authorintrigeri <intrigeri@boum.org>2012-01-07 15:23:47 +0100
committerintrigeri <intrigeri@boum.org>2012-11-11 23:11:17 +0100
commit0c28fa636653f395c756f56c93f8c78fddfcee00 (patch)
tree294bc78b7a707d6512a1b0a183f947af1a3c21df
parent911cc18e594bb5a3ab642ebb24615a0447050c32 (diff)
Allow redirecting DNS requests to Tor for specific users or globally.
-rw-r--r--README13
-rw-r--r--manifests/init.pp6
-rw-r--r--manifests/rules/torify/redirect_dns_to_tor.pp38
3 files changed, 56 insertions, 1 deletions
diff --git a/README b/README
index 648eaf7..816ed48 100644
--- a/README
+++ b/README
@@ -107,7 +107,18 @@ rejected. This is intentional: it does not make sense leaking -via DNS
requests- network activity that would otherwise be torified. In that
case you probably want to read proper documentation about such
matters, enable the Tor DNS resolver and redirect DNS requests through
-it.
+it,
+
+either globally:
+
+ shorewall::rules::torify::redirect_dns_to_tor { '-': }
+
+or for specific users:
+
+ shorewall::rules::torify::redirect_dns_to_tor { ['bob', 'alice' ]: }
+
+The $tor_dns_host and $tor_dns_port variables must be set before
+these defines are setup.
Example
-------
diff --git a/manifests/init.pp b/manifests/init.pp
index f69a6f2..5c9b602 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -28,6 +28,12 @@ class shorewall {
case $tor_transparent_proxy_port {
'': { $tor_transparent_proxy_port = '9040' }
}
+ case $tor_dns_host {
+ '': { $tor_dns_host = '127.0.0.1' }
+ }
+ case $tor_dns_port {
+ '': { $tor_dns_port = '8853' }
+ }
if $tor_user == '' {
$tor_user = $dist_tor_user ? {
'' => 'tor',
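Review bot: The new defaults `'127.0.0.1'` and `'8853'` for `$tor_dns_host` and `$tor_dns_port` are undocumented; the README hunk in this commit only says the variables must be set before the define is used, not what they mean or where the values come from. A comment above the two new case blocks, such as `# Must match the DNSPort the Tor daemon is configured to listen on; Tor exposes no DNS resolver unless one is configured`, would make the coupling visible to whoever changes either side. The `case $x { '': ... }` idiom follows the existing `$tor_transparent_proxy_port` block above it, so it cannot tell an explicitly empty value from an unset one; that is consistent with the file but worth knowing. class shorewall begins outside the hunk.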
diff --git a/manifests/rules/torify/redirect_dns_to_tor.pp b/manifests/rules/torify/redirect_dns_to_tor.pp
new file mode 100644
index 0000000..9c71204
--- /dev/null
+++ b/manifests/rules/torify/redirect_dns_to_tor.pp
@@ -0,0 +1,38 @@
+define shorewall::rules::torify::redirect_dns_to_tor() {
+
+ $user = $name
+
+ $destzone = $shorewall::tor_dns_host ? {
+ '127.0.0.1' => '$FW',
+ default => 'net'
+ }
+
+ $tcp_rule = "redirect-tcp-dns-to-tor-user=${user}"
+ if !defined(Shorewall::Rule["$tcp_rule"]) {
+ shorewall::rule {
+ "$tcp_rule":
+ source => '$FW',
+ destination => "${destzone}:${shorewall::tor_dns_host}:${shorewall::tor_dns_port}",
+ proto => 'tcp',
+ destinationport => 'domain',
+ user => $user,
+ order => 108,
+ action => 'DNAT';
+ }
+ }
+
+ $udp_rule = "redirect-udp-dns-to-tor-user=${user}"
+ if !defined(Shorewall::Rule["$udp_rule"]) {
+ shorewall::rule {
+ "$udp_rule":
+ source => '$FW',
+ destination => "${destzone}:${shorewall::tor_dns_host}:${shorewall::tor_dns_port}",
+ proto => 'udp',
+ destinationport => 'domain',
+ user => $user,
+ order => 108,
+ action => 'DNAT';
+ }
+ }
+
+}
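Review bot: The define reads `$shorewall::tor_dns_host` and `$shorewall::tor_dns_port` when computing `$destzone` and the `destination` strings, but nothing ensures class shorewall has been evaluated first; if it has not, both presumably expand to empty strings, `$destzone` falls through to `net` and the target becomes `net::`, so the rule cannot redirect DNS to Tor as intended. Adding `include shorewall` as the first statement of the define (the class takes no parameters, per the init.pp hunk) makes that dependency explicit; a `fail()` when `$shorewall::tor_dns_port` is empty would be a stricter alternative. The selector matches only the literal `'127.0.0.1'`, so any other loopback address is classified as zone `net`, which deserves a comment such as `# only the exact IPv4 loopback address is treated as the firewall itself`. The tcp and udp blocks are identical except for `proto`; a short comment saying they must stay in sync, or a small inner define taking the protocol, would keep them from drifting.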