
Re: IPTables transparent configuration



Curt,

I will try and spur some discussion :)

I'm also not sure that forcing connections to the tor port will work. Take for example an http request... you are now forcing that to a tor port, which wants to talk socks, right? I would have thought you would need some sort of transparent http proxy setup which was configured to use tor for its external comms?

Al


----- Reply message -----
From: "Curt Shaffer" <cshaffer@xxxxxxxxx>
Date: Tue, Nov 16, 2010 18:19
Subject: IPTables transparent configuration
To: <or-talk@xxxxxxxx>

I have been searching the documentation and Internet for days on this
setup. Let me give some background first.

In this network (172.16.10.0/24) I have a couple of clients. Their
default gateway is 172.16.10.1. This system is a Linux server.

The Linux server has a LAN IP of 172.16.10.1 and a "WAN" IP of
10.0.0.23. This server is also running TOR. The "WAN" IP address of
this system is actually being NATTED again by a firewall to an
external IP address.

I want all traffic on the 172.16.10.0/24 network to use this Linux
server as their default gateway. In that gateway, I want IPTables to
send all of the traffic from that subnet through TOR.

If I use IPTables to NAT the addresses like this:

eth0=WAN
eth1=LAN

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT


General network connectivity works.

If I introduce TOR with IPTables like this:

iptables -t nat -A OUTPUT -p tcp -m tcp -j REDIRECT --to-ports 9040
iptables -t filter -A OUTPUT -p tcp -m tcp --dport 9040 -j ACCEPT

TOR connectivity works from the Linux server, but all of the clients
on the 172.16.10.0/24 network no longer work at all. No NAT to the
general Internet, no TOR, no nothing.

I'm thinking this may be an IPTables problem, but I wanted to post
this to this list just to see if anyone else has accomplished such a
setup. If you have, please let me know what I may be doing wrong. If
you need more detailed information, please ask.
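As an added example (not code from either poster), here is a rule set for the gateway described above, printed as text so it can be reviewed before being applied. It assumes Tor is configured in torrc with TransPort 9040 and a DNSPort, and it relies on the fact that the nat OUTPUT chain only sees packets the gateway itself generates: packets forwarded for LAN clients pass nat PREROUTING instead, which is where the REDIRECT for clients has to live.

```shell
#!/bin/sh
# Transparent Tor gateway for the topology in the thread (eth1 = LAN
# 172.16.10.0/24, eth0 = WAN). Assumed torrc settings, not from the post:
#   TransPort 9040   (accepts TCP connections redirected by iptables)
#   DNSPort  5353    (answers client DNS so lookups do not leak past Tor)

LAN_IF=eth1
LAN_NET=172.16.10.0/24
TRANS_PORT=9040
DNS_PORT=5353                    # assumed DNSPort value
TOR_USER=${TOR_USER:-debian-tor} # assumed name of the user tor runs as

# Print the rule set instead of applying it, so it can be reviewed first.
gen_rules() {
  cat <<EOF
iptables -t nat -F
iptables -F FORWARD
# LAN clients: traffic to the gateway itself stays local; DNS and every
# new TCP connection go to Tor's listeners (nat PREROUTING, not OUTPUT)
iptables -t nat -A PREROUTING -i $LAN_IF -d $LAN_NET -j RETURN
iptables -t nat -A PREROUTING -i $LAN_IF -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
# Gateway's own traffic: exempt the tor process, or it loops back onto 9040
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_USER -j RETURN
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
# Redirected packets are delivered locally, so allow them into the host
iptables -A INPUT -i $LAN_IF -p tcp --dport $TRANS_PORT -j ACCEPT
iptables -A INPUT -i $LAN_IF -p udp --dport $DNS_PORT -j ACCEPT
# Nothing from the LAN is forwarded straight to the WAN (no Tor bypass)
iptables -A FORWARD -i $LAN_IF -j DROP
EOF
}

# Number of iptables commands in the generated set (comment lines excluded).
rule_count() { gen_rules | grep -c '^iptables'; }

# Usage: "sh tor-gw.sh apply" (as root) applies the rules; anything else
# only prints them.
if [ "${1:-}" = "apply" ]; then
  gen_rules | sh -e
else
  gen_rules
fi
```

Note that because the REDIRECT happens in PREROUTING, client packets are delivered to the gateway's Tor listener rather than forwarded, so the MASQUERADE and FORWARD ACCEPT rules from the original setup are no longer needed for the LAN.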