From 480055af9dc335fb1b290b8ffb3a3548f879f3f5 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 23 Jan 2020 13:58:30 -0300 Subject: Feat: Provision: Tor Transproxy --- .../etc/network/if-pre-up.d/iptables | 58 +++++++ share/provision/files/tor-transproxy/etc/tor/torrc | 179 +++++++++++++++++++++ share/provision/tor-transproxy | 41 +++++ 3 files changed, 278 insertions(+) create mode 100755 share/provision/files/tor-transproxy/etc/network/if-pre-up.d/iptables create mode 100644 share/provision/files/tor-transproxy/etc/tor/torrc create mode 100755 share/provision/tor-transproxy (limited to 'share') diff --git a/share/provision/files/tor-transproxy/etc/network/if-pre-up.d/iptables b/share/provision/files/tor-transproxy/etc/network/if-pre-up.d/iptables new file mode 100755 index 0000000..68e4501 --- /dev/null +++ b/share/provision/files/tor-transproxy/etc/network/if-pre-up.d/iptables @@ -0,0 +1,58 @@ +#!/bin/bash +# +# Based on https://lists.torproject.org/pipermail/tor-talk/2014-March/032503.html +# See also: +# +# https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy +#- https://askubuntu.com/questions/324685/how-to-route-all-internet-traffic-through-tor-the-onion-router +#- https://tor.stackexchange.com/questions/12343/use-iptables-to-force-traffic-through-tor +#- https://tails.boum.org/contribute/design/Tor_enforcement/Network_filter/ +#- https://git.tails.boum.org/tails/plain/config/chroot_local-includes/etc/ferm/ferm.conf +#- https://git.tails.boum.org/tails/plain/config/chroot_local-includes/etc/tor/torrc +#- https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver +#- https://trac.torproject.org/projects/tor/wiki/doc/PreventingDnsLeaksInTor + +# Parameters +IPTABLES=/sbin/iptables +TOR_UID=`id -u debian-tor` +NETWORK_USER_ID=1000 + +# Clear existing rules +$IPTABLES -F INPUT || exit +$IPTABLES -F OUTPUT || exit +$IPTABLES -t nat -F || exit + +# Transproxy rules for Tor +$IPTABLES -t nat -A OUTPUT ! -d 127.0.0.1 -m owner ! --uid-owner $TOR_UID -p tcp -j REDIRECT --to-ports 9040 || exit +$IPTABLES -t nat -A OUTPUT -p udp -m owner ! --uid-owner $TOR_UID -m udp --dport 53 -j REDIRECT --to-ports 5353 || exit + +# Allow Tor, _apt, root and the network user +$IPTABLES -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT || exit +$IPTABLES -A OUTPUT -m owner --uid-owner $NETWORK_USER_ID -j ACCEPT || exit +$IPTABLES -A OUTPUT -m owner --uid-owner root -j ACCEPT || exit +$IPTABLES -A OUTPUT -m owner --uid-owner _apt -j ACCEPT || exit +$IPTABLES -A INPUT -j LOG --log-prefix "OUTPUT DROPPED: " --log-uid || exit +$IPTABLES -A OUTPUT -j DROP || exit + +# Allow SSH +$IPTABLES -A INPUT -p tcp --dport ssh -j ACCEPT || exit + +# Create INPUT firewall. Allow established connections and transproxy +$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || exit +$IPTABLES -A INPUT -i lo -j ACCEPT || exit # Transproxy output comes from lo +$IPTABLES -A INPUT -d 127.0.0.1 -m udp -p udp --dport 5300 -j ACCEPT || exit +$IPTABLES -A INPUT -j LOG --log-prefix "INPUT DROPPED: " --log-uid || exit +$IPTABLES -A INPUT -j DROP || exit + +# Avoid packet leaks +# https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html +#iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP +#iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP +#iptables -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "Transproxy ctstate leak blocked: " --log-uid +iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP || exit +iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Transproxy state leak blocked: " --log-uid || exit +iptables -A OUTPUT -m state --state INVALID -j DROP || exit +iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j LOG --log-prefix "Transproxy leak blocked: " --log-uid || exit +iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j LOG --log-prefix "Transproxy leak blocked: " --log-uid || exit +iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP || exit +iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP || exit diff --git a/share/provision/files/tor-transproxy/etc/tor/torrc b/share/provision/files/tor-transproxy/etc/tor/torrc new file mode 100644 index 0000000..9e17ea9 --- /dev/null +++ b/share/provision/files/tor-transproxy/etc/tor/torrc @@ -0,0 +1,179 @@ +## Configuration file for a typical Tor user +## Last updated 22 December 2007 for Tor 0.2.0.14-alpha. +## (May or may not work for much older or much newer versions of Tor.) +## +## Lines that begin with "## " try to explain what's going on. Lines +## that begin with just "#" are disabled commands: you can enable them +## by removing the "#" symbol. +## +## See the man page, or https://www.torproject.org/tor-manual-dev.html, +## for more options you can use in this file. +## +## Tor will look for this file in various places based on your platform: +## http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#torrc + + +## Default SocksPort +SocksPort 127.0.0.1:9050 IsolateDestAddr IsolateDestPort +## SocksPort for Tails-specific applications +SocksPort 127.0.0.1:9062 IsolateDestAddr IsolateDestPort +## SocksPort for the default web browser +SocksPort 127.0.0.1:9150 IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth + +## Entry policies to allow/deny SOCKS requests based on IP address. +## First entry that matches wins. If no SocksPolicy is set, we accept +## all (and only) requests from SocksListenAddress. +#SocksPolicy accept 192.168.0.0/16 +#SocksPolicy reject * + +## Logs go to stdout at level "notice" unless redirected by something +## else, like one of the below lines. You can have as many Log lines as +## you want. +## +## We advise using "notice" in most cases, since anything more verbose +## may provide sensitive information to an attacker who obtains the logs. +## +## Send all messages of level 'notice' or higher to /var/log/tor/notices.log +#Log notice file /var/log/tor/notices.log +## Send every possible message to /var/log/tor/debug.log +#Log debug file /var/log/tor/debug.log +## Use the system log instead of Tor's logfiles +#Log notice syslog +## To send all messages to stderr: +#Log debug stderr + +## Uncomment this to start the process in the background... or use +## --runasdaemon 1 on the command line. This is ignored on Windows; +## see the FAQ entry if you want Tor to run as an NT service. +#RunAsDaemon 1 + +## The directory for keeping all the keys/etc. By default, we store +## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. +#DataDirectory /var/lib/tor + +## The port on which Tor will listen for local connections from Tor +## controller applications, as documented in control-spec.txt. +ControlPort 9052 +ControlListenAddress 127.0.0.1 + +############### This section is just for location-hidden services ### + +## Once you have configured a hidden service, you can look at the +## contents of the file ".../hidden_service/hostname" for the address +## to tell people. +## +## HiddenServicePort x y:z says to redirect requests on port x to the +## address y:z. + +#HiddenServiceDir /var/lib/tor/hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 + +#HiddenServiceDir /var/lib/tor/other_hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 +#HiddenServicePort 22 127.0.0.1:22 + +################ This section is just for relays ##################### +# +## See https://www.torproject.org/docs/tor-doc-relay for details. + +## A unique handle for your server. +#Nickname ididnteditheconfig + +## The IP or FQDN for your server. Leave commented out and Tor will guess. +#Address noname.example.com + +## Define these to limit the bandwidth usage of relayed (server) +## traffic. Your own traffic is still unthrottled. +## Note that RelayBandwidthRate must be at least 20 KB. +#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps) +#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB/s (1600Kbps) + +## Contact info to be published in the directory, so we can contact you +## if your server is misconfigured or something else goes wrong. +#ContactInfo Random Person +## You might also include your PGP or GPG fingerprint if you have one: +#ContactInfo 1234D/FFFFFFFF Random Person + +## Required: what port to advertise for Tor connections. +#ORPort 9001 +## If you need to listen on a port other than the one advertised +## in ORPort (e.g. to advertise 443 but bind to 9090), uncomment the +## line below too. You'll need to do ipchains or other port forwarding +## yourself to make this work. +#ORListenAddress 0.0.0.0:9090 + +## Uncomment this to mirror directory