diff options
author | Silvio Rhatto <rhatto@riseup.net> | 2020-11-28 21:09:48 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2020-11-28 21:09:48 -0300 |
commit | 09f88f126bea0e4858f7a193987fea86b23140fa (patch) | |
tree | c40862cdb0c94ecaebedd93bd473d2e42490fc09 /share/provision/files/tor-transproxy/etc | |
parent | 71246ed58e1a95ddeaf7f0bfa8febc8aa11e23bb (diff) | |
download | kvmx-09f88f126bea0e4858f7a193987fea86b23140fa.tar.gz kvmx-09f88f126bea0e4858f7a193987fea86b23140fa.tar.bz2 |
Fix: provision: some refatoring, moving things to trashman
Diffstat (limited to 'share/provision/files/tor-transproxy/etc')
-rwxr-xr-x | share/provision/files/tor-transproxy/etc/network/if-pre-up.d/iptables | 58 | ||||
-rw-r--r-- | share/provision/files/tor-transproxy/etc/tor/torrc | 183 |
2 files changed, 0 insertions, 241 deletions
diff --git a/share/provision/files/tor-transproxy/etc/network/if-pre-up.d/iptables b/share/provision/files/tor-transproxy/etc/network/if-pre-up.d/iptables deleted file mode 100755 index 68e4501..0000000 --- a/share/provision/files/tor-transproxy/etc/network/if-pre-up.d/iptables +++ /dev/null @@ -1,58 +0,0 @@ -#!/bin/bash -# -# Based on https://lists.torproject.org/pipermail/tor-talk/2014-March/032503.html -# See also: -# -# https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy -#- https://askubuntu.com/questions/324685/how-to-route-all-internet-traffic-through-tor-the-onion-router -#- https://tor.stackexchange.com/questions/12343/use-iptables-to-force-traffic-through-tor -#- https://tails.boum.org/contribute/design/Tor_enforcement/Network_filter/ -#- https://git.tails.boum.org/tails/plain/config/chroot_local-includes/etc/ferm/ferm.conf -#- https://git.tails.boum.org/tails/plain/config/chroot_local-includes/etc/tor/torrc -#- https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver -#- https://trac.torproject.org/projects/tor/wiki/doc/PreventingDnsLeaksInTor - -# Parameters -IPTABLES=/sbin/iptables -TOR_UID=`id -u debian-tor` -NETWORK_USER_ID=1000 - -# Clear existing rules -$IPTABLES -F INPUT || exit -$IPTABLES -F OUTPUT || exit -$IPTABLES -t nat -F || exit - -# Transproxy rules for Tor -$IPTABLES -t nat -A OUTPUT ! -d 127.0.0.1 -m owner ! --uid-owner $TOR_UID -p tcp -j REDIRECT --to-ports 9040 || exit -$IPTABLES -t nat -A OUTPUT -p udp -m owner ! --uid-owner $TOR_UID -m udp --dport 53 -j REDIRECT --to-ports 5353 || exit - -# Allow Tor, _apt, root and the network user -$IPTABLES -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT || exit -$IPTABLES -A OUTPUT -m owner --uid-owner $NETWORK_USER_ID -j ACCEPT || exit -$IPTABLES -A OUTPUT -m owner --uid-owner root -j ACCEPT || exit -$IPTABLES -A OUTPUT -m owner --uid-owner _apt -j ACCEPT || exit -$IPTABLES -A INPUT -j LOG --log-prefix "OUTPUT DROPPED: " --log-uid || exit -$IPTABLES -A OUTPUT -j DROP || exit - -# Allow SSH -$IPTABLES -A INPUT -p tcp --dport ssh -j ACCEPT || exit - -# Create INPUT firewall. Allow established connections and transproxy -$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || exit -$IPTABLES -A INPUT -i lo -j ACCEPT || exit # Transproxy output comes from lo -$IPTABLES -A INPUT -d 127.0.0.1 -m udp -p udp --dport 5300 -j ACCEPT || exit -$IPTABLES -A INPUT -j LOG --log-prefix "INPUT DROPPED: " --log-uid || exit -$IPTABLES -A INPUT -j DROP || exit - -# Avoid packet leaks -# https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html -#iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP -#iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP -#iptables -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "Transproxy ctstate leak blocked: " --log-uid -iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP || exit -iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Transproxy state leak blocked: " --log-uid || exit -iptables -A OUTPUT -m state --state INVALID -j DROP || exit -iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j LOG --log-prefix "Transproxy leak blocked: " --log-uid || exit -iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j LOG --log-prefix "Transproxy