
Re: IPTables transparent configuration


I will try and spur some discussion :)

I'm also not sure that forcing connections to the Tor port will work. Take, for example, an HTTP request: you are now forcing that to a Tor port, which wants to talk SOCKS, right? I would have thought you would need some sort of transparent HTTP proxy setup which was configured to use Tor for its external comms.


----- Reply message -----
From: "Curt Shaffer" <cshaffer@xxxxxxxxx>
Date: Tue, Nov 16, 2010 18:19
Subject: IPTables transparent configuration
To: <or-talk@xxxxxxxx>

I have been searching the documentation and Internet for days on this
setup. Let me give some background first.

In this network ( I have a couple of clients. Their
default gateway is This system is a Linux server.

The Linux server has a LAN IP of and a "WAN" IP of This server is also running TOR. The "WAN" IP address of
this system is actually being NATTED again by a firewall to an
external IP address.

I want all traffic on the network to use this Linux
server as their default gateway. In that gateway, I want IPTables to
send all of the traffic from that subnet through TOR.

If I use IPTables to NAT the addresses like this:


iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

General network connectivity works.

If I introduce TOR with IPTables like this:

iptables -t nat -A OUTPUT -p tcp -m tcp -j REDIRECT --to-ports 9040
iptables -t filter -A OUTPUT -p tcp -m tcp --dport 9040 -j ACCEPT

TOR connectivity works from the Linux server, but all of the clients
on the network no longer work at all. No NAT to the
general Internet, no TOR, no nothing.

I'm thinking this may be an IPTables problem, but I wanted to post
this to this list just to see if anyone else has accomplished such a
setup. If you have, please let me know what I may be doing wrong. If
you need more detailed information, please ask.
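An added example for the setup discussed in this thread; it is not code from either message. It shows a gateway ruleset built around Tor's TransPort and DNSPort: TransPort accepts plain TCP (the kernel REDIRECT keeps the original destination and Tor reads it back with SO_ORIGINAL_DST), so no separate HTTP proxy is needed, and the REDIRECT rules live in nat/PREROUTING, which is the chain the clients' forwarded packets actually traverse; a REDIRECT in nat/OUTPUT only matches packets the gateway generates itself. The interface names (eth1 LAN, eth0 WAN), the tor user name, the ports and the empty starting chains are assumptions. By default the script only prints the rules; run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example for the or-talk thread above; not code from either poster.
# A Tor transparent-proxy gateway: clients on LAN_IF get all TCP and DNS
# pushed through the local Tor daemon, and nothing else leaves on WAN_IF.
# Assumptions (not in the original mail): eth1 is the LAN side, eth0 the WAN
# side, Tor runs as user debian-tor, torrc has TransPort 9040 / DNSPort 5353,
# and the chains below are empty before these rules are appended.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
TOR_UID="${TOR_UID:-debian-tor}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-5353}"

# torrc lines the gateway needs. TransPort takes plain TCP, not SOCKS: the
# REDIRECT target preserves the original destination and Tor recovers it with
# SO_ORIGINAL_DST. DNSPort answers the clients' UDP lookups through Tor, and
# VirtualAddrNetworkIPv4/AutomapHostsOnResolve give .onion names a routable
# placeholder address so the client's TCP connection can follow the lookup.
torrc_fragment() {
  cat <<EOF
TransPort ${TRANS_PORT}
DNSPort ${DNS_PORT}
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
EOF
}

# Emit or apply the iptables rules. IPT defaults to "echo iptables" so the
# function prints the ruleset; run as root with IPT=iptables to apply it.
tor_gateway_rules() {
  ipt="${IPT:-echo iptables}"

  # Client packets are forwarded by the gateway, so they traverse
  # nat/PREROUTING. A REDIRECT in nat/OUTPUT never sees them: that chain
  # only matches packets generated by the gateway itself.
  $ipt -t nat -A PREROUTING -i "$LAN_IF" -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
  $ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"

  # Redirected packets now terminate locally: let them reach the Tor listeners.
  $ipt -A INPUT -i "$LAN_IF" -p tcp --dport "$TRANS_PORT" -j ACCEPT
  $ipt -A INPUT -i "$LAN_IF" -p udp --dport "$DNS_PORT" -j ACCEPT

  # Fail closed: anything the redirect did not catch (other UDP, ICMP; IPv6 is
  # out of scope here) must not be forwarded to the WAN in the clear. This
  # replaces a MASQUERADE/FORWARD ACCEPT pair, which would let such traffic leak.
  $ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j DROP

  # The gateway's own traffic: Tor has to reach its guards directly, so exempt
  # its uid (and loopback) before redirecting the rest. Without the RETURN,
  # Tor's own outbound connections would themselves be sent into TransPort.
  $ipt -t nat -A OUTPUT -m owner --uid-owner "$TOR_UID" -j RETURN
  $ipt -t nat -A OUTPUT -o lo -j RETURN
  $ipt -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
  $ipt -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"

  # Only the tor process may originate new connections on the WAN side.
  $ipt -A OUTPUT -o "$WAN_IF" -m owner --uid-owner "$TOR_UID" -j ACCEPT
  $ipt -A OUTPUT -o "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $ipt -A OUTPUT -o "$WAN_IF" -j DROP
}

# Dry run when IPT is unset: show the torrc fragment, then the rules.
if [ -z "${IPT:-}" ]; then
  echo "# torrc fragment"; torrc_fragment
  echo "# iptables rules (dry run, nothing applied)"; tor_gateway_rules
fi
```

Two checks worth doing after applying: from a client, `dig +short` against any name should be answered by the gateway's DNSPort (answers for .onion names fall in 10.192.0.0/10), and a plain `curl http://check.torproject.org/` from a client should report a Tor exit. The FORWARD DROP is what turns a failed redirect into a failed connection rather than a clearnet leak, so keep it even when debugging.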
