[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Linux kernel transproxy packet leak (w/ repro case + workaround)

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Linux kernel transproxy packet leak (w/ repro case + workaround)
From: elrippo <elrippo@xxxxxxxxxxxxxxxxx>
Date: Sat, 29 Mar 2014 10:28:08 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 29 Mar 2014 05:41:39 -0400
In-reply-to: <CAJ5w9HX66rm6mZSb9vh3_en3+8wMdM50LU4FLczY2s3N7Q8-Vw@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <20140328194312.GD31390@xxxxxxxxxxxxxx> <20140328213458.GE31390@xxxxxxxxxxxxxx> <CAJ5w9HX66rm6mZSb9vh3_en3+8wMdM50LU4FLczY2s3N7Q8-Vw@xxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

Good Morning.

Running 2.5.3 on all interfaces with privoxy on a desktop could look like
this. Hope this helps :D

1.) /etc/tor/torrc

VirtualAddrNetworkIPv4 172.16.0.0/12
TransPort 9040
AutomapHostsOnResolve 1
DNSPort 9053



2.) /etc/privoxy/config

listen-address  localhost:8118
forward-socks4 / 127.0.0.1:9050 .
forward-socks4a / 127.0.0.1:9050 .
forward-socks5 / 127.0.0.1:9050 .
accept-intercepted-requests 1



3.) Iptables-Script

/etc/tor/anonymity.bash
#!/bin/bash
# Let us call this script anonymity.bash and do some netfilter rules on the
local machine.

# Load the Kernel modules
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp
modprobe iptable_filter
modprobe iptable_nat
modprobe ipt_REJECT
modprobe xt_recent
modprobe ipt_mac

# Remove all rules
iptables -F
iptables -t nat -F
iptables -X

# Default Policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow Established and Related connetcions
iptables -A INPUT -i eth+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i wlan+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o wlan+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i usb+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o usb+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow localhostloop
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Ruleset for Tor Transparent Proxy and Privoxy
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner "debian-tor" -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 9053
iptables -t nat -A OUTPUT -p tcp -m tcp --syn --dport 80 -j REDIRECT --to-
ports 8118
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner "debian-tor" -j ACCEPT
for NET in 127.0.0.0/8; do
 iptables -A OUTPUT -d $NET -j ACCEPT
done
iptables -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
iptables -A OUTPUT -j REJECT

# Restart TOR
/etc/init.d/tor restart

# Restart PRIVOXY
/etc/init.d/privoxy restart






Am Samstag, 29. März 2014, 01:00:31 schrieb Soul Plane:
> On Fri, Mar 28, 2014 at 5:34 PM, Mike Perry <mikeperry@xxxxxxxxxxxxxx>wrote:
> > Here's a set of rules to try both --ctstate and --state invalid, as well
> > as log which ones get hit, for testing purposes. Note the use of -A in
> > this case, for readability wrt ordering. These rules should come before
> > any other rule in the OUTPUT chain section of the firewall script you
> > use:
> >
> > #iptables -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix
> > "Transproxy ctstate leak blocked: " --log-uid
> > iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
> > iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix
> > "Transproxy state leak blocked: " --log-uid
> > iptables -A OUTPUT -m state --state INVALID -j DROP
> >
> > iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp
> > --tcp-flags ACK,FIN ACK,FIN -j LOG --log-prefix "Transproxy leak blocked:
> > "
> > --log-uid
> > iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp
> > --tcp-flags ACK,RST ACK,RST -j LOG --log-prefix "Transproxy leak blocked:
> > "
> > --log-uid
> > iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp
> > --tcp-flags ACK,FIN ACK,FIN -j DROP
> > iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp
> > --tcp-flags ACK,RST ACK,RST -j DROP
> >
> > It's likely only the first pair is needed, and you may want to comment
> > out the --ctstate LOG line as I did to limit noise for successfully
> > handled --ctstate INVALID DROP blocks.
> >
> > I did test this with the above repro method, and --ctstate INVALID did
> > appear sufficient by itself, but reports of any --ctstate DROP rule
> > bypass happening will be tremendously useful (which will result in the
> > later LOG lines being hit, and sending output to 'dmesg').
>
> I have an Ubuntu middlebox to torify. It uses TransListenAddress,
> TransPort. One interface accepts incoming traffic that will be torified.
> The connections to the tor network go out on the other interface which can
> access the internet unrestricted. I can't find the original directions I
> used to set it up. The Torbox page I have commented in my config now says
> it's been replaced by Whonix. I tried the wiki there but it doesn't load:
> http://sourceforge.net/p/whonix/wiki/ Does what you're saying apply to a
> setup like mine? Thanks
--
We don't bubble you, we don't spoof you ;)
Keep your data encrypted!
Log you soon,
your Admin
elrippo@xxxxxxxxxxxxxxxxx

