Re: Iptables configuration for a transparent proxy for a singleuser
unknown wrote:
>
> INET_IFACE=eth0 #our internet interface
>
> $IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 9050 -j DROP
> $IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 9040 -j DROP
> $IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 53 -j DROP
> $IPTABLES -A INPUT -i $INET_IFACE -p UDP --dport 53 -j DROP
> # Block incoming traffic for these ports from outside.
> # Tor already ignores non-local connections by default.
>
>
> $IPTABLES -t nat -A OUTPUT -o lo -j RETURN
> $IPTABLES -t nat -A OUTPUT -d 127.0.0.1 -j RETURN
> # Pass direct connections to localhost services.
> # We can try using privoxy first before redirecting unfiltered traffic to Tor.
>
>
> TOR_UID=debian-tor
> #see tor uid in file:
> #tor:x:XXX:YYY::/var/lib/tor)
>
> $IPTABLES -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
> $IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner tornet_user -m tcp --syn \
>     -j REDIRECT --to-ports 9040
> $IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner tornet_user -m udp --dport 53 \
>     -j REDIRECT --to-ports 53
> $IPTABLES -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
> # Transparent redirection of the traffic to Tor for tornet_user
>
>
> # $IPTABLES -t nat -A OUTPUT -m owner --uid-owner tornet_user -j DROP
> # This rule does not work anymore in new iptables.
>
>
> $IPTABLES -t nat -A OUTPUT -m owner --uid-owner tornet_user -j DNAT \
>     --to-destination 127.0.0.1
> # Use DNAT instead of nat
> # Any traffic from tornet_user that is not redirected to Tor is redirected to localhost.
> # If no service on localhost can accept this traffic, then these packets die quietly in our localhost.
>
> I tested these rules with a sniffer and cannot see any DNS leakage, and everything works fine.
> Any possible vulnerabilities here?

Rather than just DNATing all un-REDIRECTed traffic of tornet_user to localhost, I wonder whether it would be safer to direct udp & tcp traffic to a particular port where you explicitly DROP (or REJECT) it.
Something along the lines of:

DROPDEAD=12345
$IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner tornet_user \
    -j REDIRECT --to-ports $DROPDEAD
$IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner tornet_user \
    -j REDIRECT --to-ports $DROPDEAD
$IPTABLES -t nat -A OUTPUT -m owner --uid-owner tornet_user \
    -j REDIRECT
$IPTABLES -A INPUT -p tcp --dport $DROPDEAD -j DROP
$IPTABLES -A INPUT -p udp --dport $DROPDEAD -j DROP

(BTW, DNATing to localhost for a locally generated packet is the same as REDIRECT.)

Also, it looks to me like the following rule is not needed, as any packets that would match have already been RETURNed.

$IPTABLES -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
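The per-user ruleset discussed in this thread, rebuilt with the reply's sink-port variant in place of the DNAT-to-localhost catch-all and without the redundant ACCEPT, as an added example (not code from the thread). Assumed names: ANON_USER stands for the thread's tornet_user, DROPDEAD is the reply's sink port, and rule_count is a helper for checking a dry run; with the default IPTABLES="echo iptables" the rules are only printed, not loaded.

```shell
#!/bin/sh
# Added example: per-user transparent Tor routing with a sink port.
# Assumption: IPTABLES defaults to a dry run that echoes each rule.
IPTABLES=${IPTABLES:-"echo iptables"}
INET_IFACE=${INET_IFACE:-eth0}      # internet-facing interface
TOR_UID=${TOR_UID:-debian-tor}      # user the tor daemon runs as
ANON_USER=${ANON_USER:-tornet_user} # user whose traffic must go via Tor
TRANS_PORT=9040                     # tor TransPort
DNS_PORT=53                         # tor DNSPort
DROPDEAD=12345                      # sink port: nothing listens, INPUT drops it

tor_user_rules() {
    # 1. Nothing from the internet may reach the local Tor or sink ports.
    for port in 9050 $TRANS_PORT $DNS_PORT $DROPDEAD; do
        $IPTABLES -A INPUT -i "$INET_IFACE" -p tcp --dport "$port" -j DROP
    done
    $IPTABLES -A INPUT -i "$INET_IFACE" -p udp --dport $DNS_PORT -j DROP

    # 2. Traffic to localhost and the tor daemon's own traffic leave the
    #    nat table untouched (RETURN is enough; no ACCEPT rule needed).
    $IPTABLES -t nat -A OUTPUT -o lo -j RETURN
    $IPTABLES -t nat -A OUTPUT -d 127.0.0.1 -j RETURN
    $IPTABLES -t nat -A OUTPUT -m owner --uid-owner "$TOR_UID" -j RETURN

    # 3. ANON_USER: new TCP connections go to TransPort, DNS to DNSPort.
    $IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner "$ANON_USER" \
        --syn -j REDIRECT --to-ports $TRANS_PORT
    $IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner "$ANON_USER" \
        --dport $DNS_PORT -j REDIRECT --to-ports $DNS_PORT

    # 4. Everything else from ANON_USER is redirected to the sink port;
    #    protocols without ports are plain-REDIRECTed to localhost.
    $IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner "$ANON_USER" \
        -j REDIRECT --to-ports $DROPDEAD
    $IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner "$ANON_USER" \
        -j REDIRECT --to-ports $DROPDEAD
    $IPTABLES -t nat -A OUTPUT -m owner --uid-owner "$ANON_USER" -j REDIRECT

    # 5. The sink port is dropped explicitly so nothing local can answer;
    #    REJECT here would make misdirected clients fail fast instead.
    $IPTABLES -A INPUT -p tcp --dport $DROPDEAD -j DROP
    $IPTABLES -A INPUT -p udp --dport $DROPDEAD -j DROP
}

# Number of rules the function emits (15 in the dry run); handy for
# comparing against `iptables -S` after a real load.
rule_count() { tor_user_rules | wc -l | tr -d ' '; }
```

Run as root with IPTABLES=iptables to load the rules; the control port (ControlPort in torrc) is outside the scope of these rules and must be disabled or authenticated separately, as the next reply notes.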
Re: Iptables configuration for a transparent proxy for a single user
On Fri, May 15, 2009 at 2:00 PM, unknown wrote:
> ...
> Any possible vulnerabilities here?

make sure control port is disabled or properly authenticated; otherwise a good setup.

an improvement is whitelisting the Tor process with direct access while all other traffic is transparently re-routed through Tor. this protects against attacks where embedded content or network filesystem based URIs are used to initiate requests through a kernel subsystem or other process not associated with the anonymous Tor network user. (this is a relevant issue on Windows, less so on unix-like systems)

best regards,
Re: TOR and HADOPI
On Sat, 2009-05-16 at 10:05 +0200, Noiano wrote:
> cha...@gmail.com wrote:
> > Hello,
> >
> > Does anyone know where to find a "how to use TOR against HADOPI"?
> >
> > (Hadopi is the new law in France about P2P: if you download some music
> > or movie with a P2P system, the provider will send you a mail to say
> > stop; if you continue, they send a real letter and after that, they stop
> > your connection and FINE you (and you will continue to pay the provider but
> > you will have no right to have an internet connection :-(( )
> > - http://www.p2pnet.net/story/21764 - )
> >
> > Thanks
>
> You'd better use some VPN service like IPREDator (info here
> http://arstechnica.com/telecom/news/2009/03/the-pirate-bay-to-roll-out-secure-vpn-service.ars).
> Tor is not suitable for P2P.
>
> Noiano

You could also try i2p for torrents / emule. If you're running Deluge, you can set peer, tracker, webseed, and DHT proxies independently, so you could use i2p for the actual data and Tor for the tracker (that is a supported p2p use of Tor). You could also switch your P2P to GNUnet, which, while young, shows a lot of promise IMO.
Re: TOR and HADOPI
cha...@gmail.com wrote:
> Hello,
>
> Does anyone know where to find a "how to use TOR against HADOPI"?
>
> (Hadopi is the new law in France about P2P: if you download some music
> or movie with a P2P system, the provider will send you a mail to say
> stop; if you continue, they send a real letter and after that, they stop
> your connection and FINE you (and you will continue to pay the provider but
> you will have no right to have an internet connection :-(( )
> - http://www.p2pnet.net/story/21764 - )
>
> Thanks

You'd better use some VPN service like IPREDator (info here http://arstechnica.com/telecom/news/2009/03/the-pirate-bay-to-roll-out-secure-vpn-service.ars). Tor is not suitable for P2P.

Noiano