From 0c28fa636653f395c756f56c93f8c78fddfcee00 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sat, 7 Jan 2012 15:23:47 +0100 Subject: Allow redirecting DNS requests to Tor for specific users or globally. --- README | 13 ++++++++- manifests/init.pp | 6 +++++ manifests/rules/torify/redirect_dns_to_tor.pp | 38 +++++++++++++++++++++++++++ 3 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 manifests/rules/torify/redirect_dns_to_tor.pp diff --git a/README b/README index 648eaf7..816ed48 100644 --- a/README +++ b/README @@ -107,7 +107,18 @@ rejected. This is intentional: it does not make sense leaking -via DNS requests- network activity that would otherwise be torified. In that case you probably want to read proper documentation about such matters, enable the Tor DNS resolver and redirect DNS requests through -it. +it, + +either globally: + + shorewall::rules::torify::redirect_dns_to_tor { '-': } + +or for specific users: + + shorewall::rules::torify::redirect_dns_to_tor { ['bob', 'alice' ]: } + +The $tor_dns_host and $tor_dns_port variables must be set before +these defines are setup. Example ------- diff --git a/manifests/init.pp b/manifests/init.pp index f69a6f2..5c9b602 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -28,6 +28,12 @@ class shorewall { case $tor_transparent_proxy_port { '': { $tor_transparent_proxy_port = '9040' } } + case $tor_dns_host { + '': { $tor_dns_host = '127.0.0.1' } + } + case $tor_dns_port { + '': { $tor_dns_port = '8853' } + } if $tor_user == '' { $tor_user = $dist_tor_user ? { '' => 'tor', diff --git a/manifests/rules/torify/redirect_dns_to_tor.pp b/manifests/rules/torify/redirect_dns_to_tor.pp new file mode 100644 index 0000000..9c71204 --- /dev/null +++ b/manifests/rules/torify/redirect_dns_to_tor.pp 
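Review bot: The new defaults for `$tor_dns_host` and `$tor_dns_port` are taken as-is with no shape check, and both values are interpolated straight into a shorewall rule's destination string in redirect_dns_to_tor.pp, so a non-numeric or whitespace-containing value would most likely yield a malformed or subtly different firewall rule instead of a catalog failure. After the two new `case` blocks, a guard such as `if $tor_dns_port !~ /^[0-9]+$/ { fail("tor_dns_port must be a port number, got '${tor_dns_port}'") }` catches that at compile time, and an anchored check on `$tor_dns_host` would be worth adding for the same reason. The `case ... { '': ... }` form mirrors the existing `$tor_transparent_proxy_port` handling, so it is consistent with the file, but the bare `8853` deserves a one-line comment saying which Tor listener it is meant to match (presumably the torrc `DNSPort` — confirm). The enclosing `class shorewall` continues outside the hunk.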
@@ -0,0 +1,38 @@
+define shorewall::rules::torify::redirect_dns_to_tor() {
+
+ $user = $name
+
+ $destzone = $shorewall::tor_dns_host ? {
+ '127.0.0.1' => '$FW',
+ default => 'net'
+ }
+
+ $tcp_rule = "redirect-tcp-dns-to-tor-user=${user}"
+ if !defined(Shorewall::Rule["$tcp_rule"]) {
+ shorewall::rule {
+ "$tcp_rule":
+ source => '$FW',
+ destination => "${destzone}:${shorewall::tor_dns_host}:${shorewall::tor_dns_port}",
+ proto => 'tcp',
+ destinationport => 'domain',
+ user => $user,
+ order => 108,
+ action => 'DNAT';
+ }
+ }
+
+ $udp_rule = "redirect-udp-dns-to-tor-user=${user}"
+ if !defined(Shorewall::Rule["$udp_rule"]) {
+ shorewall::rule {
+ "$udp_rule":
+ source => '$FW',
+ destination => "${destzone}:${shorewall::tor_dns_host}:${shorewall::tor_dns_port}",
+ proto => 'udp',
+ destinationport => 'domain',
+ user => $user,
+ order => 108,
+ action => 'DNAT';
+ }
+ }
+
+}
-- 
cgit v1.2.3
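Review bot: The `$destzone` selector treats only the exact string `'127.0.0.1'` as the firewall itself and sends every other `$shorewall::tor_dns_host` — including other loopback or locally bound interface addresses — to the `net` zone, so a Tor DNS listener bound to a LAN address would get a DNAT rule towards `net` that probably never matches as intended; that assumption should at least be stated on the line, `# only exactly 127.0.0.1 counts as local; any other host is assumed to live in the 'net' zone`, or the zone made an optional parameter of the define. The define also has no header comment; it should record that `$name` appears to be passed through unchanged as the rule's user field, so `'-'` means all users and anything else is a username (matching the README hunk), and that `$shorewall::tor_dns_host`/`$shorewall::tor_dns_port` must be set before it is declared. Minor style: `"$tcp_rule"`, `"$udp_rule"` and `Shorewall::Rule["$tcp_rule"]` quote a lone variable; `$tcp_rule:` and `Shorewall::Rule[$tcp_rule]` is the conventional form, and the tcp and udp blocks differ only in `proto` and the rule title.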