Encrypted messages are welcome.
0x84DF1F7E6AE03644

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)

mQINBFH797MBEAC0Y0NeI7lmDR9szTEcWuHuRe0r/WjSRC0Nr5nXsghuMcxpJ3Dd
BOBimi4hdMMK4iqPVMwNw6GpKYR3A9LHHjbYRXHUKrJmB+BaJVyzJXN5H6XvxTTb
UfX+DaXAGJW/G+3cBB3qm/QaU8QGkBKfXq0DLTaTGPkGKxEAldj/8onGZhawdJs+
B92JrW+S2HDh15pIuXzSqe7eCcIOdvvwfWe0fJi2AraA7LYGpxP6GcC/b9JJpbq5
Y6DfE2Aun9ZK3iHqURyrms0Whbv1CgmUahL2MVYCsTsXwe0GwlAxxKvjXAiXuo+R
9wO5wsXvVVSVNqsk9Yqi+wYzdPKndTU0GyxSApQHroF+cxaZ8Lk0xloj18+LdCSs
e5IiTSXH0MMsDdWWdHlrgk+bgDG+0Gu3ne4vMwGdKO7AhYgQW/ueMy4RnkG/nsV9
jry5BO4gGAI1Ij8KvqUzEnvJFGE3ptJogU+zazWWDUWmL3ecKb3aDRlJFnZ3kJ5h
q8GolZVjpk99V+4B5WVRPXdej/p5J19tXycK/jdNmr4oC8NyUhIpe8xHELnfoB4z
+rxiTx+KMnW0rY8EQg8O2ixEYt5my90IwQkxcxIxextVrqjJjYn8extc2/v8yGzI
KmTEJxdADB5v/Jx4HiLHNDSfBUb8gfONCkNSTYvTcSwTjWzHOkXeE/9ZbQARAQAB
tD5lbHJpcHBvIChrZWVwIHlvdXIgZGF0YSBlbmNyeXB0ZWQpIDxlbHJpcHBvQGVs
cmlwcG9pc2xhbmQubmV0PokCOAQTAQIAIgUCUfv3swIbLwYLCQgHAwIGFQgCCQoL
BBYCAwECHgECF4AACgkQhN8ffmrgNkT8+BAAoAXBqu4/O2Cs5FSWWZpzgScNEgq7
uHhOKeYmRfgKlOUPoYlPB1DBqdOAXSKb9OvsmyOvpoGnqijB7aAJBoyQYW/OCQgd
U8L4eTCf4yRZnfFLdgskcPfN1p0Rs/yinGEooBJFtYa7mT6J0UTW2JjCLZK2AFCW
oF+KBu5JICXGBXigb2ZbX1jWjxP5H1RidQw6HF5z4z34SjLWAOOeZ8B/Xfz6Fs0s
IAuLu2O4HE4DI8Qu196LhSVHHgr3uMTkvN1t5nKwyjrRQztwXXk9qIomII3ydNYb
BYAGdWNNMfLb1kmDwC5wQHAFvSP1aiMF3aKAY+gl2wXSGO6JqM0SteJS3dytIljI
kzu0atc9HuGs/HDQgdmpAS4WU2YefEr/WieltSiAKlwuC+3wg+CONJ6TE1vgNDU/
axerttb0jq7UQb/nAp05bsrB7XH1Vs+1ON9lUPEfWRmwQcrVK5JUrUWa/4tA/UeM
XvFcPFtFluGTlLewgJIqcvjPXFwpbDZprXJsMkwew/A6B6n3+0sbgf7p3QSGkVbi
dwQAymTbHdYqLnbcnKZhjto3Wjw1J5QB2wuiRYlpjV3i7AWTGlqoSTOWCCV+HamQ
qeFYNYAWNFx3+J/oi7xDi8t9bHVNA205equ+y2sj3G5uGJ6LSHQ8AXp9uOipUUvU
1MJN0yLXr9PIwvi5Ag0EUfv3swEQAL0+MnxHGrTjSYdfdua4SBpmytDONM1EngeY
s+WyaC/760MughKbaysI/nK2LB1vnwEY7f3NM4fxBx8u2T7VBm6Ez6Fs23Bb8Rkz
f97bPSdxCmg64GPHfLA9uwTIXcYS+MpI86WOf6eWY0rRpf7Y9Nl7YoUNvzOyUPqc
ggdcnHce8zYv7A/WS8flZDm8tVFPsHrQDEwNMws7ZhiNnHkeZeRJrvCuB7oEVich
O/ROYoA5o6NozWYQbjxe1f6Yur4Q10qgVcxVnyLFJSbg6vZSzL7KYh3Z5iBOzPHt
7cwEDrW8W4Kl2Qj8rhJ4Wxs94CAtua7IXK44sVZWQbyHcOXRikgGMZKkEZzVCQa5
KD1u1ZrcBCyuMAir0hsmS3jhCUwpiE2c3SRk8O8CgixhTcBk0X/k9ZFu3Hbi1JMB
FLzs/Nq3tYAYvVivhPloSxmYBPsafYHCZM83yBNNsralXh5zjB+di90G+AMXt2PN
LTcdovZuWtC0s8/jrx+zv/AA4FAGYU9OVl+YL9ybFX8gSdMEcixyzQcKfiFBjpWv
5iFrwIuDlaXMcheyrhc9aGOxfx44OXc505+VjO/1Q/8EOWlJ6UwOi6GMkj5T+RFJ
MDyP0UixS7dt6wTuD5t6PRuyWWxZswgrbL9hjwGFr154Z19TWeNWc23pWtUvQJos