leak blocked: " --log-uid || exit -iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP || exit -iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP || exit diff --git a/share/provision/files/tor-transproxy/etc/tor/torrc b/share/provision/files/tor-transproxy/etc/tor/torrc deleted file mode 100644 index 2b7369f..0000000 --- a/share/provision/files/tor-transproxy/etc/tor/torrc +++ /dev/null @@ -1,183 +0,0 @@ -## Configuration file for a typical Tor user -## Last updated 22 December 2007 for Tor 0.2.0.14-alpha. -## (May or may not work for much older or much newer versions of Tor.) -## -## Lines that begin with "## " try to explain what's going on. Lines -## that begin with just "#" are disabled commands: you can enable them -## by removing the "#" symbol. -## -## See the man page, or https://www.torproject.org/tor-manual-dev.html, -## for more options you can use in this file. -## -## Tor will look for this file in various places based on your platform: -## http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#torrc - - -## Default SocksPort -SocksPort 127.0.0.1:9050 IsolateDestAddr IsolateDestPort -## SocksPort for Tails-specific applications -SocksPort 127.0.0.1:9062 IsolateDestAddr IsolateDestPort -## SocksPort for the default web browser -SocksPort 127.0.0.1:9150 IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth - -## Entry policies to allow/deny SOCKS requests based on IP address. -## First entry that matches wins. If no SocksPolicy is set, we accept -## all (and only) requests from SocksListenAddress. -#SocksPolicy accept 192.168.0.0/16 -#SocksPolicy reject * - -## Logs go to stdout at level "notice" unless redirected by something -## else, like one of the below lines. You can have as many Log lines as -## you want. -## -## We advise using "notice" in most cases, since anything more verbose -## may provide sensitive information to an attacker who obtains the logs. -## -## Send all messages of level 'notice' or higher to /var/log/tor/notices.log -#Log notice file /var/log/tor/notices.log -## Send every possible message to /var/log/tor/debug.log -#Log debug file /var/log/tor/debug.log -## Use the system log instead of Tor's logfiles -#Log notice syslog -## To send all messages to stderr: -#Log debug stderr - -## Uncomment this to start the process in the background... or use -## --runasdaemon 1 on the command line. This is ignored on Windows; -## see the FAQ entry if you want Tor to run as an NT service. -#RunAsDaemon 1 - -## The directory for keeping all the keys/etc. By default, we store -## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. -#DataDirectory /var/lib/tor - -## The port on which Tor will listen for local connections from Tor -## controller applications, as documented in control-spec.txt. -ControlPort 9052 -ControlListenAddress 127.0.0.1 - -############### This section is just for location-hidden services ### - -## Once you have configured a hidden service, you can look at the -## contents of the file ".../hidden_service/hostname" for the address -## to tell people. -## -## HiddenServicePort x y:z says to redirect requests on port x to the -## address y:z. - -#HiddenServiceDir /var/lib/tor/hidden_service/ -#HiddenServicePort 80 127.0.0.1:80 - -#HiddenServiceDir /var/lib/tor/other_hidden_service/ -#HiddenServicePort 80 127.0.0.1:80 -#HiddenServicePort 22 127.0.0.1:22 - -################ This section is just for relays ##################### -# -## See https://www.torproject.org/docs/tor-doc-relay for details. - -## A unique handle for your server. -#Nickname ididnteditheconfig - -## The IP or FQDN for your server. Leave commented out and Tor will guess. -#Address noname.example.com - -## Define these to limit the bandwidth usage of relayed (server) -## traffic. Your own traffic is still unthrottled. -## Note that RelayBandwidthRate must be at least 20 KB. -#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps) -#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB/s (1600Kbps) - -## Contact info to be published in the directory, so we can