[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #5741 [Tor bundles/installation]: TBB proxy bypass: Some DNS requests not going through Tor



#5741: TBB proxy bypass: Some DNS requests not going through Tor
-----------------------------------------+----------------------------------
    Reporter:  cypherpunks               |       Owner:  erinn          
        Type:  defect                    |      Status:  closed         
    Priority:  blocker                   |   Milestone:                 
   Component:  Tor bundles/installation  |     Version:                 
  Resolution:  fixed                     |    Keywords:  MikePerry201205
      Parent:                            |      Points:  3              
Actualpoints:  3                         |  
-----------------------------------------+----------------------------------

Comment(by unknown):

 Replying to [comment:21 mikeperry]:

 > For people who use layered defenses: Please add iptables rules/AppArmor
 rules/whatever rules that LOG violations so we can learn about them.

 I check following corrected steps:

 === Prevent and LOG any potential DNS-leakage with iptables (Debian
 GNU/Linux way) ===
 Edit /etc/login.defs, replace "ENCRYPT_METHOD DES" to "ENCRYPT_METHOD
 SHA-512"
 #default DES is equivalent to 8-symbols passwords for groups and insecure

 Run command for create system tbb-group with password and without shell:

 `addgroup --system tbb-tor`

 Check that you use rsyslog and not a syslog daemon:

 `dpkg -L rsyslog`

 or install it:

 `apt-get install rsyslog`

 Create a file /etc/rsyslog.d/iptables.conf with the following contents:

 {{{

 :msg, contains, "iptables" -/var/log/iptables.log
 & ~

 }}}
 Create a file /etc/logrotate.d/iptables with the following contents:

 {{{
 /var/log/iptables.log{

 ÂÂÂ daily
 ÂÂÂ rotate 5
 ÂÂÂ missingok
 ÂÂÂ notifempty
 ÂÂÂ delaycompress
 ÂÂÂ compress
 ÂÂÂ postrotate
 ÂÂÂ ÂÂÂ invoke-rc.d rsyslog reload > /dev/null
 ÂÂÂ endscript

 }
 }}}
 Restart syslog:

 `/etc/init.d/rsyslog restart`

 Add this rules to your firewall script and restart it:

 {{{
 $IPTABLES -t nat -A OUTPUT -o lo -j RETURN
 $IPTABLES -t nat -A OUTPUT -d 127.0.0.1 -j RETURN

 #tor anonymous users;

 DIRECT_OUT_GID="tbb-tor" #group id for TBB

 TOR_UID="debian-tor" #system tor (if you use it)
 # with options:
 # AutoMapHostsOnResolve 1
 # TransPort 9040
 # DNSPort 53

 ANONYMOUS_UID="toranonymoususer" #if you use anonymous transparent
 torification to system tor

 #anonymous user runs programs with transparent torification to system tor
 #(if you use it):

 $IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner $ANONYMOUS_UID !
 --gid-owner $DIRECT_OUT_GID -m tcp --syn  -j REDIRECT --to-ports 9040
 $IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner $ANONYMOUS_UID !
 --gid-owner $DIRECT_OUT_GID -m udp --dport 53 -j REDIRECT --to-ports 53

 $IPTABLES -t nat -A OUTPUT -m owner --uid-owner $ANONYMOUS_UID ! --gid-
 owner $DIRECT_OUT_GID  -j LOG --log-prefix "iptables $ANONYMOUS_UID
 redirect" #some potential leakages redirected to localhost and  not going
 away
 $IPTABLES -t nat -A OUTPUT -m owner --uid-owner $ANONYMOUS_UID ! --gid-
 owner $DIRECT_OUT_GID  -j DNAT --to-destination 127.0.0.1

 #Accept output for system-tor itself (if you use it)
 $IPTABLES -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT

 #Direct output for TBB without udp and tcp 53 port
 $IPTABLES -A OUTPUT -m owner  --gid-owner $DIRECT_OUT_GID ! -p tcp -j LOG
 --log-prefix "iptables tbb reject: "
 $IPTABLES -A OUTPUT -m owner  --gid-owner $DIRECT_OUT_GID ! -p tcp -j
 REJECT

 $IPTABLES -A OUTPUT -m owner  --gid-owner $DIRECT_OUT_GID -p tcp --dport
 53 -j LOG --log-prefix "iptables tbb reject: "
 $IPTABLES -A OUTPUT -m owner  --gid-owner $DIRECT_OUT_GID -p tcp --dport
 53 -j REJECT

 $IPTABLES -A OUTPUT -m owner  --gid-owner $DIRECT_OUT_GID -j ACCEPT
 }}}
 Run tor-browser with sg from x-terminal emulator:

 `sg tbb-tor -c start-tor-browser.sh`

 Watch /var/log/iptables.log with your favorite parser.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5741#comment:22>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs