
Re: Anonymous/Nonymous Communication Coexisting?





----- Original Message -----
From: "Marcel" <u-281@xxxxxxx>
To: <or-talk@xxxxxxxxxxxxx>
Sent: Wednesday, June 08, 2005 6:38 PM
Subject: Re: Anonymous/Nonymous Communication Coexisting?


* maillist (maillist@xxxxxxxxxxxx) wrote:
Hi,
I'm running Tor on my router (Debian Sid) that transparently proxies connections through Tor. This way you don't need to configure any clients.

for HTTP traffic:
client - iptables (identification by ports and L7) - squid - privoxy - tor - server

and for everything else:
client - iptables - transsocks - tor - server

I'm controlling with iptables what gets proxied and what not; everything else is proxied through Tor except VPN connections and connections to a couple of trusted servers. UDP, ICMP and other protocols except TCP are dropped at the router. This way connections by software and games that "call home" are also proxied through Tor.

Markus

I'd be very happy to see an example of those iptables rules, Markus. Sounds pretty clever to me as a configuration.


I ran into some problems with L7, so here are the rules without L7 classification (very simple, not scalable at all, written only for my environment):


#!/bin/sh

# 192.168.10.1 = router
# 192.168.10.10 = workstation to proxy
# 192.168.10.1:3128 = Squid
# 192.168.10.1:1211 = Transsocks

INCLUDE="192.168.10.10"
EXCLUDE="192.168.0.0/16 127.0.0.1 10.12.77.0/24"

# Exceptions: destinations that are never proxied
for exception in ${EXCLUDE} ; do
        iptables -t nat -A PREROUTING --dst ${exception} -j RETURN
done

# Avoid feedback loops
#iptables -t nat -A PREROUTING -m owner --cmd-owner transocks -j RETURN

# Send to transocks
for host in ${INCLUDE} ; do
        #iptables -t nat -A PREROUTING -s ${host} -p tcp -j LOG --log-level info --log-prefix "SOCKSify "
        # HTTP goes to Squid, unless the destination is the router itself
        iptables -t nat -A PREROUTING -s ${host} ! -d 192.168.10.1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
        #iptables -t nat -A PREROUTING -s ${host} -p tcp --dport 80 -j DNAT --to 192.168.10.1:3128
        iptables -t nat -A POSTROUTING -s ${host} -d 192.168.10.1 -j SNAT --to-source 192.168.10.1
        # All other TCP goes to transsocks
        iptables -t nat -A PREROUTING -s ${host} -p tcp -j REDIRECT --to-ports 1211
        # Everything else (UDP, ICMP, ...) is dropped
        iptables -t nat -A PREROUTING -s ${host} -j DROP
done

# Socksify traffic leaving this host:
#iptables -t nat -A OUTPUT -p tcp --syn -j PREROUTING


Markus
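As an added example (not Markus's script or any project code), the same transparent-Tor ruleset written as a generator: exceptions first, HTTP to Squid, other TCP to transsocks, and the non-TCP drop that the thread describes placed in the filter table. The IPT variable is an assumed dry-run knob (rules are printed unless IPT=iptables is set); addresses and ports are the ones from the thread.

```shell
#!/bin/sh
# Added example, not the original poster's script. Generates the transparent
# proxy rules described in the thread. IPT defaults to "echo iptables" so the
# rules are printed instead of applied; run as root with IPT=iptables to apply.

ROUTER="192.168.10.1"          # router running Squid (3128) and transsocks (1211)
INCLUDE="192.168.10.10"        # workstations forced through Tor
EXCLUDE="192.168.0.0/16 127.0.0.1 10.12.77.0/24"   # LAN and trusted destinations
IPT="${IPT:-echo iptables}"    # assumed dry-run knob

gen_rules() {
    # 1. Exceptions first: destinations that bypass the proxy chain entirely.
    #    They must precede the REDIRECTs, or Squid/transsocks would see them.
    for exc in ${EXCLUDE}; do
        ${IPT} -t nat -A PREROUTING -d "${exc}" -j RETURN
        ${IPT} -t filter -A FORWARD -d "${exc}" -j ACCEPT
    done
    for host in ${INCLUDE}; do
        # 2. HTTP to Squid (which chains to Privoxy and Tor); traffic aimed at
        #    the router itself is left alone.
        ${IPT} -t nat -A PREROUTING -s "${host}" ! -d "${ROUTER}" -p tcp --dport 80 \
            -j REDIRECT --to-ports 3128
        # 3. Every other TCP connection to transsocks, which hands it to Tor.
        ${IPT} -t nat -A PREROUTING -s "${host}" -p tcp -j REDIRECT --to-ports 1211
        # 4. Non-TCP (UDP, ICMP, ...) cannot be SOCKSified, so it is dropped in
        #    the filter table; otherwise e.g. DNS lookups would bypass Tor.
        ${IPT} -t filter -A FORWARD -s "${host}" ! -p tcp -j DROP
    done
}

# Number of rules that would be installed, for a quick sanity check.
rule_count() { gen_rules | wc -l | tr -d ' '; }

gen_rules
```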