contact you -## if your server is misconfigured or something else goes wrong. -#ContactInfo Random Person <nobody AT example dot com> -## You might also include your PGP or GPG fingerprint if you have one: -#ContactInfo 1234D/FFFFFFFF Random Person <nobody AT example dot com> - -## Required: what port to advertise for Tor connections. -#ORPort 9001 -## If you need to listen on a port other than the one advertised -## in ORPort (e.g. to advertise 443 but bind to 9090), uncomment the -## line below too. You'll need to do ipchains or other port forwarding -## yourself to make this work. -#ORListenAddress 0.0.0.0:9090 - -## Uncomment this to mirror directory information for others. Please do -## if you have enough bandwidth. -#DirPort 9030 # what port to advertise for directory connections -## If you need to listen on a port other than the one advertised -## in DirPort (e.g. to advertise 80 but bind to 9091), uncomment the line -## below too. You'll need to do ipchains or other port forwarding yourself -## to make this work. -#DirListenAddress 0.0.0.0:9091 - -## Uncomment this if you run more than one Tor server, and add the -## nickname of each Tor server you control, even if they're on different -## networks. You declare it here so Tor clients can avoid using more than -## one of your servers in a single circuit. See -## http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#MultipleServers -#MyFamily nickname1,nickname2,... - -## A comma-separated list of exit policies. They're considered first -## to last, and the first match wins. If you want to _replace_ -## the default exit policy, end this with either a reject *:* or an -## accept *:*. Otherwise, you're _augmenting_ (prepending to) the -## default exit policy. Leave commented to just use the default, which is -## available in the man page or at https://www.torproject.org/documentation.html -## -## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses -## for issues you might encounter if you use the default exit policy. -## -## If certain IPs and ports are blocked externally, e.g. by your firewall, -## you should update your exit policy to reflect this -- otherwise Tor -## users will be told that those destinations are down. -## -#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more -#ExitPolicy accept *:119 # accept nntp as well as default exit policy -#ExitPolicy reject *:* # no exits allowed -# -################ This section is just for bridge relays ############## -# -## Bridge relays (or "bridges" ) are Tor relays that aren't listed in the -## main directory. Since there is no complete public list of them, even if an -## ISP is filtering connections to all the known Tor relays, they probably -## won't be able to block all the bridges. Unlike running an exit relay, -## running a bridge relay just passes data to and from the Tor network -- -## so it shouldn't expose the operator to abuse complaints. - -#ORPort 443 -#BridgeRelay 1 -#RelayBandwidthRate 50KBytes -#ExitPolicy reject *:* - - -################ Local settings ######################################## - -## Torified DNS -DNSPort 5353 -AutomapHostsOnResolve 1 -AutomapHostsSuffixes .exit,.onion - -## Transparent proxy -TransPort 9040 -TransListenAddress 127.0.0.1 - -## Misc -AvoidDiskWrites 1 - -## We don't care if applications do their own DNS lookups since our Tor -## enforcement will handle it safely. -WarnUnsafeSocks 0 - -## Disable default warnings on StartTLS for email. Let's not train our -## users to click through security warnings. -WarnPlaintextPorts 23,109 - -## Tor 0.3.x logs to syslog by default, which we redirect to the Journal; -## but we have some code that reads Tor's logs and only supports plaintext -## log files at the moment, so let's keep logging to a file. -Log notice file /var/log/tor/log - -# WARNING: Hashed empty password, useful for a box with only a single user running Tor Browser -# using the system-installed tor daemon and with sane firewall rules set. -HashedControlPassword 16:756491A440833A1B609F2CCC095BFD2769A1634B4BEC4214BAA9E20629 |