
Filtering traffic from your node - for exit points



Up to now I thought it was impossible to filter what tor users do through our tor exit nodes. A little experimentation later I've found a way to limit what users can or cannot do. Please do check if filtering content is legal according to the laws of your country. Personally I have decided that I'd rather be investigated because of filtering illegal materials than be investigated because I was helping a criminal. Do whatever you wish with the information provided. You may not like the filtering - but every exitpoint operator can decide for himself what he wants to do.

You will need:

- a Linux server, running iptables (with iptables and iptable_nat support) and with universal tun/tap support
    . Check your .config for CONFIG_TUN=[m|y] for tun/tap support
    . Check your .config for CONFIG_IP_NF_NAT=[m|y] for NAT support
    . http://www.netfilter.org/projects/iptables/files/iptables-1.3.8.tar.bz2
        
- tunctl
    . (google for tunctl.c ; gcc tunctl.c -o tunctl )

- squid (tested with 2.6STABLEx)
    . You can fetch it from http://www.squid-cache.org

- dansguardian (tested with 2.9.x.x)
    . Fetch it from http://dansguardian.org/
    
- blacklists from http://www.urlblacklist.com/
    . You are allowed one free download, if you find their
      service useful, please subscribe.
      
- an IP from a private subnet you're not using (for this example, we'll use 192.168.253.1/24)

- to ensure that neither squid nor dansguardian are accessible from the Internet
    
1) Create the tunnel device where tor will make its outbound connections from

# modprobe tun
# tunctl
# ifconfig tap0 192.168.253.1 netmask 255.255.255.0

2) Disable access to both squid and dansguardian from the Internet.

I will be using port 3128 for squid, and 8080 for dansguardian (default settings - you can alter them if you wish). In my setup ppp0 is where the Internet is connected to my tor node, so (if eth1 is your public interface, substitute eth1 for ppp0):

# iptables -I INPUT -i ppp0 -p tcp --dport 8080 -j DROP
# iptables -I INPUT -i ppp0 -p tcp --dport 3128 -j DROP

3) Install squid (compile if necessary, you won't need any special configuration switches) and before running squid change the following in your squid.conf (it will be either in /etc/squid/squid.conf or /usr/local/squid/etc/squid.conf):

"http_port 3128" -> "http_port 3128 transparent"
    It will now be able to act as a transparent proxy
    
"cache_mem 8M" -> whatever you want it to be
    If you have RAM to spare it should speed things up a bit.
    
"maximum_object_size 4096 KB" -> "maximum_object_size 1 KB"
    Or you'll end up with users' content in your cache - which I don't want.
    
"http_access allow manager localhost" -> "#http_access allow manager localhost"
    Dansguardian will be accessing squid with the source IP of 127.0.0.1, so in this way we disable the access to the manager.
    
And add

"http_access allow localhost" into the squid.conf, but do make sure it comes before the "http_access deny all" directive.

4) Install dansguardian. (If you need to compile it from the tarball - again, there are no special directives you need.) Your configuration should be in /etc/dansguardian/ or /usr/local/etc/dansguardian/.

5) Fetch the Blacklist from http://www.urlblacklist.com/ (Remember, only the first download is free. Be nice, don't abuse the service.). Unpack them into /etc/dansguardian/lists/blacklists (or /usr/local/etc/dansguardian/lists/blacklists). The ./lists/blacklists folder should already exist in the dansguardian configuration directory.

6) Configure dansguardian.conf:

"filterport = 8080"
"proxyip = 127.0.0.1"
"proxyport = 3128"

"maxuploadsize = 16"
(to disable the spreading of unwanted materials over your node - 16kB of POST data should be enough for most legal uses).

Unless you want antivirus scanning of transferred files also disable all contentscanners ("#contentscanner = ...")
For most uses you will also need to disable the authplugins ("#authplugin = ").
If you want to disable logging (please check your laws for what you can or cannot do): "nologger = on"

7) Configure dansguardianf1.conf: (this is the configuration for the 1st (and probably only) group on your server)
Do check that the criteria by which you want to filter are uncommented (i.e., no # at the start of the line). I suggest leaving all of them on.

8) Configure lists/bannedextensionlist:

.asx  # Windows Media Audio / Video
.rar  # Similar to zip
.mp3  # Music file
.mpeg # Movie file
.mpg  # Movie file
.avi  # Movie file
.asf  # this can also exploit a security hole allowing virus infection
.iso  # CD ISO image
.ogg  # Music file
.wmf  # Movie file
.bin # CD ISO image
.cue # CD ISO image

9) Configure lists/bannedmimetypelist:

audio/mpeg
audio/x-mpeg
audio/x-pn-realaudio
audio/x-wav
video/mpeg
video/x-mpeg2
video/x-msvideo
video/msvideo
application/gzip
application/x-gzip
application/zip
application/compress
application/x-compress
#application/java-vm

10) Configure lists/bannedphraselist: (watch out for /etc/dansguardian vs. /usr/local/etc/dansguardian)

.Include</usr/local/etc/dansguardian/lists/phraselists/pornography/banned>

11) Configure lists/bannedurllist: (mine looks like this, again watch out for /etc/dansguardian vs. /usr/local/etc/dansguardian)
.Include</usr/local/etc/dansguardian/lists/blacklists/adult/urls>
.Include</usr/local/etc/dansguardian/lists/blacklists/aggressive/urls>
.Include</usr/local/etc/dansguardian/lists/blacklists/audio-video/urls>
.Include</usr/local/etc/dansguardian/lists/blacklists/hacking/urls>
.Include</usr/local/etc/dansguardian/lists/blacklists/porn/urls>
.Include</usr/local/etc/dansguardian/lists/blacklists/proxy/urls>
.Include</usr/local/etc/dansguardian/lists/blacklists/violence/urls>
.Include</usr/local/etc/dansguardian/lists/blacklists/virusinfected/urls>
.Include</usr/local/etc/dansguardian/lists/blacklists/warez/urls>

12) Now alter your torrc (either /etc/torrc or /usr/local/etc/torrc) and add the following line to the configuration:

OutboundBindAddress 192.168.253.1

Do not restart tor just yet.

13) Start up squid and dansguardian. Set your browser's proxy setting to <your_private_IP>:8080 and check whether the proxy system works as desired. If your dansguardian is not listening on port 8080, alter your browser settings accordingly.

14) If you're happy with how things look, we can redirect tor to use our proxy setup.

# iptables -t nat -I OUTPUT -s 192.168.253.1 -p tcp --dport 80 -j DNAT --to 192.168.0.1:8080
# iptables -t nat -I OUTPUT -s 192.168.253.1 -p tcp --dport 443 -j DNAT --to 192.168.0.1:8080

(192.168.0.1 is the private IP of my server, and my exit policy contains only ports 80 and 443 - if you need to alter it, I'm pretty sure you know how you can do it).

15) You can restart tor now.

If everything is working fine, you will filter content you don't deem appropriate. Please do check your laws as to whether you can log, should log, or are prohibited from logging. Filtering per se should not be a problem (but do check about that too). You are configuring your server in this way at your own risk - there are no guarantees that this will work or that it is allowed under your laws - but I'm pretty sure it will at least limit what people can do to some reasonable traffic.

Don't forget the side effect - that the more questionable material we filter the more remains to be used in legal ways.

D.
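
The squid.conf edits from step 3, including the requirement that "http_access allow localhost" comes before "http_access deny all", can be checked mechanically. The script below is an added example, not part of the original post; the function name audit_squid_conf and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a squid.conf (on stdin or as a file argument) against
# the step 3 settings. Prints one line per problem; returns 0 if all pass.
audit_squid_conf() {
    awk '
        # Drop comments, collapse whitespace, skip empty lines.
        { sub(/#.*/, ""); gsub(/[ \t]+/, " "); gsub(/^ | $/, "") }
        $0 == "" { next }
        $1 == "http_port" && $2 ~ /(^|:)3128$/ && $0 ~ / transparent( |$)/ { tp = 1 }
        $1 == "maximum_object_size" { maxobj = $2 " " $3 }
        $0 == "http_access allow manager localhost" { mgr = NR }
        # squid applies the first matching http_access rule, so order matters.
        $0 == "http_access allow localhost" && !allow { allow = NR }
        $0 == "http_access deny all" && !deny { deny = NR }
        END {
            if (!tp) { print "http_port 3128 lacks the transparent option"; bad = 1 }
            if (maxobj != "1 KB") { print "maximum_object_size is not 1 KB"; bad = 1 }
            if (mgr) { print "line " mgr ": cache manager still allowed for localhost"; bad = 1 }
            if (!allow) {
                print "http_access allow localhost is missing"; bad = 1
            } else if (deny && deny < allow) {
                print "line " allow ": allow localhost comes after deny all (line " deny ")"
                bad = 1
            }
            exit bad + 0
        }
    ' "$@"
}

# Constructed sample: manager rule left active, allow rule placed too late.
sample_bad() {
    cat <<'EOF'
http_port 3128 transparent
cache_mem 8 MB
maximum_object_size 4096 KB
http_access allow manager localhost
http_access deny all
http_access allow localhost
EOF
}

# Constructed sample: the configuration that step 3 produces.
sample_good() {
    cat <<'EOF'
http_port 3128 transparent
maximum_object_size 1 KB
#http_access allow manager localhost
http_access allow localhost
http_access deny all
EOF
}

sample_bad | audit_squid_conf || echo "sample_bad: fix the lines above"
```

Against a real installation, pass the path of your own squid.conf as the argument instead of piping in a sample.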

