Feat: Provision: Tor Transproxy

3 files changed, 278 insertions, 0 deletions

diff --git a/share/provision/files/tor-transproxy/etc/network/if-pre-up.d/iptables b/share/provision/files/tor-transproxy/etc/network/if-pre-up.d/iptables
new file mode 100755
index 0000000..68e4501
--- /dev/null
+++ b/share/provision/files/tor-transproxy/etc/network/if-pre-up.d/iptables
@@ -0,0 +1,58 @@
+#!/bin/bash
+#
+# Based on https://lists.torproject.org/pipermail/tor-talk/2014-March/032503.html
+# See also:
+#
+#  https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
+#- https://askubuntu.com/questions/324685/how-to-route-all-internet-traffic-through-tor-the-onion-router
+#- https://tor.stackexchange.com/questions/12343/use-iptables-to-force-traffic-through-tor
+#- https://tails.boum.org/contribute/design/Tor_enforcement/Network_filter/
+#- https://git.tails.boum.org/tails/plain/config/chroot_local-includes/etc/ferm/ferm.conf
+#- https://git.tails.boum.org/tails/plain/config/chroot_local-includes/etc/tor/torrc
+#- https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver
+#- https://trac.torproject.org/projects/tor/wiki/doc/PreventingDnsLeaksInTor
+
+# Parameters
+IPTABLES=/sbin/iptables
+TOR_UID=`id -u debian-tor`
+NETWORK_USER_ID=1000
+
+# Clear existing rules
+$IPTABLES -F INPUT  || exit
+$IPTABLES -F OUTPUT || exit
+$IPTABLES -t nat -F || exit
+
+# Transproxy rules for Tor
+$IPTABLES -t nat -A OUTPUT ! -d 127.0.0.1 -m owner ! --uid-owner $TOR_UID -p tcp -j REDIRECT --to-ports 9040    || exit
+$IPTABLES -t nat -A OUTPUT -p udp -m owner ! --uid-owner $TOR_UID -m udp --dport 53 -j REDIRECT --to-ports 5353 || exit
+
+# Allow Tor, _apt, root and the network user
+$IPTABLES -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT         || exit
+$IPTABLES -A OUTPUT -m owner --uid-owner $NETWORK_USER_ID -j ACCEPT || exit
+$IPTABLES -A OUTPUT -m owner --uid-owner root -j ACCEPT             || exit
+$IPTABLES -A OUTPUT -m owner --uid-owner _apt -j ACCEPT             || exit
+$IPTABLES -A INPUT -j LOG --log-prefix "OUTPUT DROPPED: " --log-uid || exit
+$IPTABLES -A OUTPUT -j DROP                                         || exit
+
+# Allow SSH
+$IPTABLES -A INPUT -p tcp --dport ssh -j ACCEPT || exit
+
+# Create INPUT firewall. Allow established connections and transproxy
+$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || exit
+$IPTABLES -A INPUT -i lo -j ACCEPT                                      || exit # Transproxy output comes from lo
+$IPTABLES -A INPUT -d 127.0.0.1 -m udp -p udp --dport 5300 -j ACCEPT    || exit
+$IPTABLES -A INPUT -j LOG --log-prefix "INPUT DROPPED: " --log-uid      || exit
+$IPTABLES -A INPUT -j DROP                                              || exit
+
+# Avoid packet leaks
+# https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html
+#iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
+#iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
+#iptables -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "Transproxy ctstate leak blocked: " --log-uid
+iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP                                                                                                    || exit
+iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Transproxy state leak blocked: " --log-uid                                                  || exit
+iptables -A OUTPUT -m state --state INVALID -j DROP                                                                                                          || exit
+iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j LOG --log-prefix "Transproxy leak blocked: " --log-uid || exit
+iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j LOG --log-prefix "Transproxy leak blocked: " --log-uid || exit
+iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP                                                   || exit
+iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP                                                   || exit
diff --git a/share/provision/files/tor-transproxy/etc/tor/torrc b/share/provision/files/tor-transproxy/etc/tor/torrc
new file mode 100644
index 0000000..9e17ea9
--- /dev/null
+++ b/share/provision/files/tor-transproxy/etc/tor/torrc
@@ -0,0 +1,179 @@
+## Configuration file for a typical Tor user
+## Last updated 22 December 2007 for Tor 0.2.0.14-alpha.
+## (May or may not work for much older or much newer versions of Tor.)
+##
+## Lines that begin with "## " try to explain what's going on. Lines
+## that begin with just "#" are disabled commands: you can enable them
+## by removing the "#" symbol.
+##
+## See the man page, or https://www.torproject.org/tor-manual-dev.html,
+## for more options you can use in this file.
+##
+## Tor will look for this file in various places based on your platform:
+## http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#torrc
+
+
+## Default SocksPort
+SocksPort 127.0.0.1:9050 IsolateDestAddr IsolateDestPort
+## SocksPort for Tails-specific applications
+SocksPort 127.0.0.1:9062 IsolateDestAddr IsolateDestPort
+## SocksPort for the default web browser
+SocksPort 127.0.0.1:9150 IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth
+
+## Entry policies to allow/deny SOCKS requests based on IP address.
+## First entry that matches wins. If no SocksPolicy is set, we accept
+## all (and only) requests from SocksListenAddress.
+#SocksPolicy accept 192.168.0.0/16
+#SocksPolicy reject *
+
+## Logs go to stdout at level "notice" unless redirected by something
+## else, like one of the below lines. You can have as many Log lines as
+## you want.
+##
+## We advise using "notice" in most cases, since anything more verbose
+## may provide sensitive information to an attacker who obtains the logs.
+##
+## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
+#Log notice file /var/log/tor/notices.log
+## Send every possible message to /var/log/tor/debug.log
+#Log debug file /var/log/tor/debug.log
+## Use the system log instead of Tor's logfiles
+#Log notice syslog
+## To send all messages to stderr:
+#Log debug stderr
+
+## Uncomment this to start the process in the background... or use
+## --runasdaemon 1 on the command line. This is ignored on Windows;
+## see the FAQ entry if you want Tor to run as an NT service.
+#RunAsDaemon 1
+
+## The directory for keeping all the keys/etc. By default, we store
+## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
+#DataDirectory /var/lib/tor
+
+## The port on which Tor will listen for local connections from Tor
+## controller applications, as documented in control-spec.txt.
+ControlPort 9052
+ControlListenAddress 127.0.0.1
+
+############### This section is just for location-hidden services ###
+
+## Once you have configured a hidden service, you can look at the
+## contents of the file ".../hidden_service/hostname" for the address
+## to tell people.
+##
+## HiddenServicePort x y:z says to redirect requests on port x to the
+## address y:z.
+
+#HiddenServiceDir /var/lib/tor/hidden_service/
+#HiddenServicePort 80 127.0.0.1:80
+
+#HiddenServiceDir /var/lib/tor/other_hidden_service/
+#HiddenServicePort 80 127.0.0.1:80
+#HiddenServicePort 22 127.0.0.1:22
+
+################ This section is just for relays #####################
+#
+## See https://www.torproject.org/docs/tor-doc-relay for details.
+
+## A unique handle for your server.
+#Nickname ididnteditheconfig
+
+## The IP or FQDN for your server. Leave commented out and Tor will guess.
+#Address noname.example.com
+
+## Define these to limit the bandwidth usage of relayed (server)
+## traffic. Your own traffic is still unthrottled.
+## Note that RelayBandwidthRate must be at least 20 KB.
+#RelayBandwidthRate 100 KBytes  # Throttle traffic to 100KB/s (800Kbps)
+#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB/s (1600Kbps)
+
+## Contact info to be published in the directory, so we can contact you
+## if your server is misconfigured or something else goes wrong.
+#ContactInfo Random Person <nobody AT example dot com>
+## You might also include your PGP or GPG fingerprint if you have one:
+#ContactInfo 1234D/FFFFFFFF Random Person <nobody AT example dot com>
+
+## Required: what port to advertise for Tor connections.
+#ORPort 9001
+## If you need to listen on a port other than the one advertised
+## in ORPort (e.g. to advertise 443 but bind to 9090), uncomment the
+## line below too. You'll need to do ipchains or other port forwarding
+## yourself to make this work.
+#ORListenAddress 0.0.0.0:9090
+
+## Uncomment this to mirror directory information for others. Please do
+## if you have enough bandwidth.
+#DirPort 9030 # what port to advertise for directory connections
+## If you need to listen on a port other than the one advertised
+## in DirPort (e.g. to advertise 80 but bind to 9091), uncomment the line
+## below too. You'll need to do ipchains or other port forwarding yourself
+## to make this work.
+#DirListenAddress 0.0.0.0:9091
+
+## Uncomment this if you run more than one Tor server, and add the
+## nickname of each Tor server you control, even if they're on different
+## networks. You declare it here so Tor clients can avoid using more than
+## one of your servers in a single circuit. See
+## http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#MultipleServers
+#MyFamily nickname1,nickname2,...
+
+## A comma-separated list of exit policies. They're considered first
+## to last, and the first match wins. If you want to _replace_
+## the default exit policy, end this with either a reject *:* or an
+## accept *:*. Otherwise, you're _augmenting_ (prepending to) the
+## default exit policy. Leave commented to just use the default, which is
+## available in the man page or at https://www.torproject.org/documentation.html
+##
+## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
+## for issues you might encounter if you use the default exit policy.
+##
+## If certain IPs and ports are blocked externally, e.g. by your firewall,
+## you should update your exit policy to reflect this -- otherwise Tor
+## users will be told that those destinations are down.
+##
+#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
+#ExitPolicy accept *:119 # accept nntp as well as default exit policy
+#ExitPolicy reject *:* # no exits allowed
+#
+################ This section is just for bridge relays ##############
+#
+## Bridge relays (or "bridges" ) are Tor relays that aren't listed in the
+## main directory. Since there is no complete public list of them, even if an
+## ISP is filtering connections to all the known Tor relays, they probably
+## won't be able to block all the bridges. Unlike running an exit relay,
+## running a bridge relay just passes data to and from the Tor network --
+## so it shouldn't expose the operator to abuse complaints.
+
+#ORPort 443
+#BridgeRelay 1
+#RelayBandwidthRate 50KBytes
+#ExitPolicy reject *:*
+
+
+################ Local settings ########################################
+
+## Torified DNS
+DNSPort 5353
+AutomapHostsOnResolve 1
+AutomapHostsSuffixes .exit,.onion
+
+## Transparent proxy
+TransPort 9040
+TransListenAddress 127.0.0.1
+
+## Misc
+AvoidDiskWrites 1
+
+## We don't care if applications do their own DNS lookups since our Tor
+## enforcement will handle it safely.
+WarnUnsafeSocks 0
+
+## Disable default warnings on StartTLS for email. Let's not train our
+## users to click through security warnings.
+WarnPlaintextPorts 23,109
+
+## Tor 0.3.x logs to syslog by default, which we redirect to the Journal;
+## but we have some code that reads Tor's logs and only supports plaintext
+## log files at the moment, so let's keep logging to a file.
+Log notice file /var/log/tor/log
diff --git a/share/provision/tor-transproxy b/share/provision/tor-transproxy
new file mode 100755
index 0000000..e80a382
--- /dev/null
+++ b/share/provision/tor-transproxy
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+#
+# Tor desktop provision example
+#
+# Copyright (C) 2017 Silvio Rhatto - rhatto at riseup.net
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published
+# by the Free Software Foundation, either version 3 of the License,
+# or any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# Parameters
+DIRNAME="`dirname $0`"
+BASENAME="`basename $0`"
+HOSTNAME="$1"
+DOMAIN="$2"
+MIRROR="$3"
+APT_INSTALL="sudo LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y"
+
+# Dependencies
+$APT_INSTALL tor iptables
+
+# Firewall config
+sudo cp $DIRNAME/files/tor-transproxy/etc/network/if-pre-up.d/iptables /etc/network/if-pre-up.d/iptables
+sudo /etc/network/if-pre-up.d/iptables
+
+# DNS config
+echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf > /dev/null
+
+# Tor config
+sudo cp $DIRNAME/files/tor-transproxy/etc/tor/torrc /etc/tor/torrc
+sudo service tor restart