UCxl2nFHABEBAAGJBD4EGAECAAkFAlH797MCGy4CKQkQhN8ffmrgNkTBXSAEGQEC
AAYFAlH797MACgkQJEPd69lQ0evA+Q/+M7lSFlrQWiRsFqDjh+kTJc+0OEBCvnfo
N2KPyXXbfc//qup55PfEygE6C60zvrlv3WE33GZ5GS5MLuDMP82b+a5Yt16NQU7L
WtAg1g0S0BvazW+28TgnfO8bhbGaFeE9ccw3xLmlbwZQ3f3LtMKdwFIROiG6hvAs
9U54QYti3tv9DowRYYWpdr0Ga8RqeGNtCKc0v2opy51MpzKWjwUW0i3XlSlyY8Lj
1KT8PyznNPw32nYpmDizz+0OUJNnn/kT+GnFoR3DJnFosTOrnxFJp+N+nejMp/gW
r9NM0/E7H+P53IiytBOt5/0vsOaCFGdYGhKEjmJi3dHS4Xk1ObD1mjdD1YDOlWWU
3Md6BDHd4W7Q8gT7oQfTIMLd3HzV+WNPIdocPLBaeA/tRD8Pg5CCmncAmSub4F5T
An7FlnACtSOv3cIWQ0TymS42DihDaJ5d1RvNzKw+zHYdPvf471JFZR3TDhkPbLIr
9czR7kbpnXRwchgwXQn306NVWf37TgA8wpbnFTazZ38iOeqcb9oKprqnbgEdr3PN
OhKSlMTkzAqf3MEi2Fyua4BADMhS3oBwCRgDTlt6wquEytpNSlZaHnyiyIgOpekF
Uy5K3w8NhHqeifRPrNb/UcCbXtXz+puqIEZHMenpv6FRlTTKpdoHoVXSkp1TPMGN
/VaCiLbP4Z3xEw/9EbAJJkhmmx1Qw3ueoqc4h1MmhUtIdxSZ/oA9SjwlnY++zvaZ
6w1wTS4P+OUkETNDtItdpxXMJ9qfSy9voAQc2K43WMZCCmpPJYSdqaZZNPFj+Ne8
6FNtNKuUkXREybpHwlVAXnHzInmFOOM9RAmF70r3zEmKt77W1ztBLo2o9X79gPgL
u9ThgrH6Oc2k46n+9nc3joccr7miiX/bp976DNWcWdOYThiSSOCb8Zw9/Zs935i1
wUVkYTj24tmBH4H5ov9ib7RPmU21ru458RbUKG0ONAqBtAHNyXHzUnXsrke+D4VW
MI06YcXSk8YeYgQ8GxgHQc+W2bb8LIbKN1hEYJ0wzM62vKR2/Oiwuf8lXutIKTuz
+v7Vj1PQd66DGHsxtWRaWnr1c54JTL2wICHJYKFH4grp7864+GL/uQ1O/Z/XxVku
E1JQ/AnwBGU1M1S6otwWGWVRjzEzQtxsfcCEPvV/9td3FIFQAbGTPb+48XFU+TY9
8AlcXBlDzXq7c5f8Evn/oSIsZDt63K4HNTmMGqOTl/p1aA0e4eyX76LczY06rDP5
GMSNs+AHmYgZiS4RYhRUIvS9uLXMnnDAMYst0SDl2orDUUeHBTzu0rchyknBZMGP
p5wQuWQ9CFlV+dj3UYbrBwC1lTkAMXRG2vlhA0V0TZqos7A5D4VHgSUQQjE=otlL
-----END PGP PUBLIC KEY BLOCK-----

Attachment: signature.asc
Description: This is a digitally signed message part.

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] Linux kernel transproxy packet leak (w/ repro case + workaround)
  - From: Mike Perry
- Re: [tor-talk] Linux kernel transproxy packet leak (w/ repro case + workaround)
  - From: Mike Perry
- Re: [tor-talk] Linux kernel transproxy packet leak (w/ repro case + workaround)
  - From: Soul Plane

Prev by Author: Re: [tor-talk] Introducing Torsion, hidden service IM with real-world ambition
Next by Author: [tor-talk] Another fake key for my email address
Previous by thread: Re: [tor-talk] Linux kernel transproxy packet leak (w/ repro case + workaround)
Next by thread: Re: [tor-talk] Linux kernel transproxy packet leak (w/ repro case + workaround)
Index(es):
- Author
- Thread