[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] almost success toward complete tor enforcement, need little help now



On Tue, Sep 18, 2012 at 8:44 AM, Raviji <raviji157@xxxxxxxxx> wrote:

> Dear list,
>
> I wonder if I can setup a box which provides complete traffic enforcement
> through tor.
> The tails project has encouraged me to work in that direction. With the
> tails documentations and with
> some online guide like
>
> https://cryptoanarchy.org/wiki/Build_your_own_livething
>
> I am able to setup my running debian system almost a tor encrypted box,
> with some small hitches which I belief can easily be solved with your
> technical guidance.
>
>
> obfsproxy issue
> =================
>
> I have installed tor,pdnsd,ttdnsd,obfsproxy,polipo,vidalia
> I have already collected the obfs IP address from a running tor bundle and
> then placed all those
> at /etc/tor/torrc. tor is running with obfs.
>
> [Q] How can I check online that obfs is functional ?
> https://check.torproject.org/ simply shows
> tor is running, but no obfs related information.
>
> polipo and firewall
> =====================
>
> Browsers configured to use polopo ( tor as parent) and the online check is
> successful (https://check.torproject.org/)
>
> [Q] Is polipo really fast ? I hardly see any advantage comparing direct
> tor connection with out polipo.
>
> [Q] What is the iptables rule to redirect all 80 and 443 traffic through
> polipo 8118 port ? Then no configuration is
> required at browser level.
>
> DNS and firewall
> =================
>
> I am using pdnsd (caching DNS proxy server) and ttdnsd ( udp to tcp
> converter )
>
> /etc/pdnsd.conf content with this:
>
> global {
>    perm_cache = 2048;
>    cache_dir = "/var/cache/pdnsd";
>    run_as = "pdnsd";
>    server_ip = 127.0.0.1;
>    status_ctl = on;
>    min_ttl = 15m;
>    max_ttl = 1w;
>    timeout = 120;
> }
>
> # Tor DNS resolver
> server {
>    label = "tor";
>    ip = 127.0.0.1;
>    port = 8853;
>    uptest = none;
>    exclude=".invalid";
>    policy=included;
>    proxy_only = on;
>    lean_query = on;
> }
> # ttdnsd
> server {
>    label = "ttdnsd";
>    ip = 127.0.0.2;
>    port = 53;
>    uptest = none;
>    exclude=".invalid",".exit",".onion";
>    policy=included;
>    proxy_only = on;
>    lean_query = on;
> }
>
>
> /etc/tor/torrc has
>
> DNSPort 8853
> AutomapHostsOnResolve 1
> AutomapHostsSuffixes .exit,.onion
>
> So ttdnsd running at port 53 at 127.0.0.2 and tor dns at 127.0.0.1 port
> 8853.
>
> But nmap shows ( #nmap -p 1-65535 localhost )
>
> PORT      STATE SERVICE
> 22/tcp    open  ssh
> 25/tcp    open  smtp
> 53/tcp    open  domain
> 111/tcp   open  rpcbind
> 631/tcp   open  ipp
> 8118/tcp  open  privoxy
> 9040/tcp  open  tor-trans
> 9050/tcp  open  tor-socks
> 9051/tcp  open  tor-control
>
> no open port for tor-dns
>
> [Q] How can I enforce all udp to go through local DNS port and which one
> 53 or 8853 ?
>
> <...>
> iptables -t nat -A OUTPUT ! -o lo -p udp -m udp --dport 53 -j REDIRECT
> --to-ports 53
> iptables -t filter -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
> <...>
>
> is not working. Can't do any dns resolution, even ping failed to gmail.com
>
>
> iptables to route all traffic and blocked all non tor
> ======================================================
>
> LAN and lo (localhost) don't need to go through tor
>
> port 80/443 should go through poliop port 8118,
> all dns query should go through local 53 ( or 8853 ? ) port
>
> And the rest of the traffic should go through tor 9050 port, anything left
> should be dropped.
> The example iptables given at tails site is not working for me. Could
> anyone kindly give such a
> rule sets please ?
>
> Many many thanks for designing tor :-)
>
>
>
>
>
>

This was answered in your first post. Please check your first post and read
the post by:  adrelanos
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk