From 09f88f126bea0e4858f7a193987fea86b23140fa Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Sat, 28 Nov 2020 21:09:48 -0300
Subject: Fix: provision: some refatoring, moving things to trashman
---
 .../etc/network/if-pre-up.d/iptables | 58 ----------------------
 1 file changed, 58 deletions(-)
 delete mode 100755 share/provision/files/tor-transproxy/etc/network/if-pre-up.d/iptables
(limited to 'share/provision/files/tor-transproxy/etc/network')
diff --git a/share/provision/files/tor-transproxy/etc/network/if-pre-up.d/iptables b/share/provision/files/tor-transproxy/etc/network/if-pre-up.d/iptables
deleted file mode 100755
index 68e4501..0000000
--- a/share/provision/files/tor-transproxy/etc/network/if-pre-up.d/iptables
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/bin/bash
-#
-# Based on https://lists.torproject.org/pipermail/tor-talk/2014-March/032503.html
-# See also:
-#
-# https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
-#- https://askubuntu.com/questions/324685/how-to-route-all-internet-traffic-through-tor-the-onion-router
-#- https://tor.stackexchange.com/questions/12343/use-iptables-to-force-traffic-through-tor
-#- https://tails.boum.org/contribute/design/Tor_enforcement/Network_filter/
-#- https://git.tails.boum.org/tails/plain/config/chroot_local-includes/etc/ferm/ferm.conf
-#- https://git.tails.boum.org/tails/plain/config/chroot_local-includes/etc/tor/torrc
-#- https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver
-#- https://trac.torproject.org/projects/tor/wiki/doc/PreventingDnsLeaksInTor
-
-# Parameters
-IPTABLES=/sbin/iptables
-TOR_UID=`id -u debian-tor`
-NETWORK_USER_ID=1000
-
-# Clear existing rules
-$IPTABLES -F INPUT || exit
-$IPTABLES -F OUTPUT || exit
-$IPTABLES -t nat -F || exit
-
-# Transproxy rules for Tor
-$IPTABLES -t nat -A OUTPUT ! -d 127.0.0.1 -m owner ! --uid-owner $TOR_UID -p tcp -j REDIRECT --to-ports 9040 || exit
-$IPTABLES -t nat -A OUTPUT -p udp -m owner ! --uid-owner $TOR_UID -m udp --dport 53 -j REDIRECT --to-ports 5353 || exit
-
-# Allow Tor, _apt, root and the network user
-$IPTABLES -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT || exit
-$IPTABLES -A OUTPUT -m owner --uid-owner $NETWORK_USER_ID -j ACCEPT || exit
-$IPTABLES -A OUTPUT -m owner --uid-owner root -j ACCEPT || exit
-$IPTABLES -A OUTPUT -m owner --uid-owner _apt -j ACCEPT || exit
-$IPTABLES -A INPUT -j LOG --log-prefix "OUTPUT DROPPED: " --log-uid || exit
-$IPTABLES -A OUTPUT -j DROP || exit
-
-# Allow SSH
-$IPTABLES -A INPUT -p tcp --dport ssh -j ACCEPT || exit
-
-# Create INPUT firewall. Allow established connections and transproxy
-$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || exit
-$IPTABLES -A INPUT -i lo -j ACCEPT || exit # Transproxy output comes from lo
-$IPTABLES -A INPUT -d 127.0.0.1 -m udp -p udp --dport 5300 -j ACCEPT || exit
-$IPTABLES -A INPUT -j LOG --log-prefix "INPUT DROPPED: " --log-uid || exit
-$IPTABLES -A INPUT -j DROP || exit
-
-# Avoid packet leaks
-# https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html
-#iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
-#iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
-#iptables -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "Transproxy ctstate leak blocked: " --log-uid
-iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP || exit
-iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Transproxy state leak blocked: " --log-uid || exit
-iptables -A OUTPUT -m state --state INVALID -j DROP || exit
-iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j LOG --log-prefix "Transproxy leak blocked: " --log-uid || exit
-iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j LOG --log-prefix "Transproxy leak blocked: " --log-uid || exit
-iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP || exit
-iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP || exit
-- cgit v1.2.3