Re: IPTables transparent configuration
- To: "Curt Shaffer" <cshaffer@xxxxxxxxx>, or-talk@xxxxxxxx
- Subject: Re: IPTables transparent configuration
- From: "alpal.mailinglist@xxxxxxxxx" <alpal.mailinglist@xxxxxxxxx>
- Date: Wed, 17 Nov 2010 09:31:21 +0000
Curt,
I will try and spur some discussion :)
I'm also not sure that forcing connections to the tor port will work. Take for example an http request... you are now forcing that to a tor port, which wants to talk socks, right? I would have thought you would need some sort of transparent http proxy setup which was configured to use tor for its external comms?
Al
----- Reply message -----
From: "Curt Shaffer" <cshaffer@xxxxxxxxx>
Date: Tue, Nov 16, 2010 18:19
Subject: IPTables transparent configuration
To: <or-talk@xxxxxxxx>
I have been searching the documentation and Internet for days on this setup. Let me give some background first.

In this network (172.16.10.0/24) I have a couple of clients. Their default gateway is 172.16.10.1. This system is a Linux server.

The Linux server has a LAN IP of 172.16.10.1 and a "WAN" IP of 10.0.0.23. This server is also running TOR. The "WAN" IP address of this system is actually being NATTED again by a firewall to an external IP address.

I want all traffic on the 172.16.10.0/24 network to use this Linux server as their default gateway. In that gateway, I want IPTables to send all of the traffic from that subnet through TOR.

If I use IPTables to NAT the addresses like this:

eth0=WAN
eth1=LAN

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

General network connectivity works.

If I introduce TOR with IPTables like this:

iptables -t nat -A OUTPUT -p tcp -m tcp -j REDIRECT --to-ports 9040
iptables -t filter -A OUTPUT -p tcp -m tcp --dport 9040 -j ACCEPT

TOR connectivity works from the Linux server, but all of the clients on the 172.16.10.0/24 network no longer work at all. No NAT to the general Internet, no TOR, no nothing.

I'm thinking this may be an IPTables problem, but I wanted to post this to this list just to see if anyone else has accomplished such a setup. If you have, please let me know what I may be doing wrong. If you need more detailed information, please ask.
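An added example, not code from either poster: a POSIX shell script that generates, prints for review, and optionally applies the gateway rules for the setup Curt describes (eth1 as LAN, 172.16.10.0/24, Tor TransPort 9040). The point it demonstrates is the chain choice: the nat table's OUTPUT chain only sees packets the gateway itself generates, while packets forwarded from LAN clients pass through nat PREROUTING, so a REDIRECT has to live there and match the LAN interface. Tor's TransPort accepts the redirected TCP connections directly, without a SOCKS handshake. The DNS port 5353, the torrc lines in the comments, the leak-blocking FORWARD rule and the DRY_RUN/apply_rules helper are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): generate, review and optionally apply
# iptables rules that send a LAN subnet's TCP and DNS traffic through Tor's
# TransPort/DNSPort on a Linux gateway.
# Assumed torrc on the gateway (option names of the 2010-era Tor):
#   TransPort 9040
#   TransListenAddress 172.16.10.1
#   DNSPort 5353
#   DNSListenAddress 172.16.10.1
set -eu

LAN_IF="${LAN_IF:-eth1}"             # eth1=LAN, as in Curt's setup
LAN_NET="${LAN_NET:-172.16.10.0/24}"
TRANS_PORT="${TRANS_PORT:-9040}"     # Tor TransPort
DNS_PORT="${DNS_PORT:-5353}"         # Tor DNSPort (assumed value)

# Print one iptables command per line.
# Packets forwarded from LAN clients traverse the nat table in PREROUTING;
# nat OUTPUT only sees packets the gateway generates itself, so a redirect
# placed there never touches client traffic.
# A REDIRECTed packet is delivered to a local socket and therefore goes
# through INPUT, not FORWARD; anything from the LAN that still reaches
# FORWARD was not redirected (non-DNS UDP, ICMP) and would bypass Tor, so
# the last rule drops it.
tor_transparent_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -A INPUT -i $LAN_IF -p tcp --dport $TRANS_PORT -j ACCEPT
iptables -A INPUT -i $LAN_IF -p udp --dport $DNS_PORT -j ACCEPT
iptables -A FORWARD -i $LAN_IF -j DROP
EOF
}

# Echo each rule; execute it only when DRY_RUN=0 (requires root).
apply_rules() {
    tor_transparent_rules | while IFS= read -r rule; do
        echo "+ $rule"
        if [ "${DRY_RUN:-1}" = 0 ]; then
            sh -c "$rule"
        fi
    done
}

apply_rules
```

Run it as-is to review the generated rules; run it with `DRY_RUN=0` as root to apply them. Curt's existing MASQUERADE and FORWARD ACCEPT rules are untouched by this script, but the final FORWARD DROP is appended after them and so only takes effect if the ACCEPT rule for eth1-to-eth0 is removed first.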
http://archives.seul.org/or/talk/