbin/iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports $TOR_PORT
/usr/sbin/iptables -t nat -A OUTPUT -p udp -j REDIRECT --to-ports $TOR_PORT
/usr/sbin/iptables -t nat -A OUTPUT -p icmp -j REDIRECT --to-ports $TOR_PORT
#accept already established connections
/usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow only tor output
echo -e " $GREEN+$BLUE Allowing only tor to browse in clearnet$RESETCOLOR"
/usr/sbin/iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
/usr/sbin/iptables -A OUTPUT -j REJECT
# TESTING block all incoming traffics
# https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A INPUT -j DROP
### *filter FORWARD
/usr/sbin/iptables -A FORWARD -j DROP
### *filter OUTPUT
/usr/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
# Allow Tor process output
iptables -A OUTPUT -m owner --uid-owner $TOR_UID -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
# Allow loopback output
/usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
# iptables 1.8.5 can't use -o with input
# /usr/sbin/iptables -A INPUT -d 127.0.0.1/32 -o lo -j ACCEPT
# Tor transproxy magic
/usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport $TOR_PORT --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
#allow local network traffic:
/usr/sbin/iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 -j ACCEPT
/usr/sbin/iptables -A INPUT -m iprange --src-range 172.16.0.0-172.31.255.255 -j ACCEPT
/usr/sbin/iptables -A INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 -j ACCEPT
/usr/sbin/iptables -A INPUT -m iprange --src-range 127.0.0.0-127.255.255.255 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.255.255 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -m iprange --dst-range 172.16.0.0-172.31.255.255 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -m iprange --dst-range 10.0.0.0-10.255.255.255 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -m iprange --dst-range 127.0.0.0-127.255.255.255 -j ACCEPT
systemctl start tor
[ 10.0.0.10/16 ] [ nowhere ] [~]
→ cat /home/nothing/Nextcloud/blog/Conf/torproxy_stop.sh
#!/bin/bash
# Kill processes
killall -q tor chrome dropbox skype icedove thunderbird firefox firefox-esr chromium xchat hexchat transmission steam firejail
# Remove cache
bleachbit -c adobe_reader.cache chromium.cache chromium.session chromium.history chromium.form_history elinks.history emesene.cache epiphany.cache firefox.cache firefox.crash_reports firefox.url_history firefox.forms flash.cache flash.cookies google_chrome.cache google_chrome.history google_chrome.form_history google_chrome.search_engines google_chrome.session google_earth.temporary_files links2.history opera.cache opera.form_history opera.history &> /dev/null
iptables -F
systemctl restart iptables
Now to test it:
[ 10.0.0.10/16 ] [ nowhere ] [~]
→ sudo systemctl stop torproxy.service
[ 10.0.0.10/16 ] [ nowhere ] [~]
→ sudo systemctl start torproxy.service
Reference in a new issue View git blame Copy permalink