On 08/07/2015 04:25 PM, Sunil Mohan wrote:
> On 08/07/2015 04:09 PM, Petter Reinholdtsen wrote:
>>
>> [Sunil Mohan]
>>> Can we not have Tor listen on 0.0.0.0:9050 even when transparent
>>> proxying is enabled?
>>
>> Sure, but I am unsure how that will work with iptables redirects.
>>
>
> Services (web, mumble, etc.) provided on FreedomBox should still be
> accessible after enabling transparent proxy. To make this happen I
> imagine that the transparent proxy iptables rule will exclude the
> current host from the destination list for transparent proxying.
> Something like: origin:any to destination:!currenthost -> proxy.
>
> If the rule is written in the FORWARDING table, I think a packet will
> not enter the chain if it is meant for the localhost. However, I am a
> bit rusty on the topic.
>
I have dug up a bit more and lightly read the Tor transparent proxy
page[1]. The rules go into the nat/PREROUTING chain in the Anonymizing
Middlebox case, into the OUTPUT chain in the local redirection case, or
both. In the former case, rules can certainly be written such that
traffic directed at the local machine is ignored and the remaining
traffic transparently proxied.

It is not a problem to listen on internal interfaces. I have submitted a
patch to Plinth to set up Tor and listen on 0.0.0.0. Firewalld (already)
only opens the port to internal interfaces and closes them for external
interfaces. I have also submitted another patch to remove Tor
configuration from freedombox-setup.

With this I am marking this bug as patch available so it can be closed
when the Plinth patch is committed.

Links:
1) https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy

-- 
Sunil
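The "origin:any to destination:!currenthost -> proxy" rule set for the Anonymizing Middlebox case discussed in the thread, as an added example that is neither from the thread nor from Plinth or freedombox-setup. It assumes the LAN-facing interface `eth1`, a Tor TransPort of 9040, a DNSPort of 5353, a chain name `TOR_TRANSPROXY`, and uses the iptables `addrtype --dst-type LOCAL` match to express "addressed to this host".

```shell
#!/bin/sh
# Added example: emit (or, with --apply, install) nat/PREROUTING rules that
# send LAN traffic through Tor while packets addressed to any address owned
# by this box bypass the redirect, so local services stay reachable.
# Interface, ports and chain name below are assumptions, not Plinth defaults.

INT_IF="${INT_IF:-eth1}"           # assumed LAN-facing interface
TRANS_PORT="${TRANS_PORT:-9040}"   # assumed Tor TransPort
DNS_PORT="${DNS_PORT:-5353}"       # assumed Tor DNSPort
CHAIN="TOR_TRANSPROXY"

tor_middlebox_rules() {
    # A dedicated chain keeps the policy easy to audit and to flush.
    echo "iptables -t nat -N $CHAIN"
    # Destination is an address of this host: leave the chain untouched.
    # This is the "destination:!currenthost" exclusion from the thread.
    echo "iptables -t nat -A $CHAIN -m addrtype --dst-type LOCAL -j RETURN"
    # Everything else: DNS to Tor's DNSPort, new TCP flows to TransPort.
    echo "iptables -t nat -A $CHAIN -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT"
    echo "iptables -t nat -A $CHAIN -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT"
    # Hook the chain into PREROUTING for packets arriving on the LAN side.
    echo "iptables -t nat -A PREROUTING -i $INT_IF -j $CHAIN"
}

# Returns 0 only when the local-host bypass precedes every REDIRECT; rule
# order is what keeps FreedomBox services reachable once proxying is on.
check_local_bypass_first() {
    tor_middlebox_rules | awk '
        /dst-type LOCAL/ { seen = 1 }
        /REDIRECT/ && !seen { bad = 1 }
        END { exit bad }'
}

if [ "$1" = "--apply" ]; then
    check_local_bypass_first || { echo "refusing: bypass rule is not first" >&2; exit 1; }
    tor_middlebox_rules | sh -e      # needs root; iptables is real here
else
    tor_middlebox_rules              # dry run: print the rules only
fi
```

Run it without arguments to review the generated rules; `--apply` installs them and must be run as root.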