author | Silvio Rhatto <rhatto@riseup.net> | 2020-01-23 13:58:30 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2020-01-23 13:58:30 -0300 |
commit | 480055af9dc335fb1b290b8ffb3a3548f879f3f5 (patch) | |
tree | e0abe1068c58500716454652538041ecc765857f /share/provision/files/tor-transproxy/etc/network | |
parent | 199f37487b76f209a19a4e7ea973a204f58e7369 (diff) | |
download | kvmx-480055af9dc335fb1b290b8ffb3a3548f879f3f5.tar.gz kvmx-480055af9dc335fb1b290b8ffb3a3548f879f3f5.tar.bz2 |
Feat: Provision: Tor Transproxy
Diffstat (limited to 'share/provision/files/tor-transproxy/etc/network')
-rwxr-xr-x | share/provision/files/tor-transproxy/etc/network/if-pre-up.d/iptables | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/share/provision/files/tor-transproxy/etc/network/if-pre-up.d/iptables b/share/provision/files/tor-transproxy/etc/network/if-pre-up.d/iptables
new file mode 100755
index 0000000..68e4501
--- /dev/null
+++ b/share/provision/files/tor-transproxy/etc/network/if-pre-up.d/iptables
@@ -0,0 +1,58 @@
+#!/bin/bash
+#
+# Based on https://lists.torproject.org/pipermail/tor-talk/2014-March/032503.html
+# See also:
+#
+# https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
+#- https://askubuntu.com/questions/324685/how-to-route-all-internet-traffic-through-tor-the-onion-router
+#- https://tor.stackexchange.com/questions/12343/use-iptables-to-force-traffic-through-tor
+#- https://tails.boum.org/contribute/design/Tor_enforcement/Network_filter/
+#- https://git.tails.boum.org/tails/plain/config/chroot_local-includes/etc/ferm/ferm.conf
+#- https://git.tails.boum.org/tails/plain/config/chroot_local-includes/etc/tor/torrc
+#- https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver
+#- https://trac.torproject.org/projects/tor/wiki/doc/PreventingDnsLeaksInTor
+
+# Parameters
+IPTABLES=/sbin/iptables
+TOR_UID=`id -u debian-tor`
+NETWORK_USER_ID=1000
+
+# Clear existing rules
+$IPTABLES -F INPUT || exit
+$IPTABLES -F OUTPUT || exit
+$IPTABLES -t nat -F || exit
+
+# Transproxy rules for Tor
+$IPTABLES -t nat -A OUTPUT ! -d 127.0.0.1 -m owner ! --uid-owner $TOR_UID -p tcp -j REDIRECT --to-ports 9040 || exit
+$IPTABLES -t nat -A OUTPUT -p udp -m owner ! --uid-owner $TOR_UID -m udp --dport 53 -j REDIRECT --to-ports 5353 || exit
+
+# Allow Tor, _apt, root and the network user
+$IPTABLES -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT || exit
+$IPTABLES -A OUTPUT -m owner --uid-owner $NETWORK_USER_ID -j ACCEPT || exit
+$IPTABLES -A OUTPUT -m owner --uid-owner root -j ACCEPT || exit
+$IPTABLES -A OUTPUT -m owner --uid-owner _apt -j ACCEPT || exit
+$IPTABLES -A INPUT -j LOG --log-prefix "OUTPUT DROPPED: " --log-uid || exit
+$IPTABLES -A OUTPUT -j DROP || exit
+
+# Allow SSH
+$IPTABLES -A INPUT -p tcp --dport ssh -j ACCEPT || exit
+
+# Create INPUT firewall. Allow established connections and transproxy
+$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || exit
+$IPTABLES -A INPUT -i lo -j ACCEPT || exit # Transproxy output comes from lo
+$IPTABLES -A INPUT -d 127.0.0.1 -m udp -p udp --dport 5300 -j ACCEPT || exit
+$IPTABLES -A INPUT -j LOG --log-prefix "INPUT DROPPED: " --log-uid || exit
+$IPTABLES -A INPUT -j DROP || exit
+
+# Avoid packet leaks
+# https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html
+#iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
+#iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
+#iptables -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "Transproxy ctstate leak blocked: " --log-uid
+iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP || exit
+iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Transproxy state leak blocked: " --log-uid || exit
+iptables -A OUTPUT -m state --state INVALID -j DROP || exit
+iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j LOG --log-prefix "Transproxy leak blocked: " --log-uid || exit
+iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j LOG --log-prefix "Transproxy leak blocked: " --log-uid || exit
+iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP || exit
+iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP || exit
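Review bot: The LOG rule `$IPTABLES -A INPUT -j LOG --log-prefix "OUTPUT DROPPED: " --log-uid || exit` is appended to INPUT rather than OUTPUT, so it is hit by every inbound packet ahead of the SSH and RELATED,ESTABLISHED ACCEPTs below it, while the unconditional `$IPTABLES -A OUTPUT -j DROP` that follows has no logging at all; the prefix and position suggest it should read `$IPTABLES -A OUTPUT -j LOG --log-prefix "OUTPUT DROPPED: " --log-uid || exit`. The backtick assignment of `TOR_UID` is not checked, so if the debian-tor account is missing the variable is empty and the owner-match rules are built without a uid value, leaving the outcome to iptables' argument parsing instead of an explicit check; `TOR_UID=$(id -u debian-tor) || exit` would fail early. The leak-prevention rules at the end invoke bare `iptables` while the rest of the script uses `$IPTABLES`, which should be made consistent. The DNS REDIRECT targets port 5353 but the loopback INPUT accept is for port 5300; if both are meant to be the same Tor DNSPort one of them looks wrong, though the preceding `-i lo -j ACCEPT` already admits that traffic so the 5300 rule is redundant as written.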