Re: Yet another UDP / DNS question...

2011-02-13 Thread Tomasz Moskal
> Yes if you redirect DNS requests to Tor's DNSPort you should be safe
> against DNS leaks.

Do I have to use AutomapHostsOnResolve 1 as well? Seems to be pointless
without defining AutomapHostsSuffixes.

> I guess you are talking about a local setup without a middlebox
> involved. If my assumption is correct you want to refer to the
> following section in the document:
>
> https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy#LocalRedirectionThroughTor

Thanks for clarifying that! Now I need to read some more about iptables.
One more question: will those rules route all UDP traffic to port 53 or
just DNS requests? What will happen with UDP not relating to DNS?

-- 
Tomasz Moskal ramshackle.industr...@gmail.com
Encrypted mail preferred. Key ID: 2C323C82







Re: Yet another UDP / DNS question...

2011-02-13 Thread tagnaq
On 02/13/2011 03:20 PM, Tomasz Moskal wrote:
> Do I have to use AutomapHostsOnResolve 1 as well? Seems to be pointless
> without defining AutomapHostsSuffixes.

No, it is not pointless, because even if you do not use
AutomapHostsSuffixes in your config, .exit and .onion are
AutomapHostsSuffixes by default.

> One more question: will those rules route all UDP traffic to port 53 or
> just DNS requests? What will happen with UDP not relating to DNS?

The UDP rules in the LocalRedirectionThroughTor section:
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy#LocalRedirectionThroughTor

redirect only UDP packets with destination port 53 (usually DNS
requests) to the DNSPort. All other outgoing UDP traffic is
blocked/rejected with the last rule:
iptables -A OUTPUT -j REJECT

The penultimate rule:
iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
would allow a program running with the $TOR_UID to send UDP traffic.

I would suggest adding -p tcp to that rule.


***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
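To make the description of those rules concrete, here is an added example (not code from the thread or the Tor wiki) that models the netfilter OUTPUT path for locally generated packets and evaluates a few constructed packets against the rules as quoted in this reply and in the original question further down; the UIDs, addresses and ports are made up.

```python
# Added example (not from the thread or the Tor wiki): a model of the netfilter
# OUTPUT path for locally generated packets, run over constructed packets.
from dataclasses import dataclass, replace

TOR_UID = 109      # constructed: the UID Tor runs as, as in the thread
USER_UID = 1000    # constructed: an ordinary desktop user

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    dst: str
    dport: int
    uid: int          # owner of the sending socket (-m owner --uid-owner)
    new: bool = True  # False = conntrack state ESTABLISHED/RELATED

# Predicates model iptables matches; a rule is (predicate, target).
def owner(uid):       return lambda p: p.uid == uid
def udp_dport(port):  return lambda p: p.proto == "udp" and p.dport == port
def tcp_owner(uid):   return lambda p: p.proto == "tcp" and p.uid == uid
def established():    return lambda p: not p.new
def anything():       return lambda p: True

# nat OUTPUT: Tor's own sockets skip NAT; DNS (udp/53) goes to Tor's DNSPort.
NAT_OUTPUT = [(owner(TOR_UID), "RETURN"), (udp_dport(53), ("REDIRECT", 53))]

def filter_output(tor_tcp_only):
    """filter OUTPUT as quoted, optionally with '-p tcp' on the owner rule."""
    return [
        (established(), "ACCEPT"),
        ((tcp_owner if tor_tcp_only else owner)(TOR_UID), "ACCEPT"),
        (anything(), "REJECT"),  # last rule: rejects every protocol, not only UDP
    ]

def walk(chain, pkt, policy="ACCEPT"):
    """First matching rule decides; RETURN (or no match) yields the policy."""
    for pred, target in chain:
        if pred(pkt):
            return policy if target == "RETURN" else target
    return policy

def verdict(pkt, tor_tcp_only=False):
    """Return (dst, dport, filter verdict) for one locally generated packet.
    A REDIRECTed packet is still evaluated by filter OUTPUT; the quoted rules
    have no ACCEPT for loopback, so a redirected DNS query from an ordinary
    user hits the final REJECT (it fails closed rather than leaking)."""
    t = walk(NAT_OUTPUT, pkt)
    if isinstance(t, tuple):  # ("REDIRECT", port)
        pkt = replace(pkt, dst="127.0.0.1", dport=t[1])
    return pkt.dst, pkt.dport, walk(filter_output(tor_tcp_only), pkt)
```

Whether redirected queries actually reach DNSPort depends on the filter chain accepting loopback traffic, which is worth checking in the full rule set of the wiki section linked above.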


Re: Yet another UDP / DNS question...

2011-02-13 Thread tagnaq
On 02/13/2011 05:21 PM, Tomasz Moskal wrote:
> OK, so to wrap it all up last (hopefully!) couple of questions...
>
> iptables script/rules set:
>
> #!/bin/sh
>
> # the UID Tor runs as
> TOR_UID=109
>
> iptables -F
> iptables -t nat -F
>
> # Redirects DNS traffic to the local port 53
> iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
>
> # Allow a program running with the $TOR_UID to send UDP traffic
> iptables -A OUTPUT -p udp -m owner --uid-owner $TOR_UID -j ACCEPT
Why did you add -p udp here? Tor uses TCP.

> # Block/reject all outgoing UDP traffic
> iptables -A OUTPUT -j REJECT
This rule does not block UDP only, it rejects all traffic including UDP
(if a packet makes its way to the last line).

If this is your full iptables setup it doesn't make much sense to me.
You might have misunderstood my earlier reply.

But let's go one step back:
I'm wondering why one would want to setup DNSPort configuration without
TransPort.
I see two obvious use cases but neither matches yours:

scenario 1)
firefox+polipo+torbutton enabled
in such a setup there is no need for DNSPort + iptables if you are only
worried about firefox traffic

scenario 2)
you want to route all TCP traffic through Tor:
setup includes TransPort + DNSPort Setup (to prevent DNS leaking) +
iptables rules + Torbutton (transparent torification setting)

Could you describe your use case + threat model?

> On my machine Tor seems to have different UID after each restart (at
> least this is what ps -A | grep -w tor tells me). How can I force it
> to always use the same UID? According to this thread
> http://ubuntuforums.org/showthread.php?t=800066a I can't change it
> when Tor is already running so my guess is I should force it to use
> the chosen UID before it even starts.

I wonder why your uid should be different every time you reboot, but you
can also use the name of the user instead of the numerical value.

> I couldn't find anything in man iptables about -m owner - should I
> replace owner with my login or is it to match Tor through --uid-owner
> $TOR_UID?

The word 'owner' after -m is _not_ a variable that needs to be
replaced. It is the match extension module name.




Re: Yet another UDP / DNS question...

2011-02-13 Thread Tomasz Moskal
> Could you describe your use case + threat model?

I'm terribly sorry for the chaos I'm causing but right now I'm a very small
and confused person :-) Let me start from the beginning...

I'm using Privoxy + Tor combination. For Privoxy to properly handle
TCP/HTTP requests and send them over Tor network I have listen-address
127.0.0.1:8118 in my /etc/privoxy/config. Then, to make sure that
Privoxy will be used globally, I added those four lines
to /etc/environment:
http_proxy=http://127.0.0.1:8118/;
https_proxy=https://127.0.0.1:8118/;
HTTP_PROXY=$http_proxy
HTTPS_PROXY=$https_proxy
Now all TCP/HTTP traffic should go through Privoxy - Tor combination,
at least in theory. As I understand Wireshark is the tool I should use
to verify if that is what is happening in reality. I compiled Wireshark
but don't understand yet how to use it so I will come back to verify
routing of TCP/HTTP when I understand what I'm doing.
Next, I tried to use torsocks to make sure UDP/DNS requests are resolved
through Tor. To accomplish that I added to /etc/privoxy/config
forward-socks4a   /   127.0.0.1:9050 .
forward-socks5    /   127.0.0.1:9050 .
My /etc/torsocks.conf looks like this:
local = 127.0.0.0/255.128.0.0
local = 127.128.0.0/255.192.0.0
local = 169.254.0.0/255.255.0.0
local = 172.16.0.0/255.240.0.0
local = 192.168.0.0/255.255.0.0
server = 127.0.0.1
server_port = 9050
But I have two problems with using torsocks:
1. Not all applications seem to work with it, for example when I
try usewithtor empathy I'm getting a Segmentation fault, which is
probably due to the problems with rejecting UDP:

torsocks allows you to use most socks-friendly applications in a safe
way with Tor. It ensures that DNS requests are handled safely and
explicitly rejects UDP traffic from the application you're using. (from
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorifyHOWTO)

2. I would need to usewithtor every single application on my system to
make sure DNS requests are resolved through Tor.

Then I came across Transparently Routing Traffic Through Tor
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy.
And this is where more confusion and problems started! What I want to achieve
with this wiki is to make sure all UDP/DNS requests will be sent through Tor.
Now I intend to follow Local Redirection Through Tor from the mentioned wiki to
the letter and that will hopefully resolve the case of leaking DNS.


> > # Block/reject all outgoing UDP traffic
> > iptables -A OUTPUT -j REJECT
> This rule does not block UDP only, it rejects all traffic including
> UDP (if a packet makes its way to the last line).
 
So if I go ahead with the set-up from Local Redirection Through Tor it
will allow out just the traffic going through Tor, stopping any and every
kind of non-Tor traffic from leaving my machine. But if I want to allow
traffic from certain applications I could do it by setting up exceptions
in iptables, right? And furthermore, with this solution there will be no
need for me to use torsocks any more, yes?

> > iptables -A OUTPUT -p udp -m owner --uid-owner $TOR_UID -j ACCEPT
> Why did you add -p udp here? Tor uses TCP.
 
My mistake! Fixed now.

> I'm wondering why one would want to setup DNSPort configuration without
> TransPort.

That would be lack of knowledge on my part; I misunderstood the information
from the wiki. I got confused by this comment
http://www.hermann-uwe.de/blog/howto-anonymous-communication-with-tor-some-hints-and-some-pitfalls#comment-80205
which doesn't mention TransPort and thus I thought it is not necessary.

 
> I wonder why your uid should be different every time you reboot, but you
> can also use the name of the user instead of the numerical value.

Well I can't tell you why but that's how it is. To double check I rebooted
twice just now and ps -A | grep -w tor each time gave me a different UID
for tor.

-- 
Tomasz Moskal ramshackle.industr...@gmail.com
Encrypted mail preferred. Key ID: 2C323C82




Re: Yet another UDP / DNS question...

2011-02-13 Thread Robert Ransom
On Sun, 13 Feb 2011 18:50:19 +
Tomasz Moskal ramshackle.industr...@gmail.com wrote:

> > I wonder why your uid should be different every time you reboot, but you
> > can also use the name of the user instead of the numerical value.
> >
> Well I can't tell you why but that's how it is. To double check I rebooted
> twice just now and ps -A | grep -w tor each time gave me a different UID
> for tor.

That's a process ID, not a user ID.


Robert Ransom




Re: Yet another UDP / DNS question...

2011-02-13 Thread Tomasz Moskal
On Sun, 2011-02-13 at 11:04 -0800, Robert Ransom wrote:

> That's a process ID, not a user ID.
Arrrgh! My brain is slowly melting. I think what I will do now is to
give up on Tor and attempts to understand it. I will explore more how to
properly and effectively use Linux. Then I shall delve some more into
basic concepts behind Internet Protocols and THEN, just then, I will
come back to Tor. Well, see you folks in a year or two!

-- 
Tomasz Moskal ramshackle.industr...@gmail.com
Encrypted mail preferred. Key ID: 2C323C82




Re: Yet another UDP / DNS question...

2011-02-12 Thread tagnaq
On 02/12/2011 05:30 AM, Tomasz Moskal wrote:
> I was reading Transparently Routing Traffic Through Tor
> https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy
> and although I don't need to run Tor as a transparent proxy I like the
> idea of routing the UDP/DNS requests to localhost. If I reroute
> all those requests with iptables to the port on which Tor is
> listening I should have no problems with DNS leaking, right?

Yes if you redirect DNS requests to Tor's DNSPort you should be safe
against DNS leaks.

> 3. iptables
>
> iptables -t nat -A OUTPUT -o lo -j RETURN
> iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
> iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
> iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
> iptables -A OUTPUT -j REJECT

I guess you are talking about a local setup without a middlebox
involved. If my assumption is correct you want to refer to the following
section in the document:
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy#LocalRedirectionThroughTor

As far as I can see you copied parts of the iptables rules from the
middlebox setup in this section:
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy#LocalRedirectionandAnonymizingMiddlebox




Yet another UDP / DNS question...

2011-02-11 Thread Tomasz Moskal

I feel that I should explain something before I start asking any
questions so here we go: I'm a fresh convert to Linux (barely a few weeks
on Ubuntu!) and as much as I'm fascinated by the matters relating to
networking, security and anonymity, in equal measure I'm intimidated by
them. I don't possess any deep knowledge of those topics, I still barely
can handle the basics. But with the wealth of knowledge out there and a
healthy dose of experimentation I intend to change this. So if my
questions are naive (or plainly stupid) please bear in mind that I'm new
here. And now for what is bothering me...

I was reading Transparently Routing Traffic Through Tor
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy
and although I don't need to run Tor as a transparent proxy I like the idea of
routing the UDP/DNS requests to localhost. If I reroute all those requests
with iptables to the port on which Tor is listening I should have no problems
with DNS leaking, right? That should do the trick then:

1. torrc

DNSPort 53
DNSListenAddress 127.0.0.1

2. resolv.conf

nameserver 127.0.0.1

3. iptables

iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
iptables -A OUTPUT -j REJECT

I'm not an expert regarding iptables and 'man iptables' is *very*
frightening for someone who barely slides on the surface of all this.
From step three above I sort of understand the purpose of rules three and
four but the rest of them... Are they needed in this example or can they be
safely omitted? If in fact they are required for this set-up to work,
what is their purpose? I will of course replace $INT_IF and $TOR_UID
with the required values.


-- 
Tomasz Moskal ramshackle.industr...@gmail.com
Encrypted mail preferred. Key ID: 2C323C82



