Re: Iptables configuration for a transparent proxy for a single user

2009-05-14 Thread John Brooks
Removing '-t nat' from the last rule should do what you need. Only the
first two really need to be in the NAT table (because they are
modifying the traffic, not filtering it).

  - John Brooks

On Wed, May 13, 2009 at 11:15 PM, leandro noferini
lnofe...@cybervalley.org wrote:
 Hi everyone,

 The Tor wiki at the address

 http://wiki.noreply.org/noreply/TheOnionRouter/TransparentProxy#head-235f10e71909d609c46847c9f91efe8ed5168004

 explains the way to apply a transparent proxy for a specific user.

 The rules for iptables are

 iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner anonymous -m tcp --syn -j REDIRECT --to-ports 9040
 iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53
 iptables -t nat -A OUTPUT -m owner --uid-owner anonymous -j DROP

 In my Debian unstable Linux (kernel 2.6.29 and iptables 1.4.3.2-2 from
 package) these rules don't work anymore and this is the message from
 iptables

 The nat table is not intended for filtering, the use of DROP is therefore inhibited.

 Does anyone know the changes needed to make it work again?


 --
 Bye
 leandro
 I don't want to know everything, I want to understand everything



Re: Re: My tor exit node is gone from the node list?

2009-05-14 Thread Alexandru Cezar
 This problem seems to be related to your port 8010. From some locations
 your node presents an SSL certificate on port 443 but not on 8010. You
 might want to ask your ISP why that is the case. (A workaround might be
 to switch your OR port from 8010 to 443, but let's try to figure out the
 reason for the original problem first.)

I have spoken to my ISP, they're not aware of any routing errors and do
not filter. From my limited testing from multiple locations, I can always
reach the server.
Port 443 is already in use by the Apache web server.

Alexandru







Re: Iptables configuration for a transparent proxy for a single user

2009-05-14 Thread leandro noferini
John Brooks wrote:

 Removing '-t nat' from the last rule should do what you need. Only the
 first two really need to be in the NAT table (because they are
 modifying the traffic, not filtering it).

[...]

  iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner anonymous -m tcp --syn -j REDIRECT --to-ports 9040
  iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53
  iptables -t nat -A OUTPUT -m owner --uid-owner anonymous -j DROP

[...]

Ok, now ipfilter does not complain but I cannot connect anymore.

:-(

I will investigate more.

-- 
Bye
leandro
I don't want to know everything, I want to understand everything




Re: Iptables configuration for a transparent proxy for a single user

2009-05-14 Thread leandro noferini
leandro noferini wrote:


[...]

 Ok, now ipfilter does not complain but I cannot connect anymore.
 
 :-(
 
 I will investigate more.

I applied these rules for iptables (in this order):

iptables -A OUTPUT -p tcp -m owner --uid-owner anonymous -m tcp --syn -j REDIRECT --to-ports 9040
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53
iptables -A OUTPUT -m owner --uid-owner anonymous -j DROP

that gave this firewall.rules (saved with iptables-save)

# Generated by iptables-save v1.4.3.2 on Thu May 14 22:38:12 2009
*filter
:INPUT ACCEPT [16071:6425763]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [15031:2354190]
-A OUTPUT -m owner --uid-owner anonymous -j DROP 
COMMIT
# Completed on Thu May 14 22:38:12 2009
# Generated by iptables-save v1.4.3.2 on Thu May 14 22:38:12 2009
*nat
:PREROUTING ACCEPT [350:71565]
:POSTROUTING ACCEPT [264:19517]
:OUTPUT ACCEPT [264:19517]
-A OUTPUT -p tcp -m owner --uid-owner anonymous -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53
COMMIT
# Completed on Thu May 14 22:38:12 2009

But now the user cannot connect anywhere and if I try to see what the
configuration for iptables is I get this

minchioncino:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            owner UID match anonymous

I think this is not correct because all traffic coming from the user is
dropped, right?


-- 
Bye
leandro
I don't want to know everything, I want to understand everything
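
A lint over an iptables-save dump for the two table mistakes that come up in this thread (DROP in the nat table, REDIRECT outside it), plus a check for a catch-all owner DROP in filter OUTPUT that also matches packets the nat OUTPUT rules have just redirected, since nat OUTPUT is traversed before filter OUTPUT. This is an added example, not code from any poster or from the Tor wiki; the function names and the sample dump are constructed for illustration.

```python
import shlex

NAT_ONLY = {"REDIRECT", "DNAT", "SNAT", "MASQUERADE"}
first = lambda o, name: (o.get(name) or [None])[0]  # first value of an option, or None
# Constructed sample, modelled on the iptables-save dump posted in the thread.
SAMPLE = """*filter
-A OUTPUT -m owner --uid-owner anonymous -j DROP
COMMIT
*nat
-A OUTPUT -p tcp -m owner --uid-owner anonymous -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53
COMMIT
"""

def parse(dump):
    """Yield (table, {option: [values]}) per -A line; '! --opt' is stored as '!--opt'."""
    table = None
    for line in dump.splitlines():
        table = line[1:].strip() if line.startswith("*") else table
        if line.startswith("-A "):
            opts, key, neg = {}, None, False
            for tok in shlex.split(line):
                if tok.startswith("-"):
                    key = ("!" if neg else "") + tok
                    opts[key] = []
                elif tok != "!":
                    opts[key].append(tok)
                neg = tok == "!"
            yield table, opts

def lint(dump):
    rules, out, redirected, accepted = list(parse(dump)), [], [], []
    for table, o in rules:
        tgt, sig = first(o, "-j"), (first(o, "--uid-owner"), first(o, "-p"))
        if table == "nat" and tgt == "DROP":
            out.append("nat: DROP is a filtering target, move the rule to the filter table")
        elif table != "nat" and tgt in NAT_ONLY:
            out.append(f"{table}: {tgt} is only valid in the nat table")
        elif table == "nat" and tgt == "REDIRECT" and first(o, "-A") == "OUTPUT":
            redirected.append(sig + (first(o, "--to-ports"),))
    # Filter OUTPUT sees the packet after nat OUTPUT rewrote its destination port.
    for o in (o for t, o in rules if t == "filter" and first(o, "-A") == "OUTPUT"):
        tgt, uid = first(o, "-j"), first(o, "--uid-owner")
        if tgt == "ACCEPT":  # only an ACCEPT with the same uid, protocol and --dport counts
            accepted.append((uid, first(o, "-p"), first(o, "--dport")))
        elif tgt == "DROP" and uid and set(o) <= {"-A", "-m", "--uid-owner", "-j"}:
            out += [f"filter: catch-all DROP for {uid} also drops redirected {p}/{port}"
                    for u, p, port in redirected if u == uid and (u, p, port) not in accepted]
    return out
```

Running lint(SAMPLE) reports one finding per redirected port; adding per-uid ACCEPT rules for tcp/9040 and udp/53 ahead of the DROP in the filter table clears them.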




Tor connection problems from within bundesagentur für arbeit network

2009-05-14 Thread Josua Schmid
Hi folks!

I tried to set up a tor connection from within the bundesagentur für
arbeit network, but something seems to block the tor network access.

I introduced bridges in the torrc config file but it didn't change
anything. I'm still not able to connect.

Here is my latest torrc:

SocksListenAddress 127.0.0.1
UpdateBridgesFromAuthority 1
UseBridges 1
ControlPort 9051
Log notice stdout
HashedControlPassword 16:B12A2B34CCB5F7016007E3E940E131C208588769CC2C1353568E1C250F

Bridge 86.76.117.112:443 CFED61F1D08A81607AB99D9293107A831B714785
Bridge 85.25.147.200:9003 8EAB9AFB5EDA3E3E4AE579120410A2F2C23C7AD9
Bridge 195.131.125.133:443 9E0C6CD2E47FB4E0FED76807275FB0F68B463B5A
bridge 60.16.182.53:9001 c9111bd74a710c0d25dda6b35e181f1aa7911133
bridge 87.237.118.139:444 c18dde4804e8fcb48464341ca1375eb130453a39
bridge 60.63.97.221:443 ab5c849ed5896d53052e43966ee9aba2ff92fb82
bridge 62.47.154.148:443 55d8530e5ba7445390139d357063a082504ef0c2
bridge 216.9.190.124:443 9ed5cec4ad8c0e555a02a713540e5dbd96644ef3
bridge 193.19.77.145:444 03e175aea60ad6643ccb8bf22f1bb2b7b88c1c46

Here is the command line output of tor:

tor -f torrc
May 15 01:22:45.121 [notice] Tor v0.2.0.34 (r18423). This is experimental software. Do not rely on it for strong anonymity. (Running on Windows XP Service Pack 3 [workstation] {personal} {terminal services, single user})
May 15 01:22:45.171 [notice] Initialized libevent version 1.4.9-stable using method win32. Good.
May 15 01:22:45.171 [notice] Opening Socks listener on 127.0.0.1:9050
May 15 01:22:45.171 [notice] Opening Control listener on 127.0.0.1:9051
May 15 01:22:46.202 [notice] I learned some more directory information, but not enough to build a circuit: We have no network-status consensus.

And here is the output when using vidalia:

Mai 15 01:25:00.275 [Hinweis] Tor v0.2.0.34 (r18423). This is experimental software. Do not rely on it for strong anonymity. (Running on Windows XP Service Pack 3 [workstation] {personal} {terminal services, single user})
Mai 15 01:25:00.375 [Hinweis] Initialized libevent version 1.4.9-stable using method win32. Good.
Mai 15 01:25:00.375 [Hinweis] Opening Socks listener on 127.0.0.1:9050
Mai 15 01:25:00.375 [Hinweis] Opening Control listener on 127.0.0.1:9051
Mai 15 01:25:31.199 [Hinweis] Renaming old configuration file to C:\Dokumente und Einstellungen\Aaron.AARON-7BFA8B150\Anwendungsdaten\Vidalia\torrc.orig.2
Mai 15 01:25:34.895 [Hinweis] While fetching directory info, no running dirservers known. Will try again later. (purpose 6)
Mai 15 01:25:34.895 [Hinweis] While fetching directory info, no running dirservers known. Will try again later. (purpose 6)
Mai 15 01:25:34.895 [Hinweis] While fetching directory info, no running dirservers known. Will try again later. (purpose 6)
Mai 15 01:25:34.895 [Hinweis] While fetching directory info, no running dirservers known. Will try again later. (purpose 6)
Mai 15 01:25:34.895 [Hinweis] While fetching directory info, no running dirservers known. Will try again later. (purpose 6)
Mai 15 01:25:34.895 [Hinweis] While fetching directory info, no running dirservers known. Will try again later. (purpose 6)
Mai 15 01:25:34.895 [Hinweis] While fetching directory info, no running dirservers known. Will try again later. (purpose 6)
Mai 15 01:25:34.895 [Hinweis] While fetching directory info, no running dirservers known. Will try again later. (purpose 6)
Mai 15 01:25:34.895 [Hinweis] While fetching directory info, no running dirservers known. Will try again later. (purpose 6)

I'm using Windows XP SP3, not firewalled. I have no idea how the
blocking takes place, but some websites are not reachable from within
this network (because the students are supposed to study, also in
their free time...).

Any ideas what to do to make it connect?

Thanks a lot!

Josua  



unsubscribe

2009-05-14 Thread 沈翰斌










Re: Tor connection problems from within bundesagentur für arbeit network

2009-05-14 Thread Christopher Davis
On Fri, May 15, 2009 at 02:00:23AM +0200, Josua Schmid wrote:
 Hi folks!
 
 I tried to set up a tor connection from within the bundesagentur für
 arbeit network, but something seems to block the tor network access.
 
 I introduced bridges in the torrc config file but it didn't change
 anything. I'm still not able to connect.
 
 Here is my latest torrc:
 
 SocksListenAddress 127.0.0.1
 UpdateBridgesFromAuthority 1
 UseBridges 1
 ControlPort 9051
 Log notice stdout
 HashedControlPassword 16:B12A2B34CCB5F7016007E3E940E131C208588769CC2C1353568E1C250F
 
 Bridge 86.76.117.112:443 CFED61F1D08A81607AB99D9293107A831B714785
 Bridge 85.25.147.200:9003 8EAB9AFB5EDA3E3E4AE579120410A2F2C23C7AD9
 Bridge 195.131.125.133:443 9E0C6CD2E47FB4E0FED76807275FB0F68B463B5A
 bridge 60.16.182.53:9001 c9111bd74a710c0d25dda6b35e181f1aa7911133
 bridge 87.237.118.139:444 c18dde4804e8fcb48464341ca1375eb130453a39
 bridge 60.63.97.221:443 ab5c849ed5896d53052e43966ee9aba2ff92fb82
 bridge 62.47.154.148:443 55d8530e5ba7445390139d357063a082504ef0c2
 bridge 216.9.190.124:443 9ed5cec4ad8c0e555a02a713540e5dbd96644ef3
 bridge 193.19.77.145:444 03e175aea60ad6643ccb8bf22f1bb2b7b88c1c46

snip

Does your network block ports other than 80 and 443 (http traffic)?
You might try disabling bridges and adding FascistFirewall 1 to
your configuration file to ensure that Tor only makes connections
to web-related ports.


Re: unsubscribe

2009-05-14 Thread j xd



unsubscribe

2009-05-14 Thread j xd



TOR and HADOPI

2009-05-14 Thread cha...@gmail.com
Hello,

Does anyone know where to find a how-to for using TOR against HADOPI?

(Hadopi is the new law in France about P2P: if you download some music or
movie with a P2P system, the provider will send you a mail to say stop; if
you continue, they send a real letter and after that, they stop your connection
and FINE you (and you will continue to pay the provider but you will have no
right to have an internet connection :-(( )  -
http://www.p2pnet.net/story/21764 - )

Thanks