information for others. Please do +## if you have enough bandwidth. +#DirPort 9030 # what port to advertise for directory connections +## If you need to listen on a port other than the one advertised +## in DirPort (e.g. to advertise 80 but bind to 9091), uncomment the line +## below too. You'll need to do ipchains or other port forwarding yourself +## to make this work. +#DirListenAddress 0.0.0.0:9091 + +## Uncomment this if you run more than one Tor server, and add the +## nickname of each Tor server you control, even if they're on different +## networks. You declare it here so Tor clients can avoid using more than +## one of your servers in a single circuit. See +## http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#MultipleServers +#MyFamily nickname1,nickname2,... + +## A comma-separated list of exit policies. They're considered first +## to last, and the first match wins. If you want to _replace_ +## the default exit policy, end this with either a reject *:* or an +## accept *:*. Otherwise, you're _augmenting_ (prepending to) the +## default exit policy. Leave commented to just use the default, which is +## available in the man page or at https://www.torproject.org/documentation.html +## +## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses +## for issues you might encounter if you use the default exit policy. +## +## If certain IPs and ports are blocked externally, e.g. by your firewall, +## you should update your exit policy to reflect this -- otherwise Tor +## users will be told that those destinations are down. +## +#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more +#ExitPolicy accept *:119 # accept nntp as well as default exit policy +#ExitPolicy reject *:* # no exits allowed +# +################ This section is just for bridge relays ############## +# +## Bridge relays (or "bridges" ) are Tor relays that aren't listed in the +## main directory. Since there is no complete public list of them, even if an +## ISP is filtering connections to all the known Tor relays, they probably +## won't be able to block all the bridges. Unlike running an exit relay, +## running a bridge relay just passes data to and from the Tor network -- +## so it shouldn't expose the operator to abuse complaints. + +#ORPort 443 +#BridgeRelay 1 +#RelayBandwidthRate 50KBytes +#ExitPolicy reject *:* + + +################ Local settings ######################################## + +## Torified DNS +DNSPort 5353 +AutomapHostsOnResolve 1 +AutomapHostsSuffixes .exit,.onion + +## Transparent proxy +TransPort 9040 +TransListenAddress 127.0.0.1 + +## Misc +AvoidDiskWrites 1 + +## We don't care if applications do their own DNS lookups since our Tor +## enforcement will handle it safely. +WarnUnsafeSocks 0 + +## Disable default warnings on StartTLS for email. Let's not train our +## users to click through security warnings. +WarnPlaintextPorts 23,109 + +## Tor 0.3.x logs to syslog by default, which we redirect to the Journal; +## but we have some code that reads Tor's logs and only supports plaintext +## log files at the moment, so let's keep logging to a file. +Log notice file /var/log/tor/log diff --git a/share/provision/tor-transproxy b/share/provision/tor-transproxy new file mode 100755 index 0000000..e80a382 --- /dev/null +++ b/share/provision/tor-transproxy @@ -0,0 +1,41 @@ +#!/usr/bin/env bash +# +# Tor desktop provision example +# +# Copyright (C) 2017 Silvio Rhatto - rhatto at riseup.net +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published +# by the Free Software Foundation, either version 3 of the License, +# or any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +# Parameters +DIRNAME="`dirname $0`" +BASENAME="`basename $0`" +HOSTNAME="$1" +DOMAIN="$2" +MIRROR="$3" +APT_INSTALL="sudo LC_ALL=C DEBIAN_FRONTEND=noninteractive apt-get install -y" + +# Dependencies +$APT_INSTALL tor iptables + +# Firewall config +sudo cp $DIRNAME/files/tor-transproxy/etc/network/if-pre-up.d/iptables /etc/network/if-pre-up.d/iptables +sudo /etc/network/if-pre-up.d/iptables + +# DNS config +echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf > /dev/null + +# Tor config +sudo cp $DIRNAME/files/tor-transproxy/etc/tor/torrc /etc/tor/torrc +sudo service tor restart -- cgit v1.2.3