
Re: Filtering traffic from your node - for exit points



Interesting, but a very complicated method of filtering.
In the future, perhaps it would be possible to make a plugin for Tor
that makes it easy to block unwanted traffic. That would make it easier
for more people to dare to run Tor exit nodes.


For Windows, if you only want to block IPs, it is also possible to run an
IP blocker. Protowall is one such program for Windows that runs as a
layer between the Internet and the server's software. There is a lot of
other software that can block lists of IP addresses.

The problem is, does Tor support huge IP lists? What will happen if the
torrc has 20 000 IP-ranges blocked? Will Tor get very slow or crash?

Every country has its own laws. I believe blocking could be used
without any legal worries in many countries.


Torified User wrote:
> Up to now I thought it was impossible to filter out what tor users do
> from our tor exit nodes. A little experimentation later I've found a way
> to limit what users can or cannot do. Please do check if filtering
> content is legal according to the laws of your country. Personally I
> have decided that I'd rather be investigated because of filtering
> illegal materials than to be investigated because I was helping a
> criminal. Do whatever you wish with the information provided. You may
> not like the filtering - but every exitpoint operator can decide for
> himself what he wants to do.
> 
> You will need:
> 
> - a Linux server, running iptables (with iptables and iptable_nat
> support) and with universal tun/tap support
>     . Check your .config for CONFIG_TUN=[m|y] for tun/tap support
>     . Check your .config for CONFIG_IP_NF_NAT=[m|y] for NAT support
>     . http://www.netfilter.org/projects/iptables/files/iptables-1.3.8.tar.bz2
>         
> - tunctl
>     . (google for tunctl.c ; gcc tunctl.c -o tunctl )
> 
> - squid (tested with 2.6STABLEx)
>     . You can fetch it from http://www.squid-cache.org
> 
> - dansguardian (tested with 2.9.x.x)
>     . Fetch it from http://dansguardian.org/
>     
> - blacklists from http://www.urlblacklist.com/
>     . You are allowed one free download, if you find their
>       service useful, please subscribe.
>       
> - an IP from a private subnet you're not using (for this example, we'll
> use 192.168.253.1/24)
> 
> - to ensure that neither squid nor dansguardian are accessible from the
> Internet
>     
> 1) Create the tunnel device where tor will make its outbound
> connections from
> 
> # modprobe tun
> # tunctl
> # ifconfig tap0 192.168.253.1 netmask 255.255.255.0
> 
> 2) Disable access to both squid and dansguardian from the Internet.
> 
> I will be using port 3128 for squid, and 8080 for dansguardian (default
> settings - you can alter them if you wish). In my setup ppp0 is where
> the Internet is connected to my tor node, so (if eth1 is your public
> interface, substitute eth1 for ppp0):
> 
> # iptables -I INPUT -i ppp0 -p tcp --dport 8080 -j DROP
> # iptables -I INPUT -i ppp0 -p tcp --dport 3128 -j DROP
> 
> 3) Install squid (compile if necessary, you won't need any special
> configuration switches) and before running squid change the following in
> your squid.conf (it will be either in /etc/squid/squid.conf or
> /usr/local/squid/etc/squid.conf):
> 
> "http_port 3128" -> "http_port 3128 transparent"
>     It will now be able to act as a transparent proxy
>     
> "cache_mem 8M" -> whatever you want it to be
>     If you have RAM to spare it should speed things a bit up.
>     
> "maximum_object_size 4096 KB" -> "maximum_object_size 1 KB"
>     Or you'll end up with user's content in your cache - which I don't want.
>     
> "http_access allow manager localhost" -> "#http_access allow manager
> localhost"
>     Dansguardian will be accessing squid with the source IP of
> 127.0.0.1, so in this way we disable the access to the manager.
>     
> And add
> 
> "http_access allow localhost" into the squid.conf, but do make sure it
> comes before the "http_access deny all" directive.
> 
> 4) Install dansguardian. (if you need to compile it from the tarball -
> again, there's no special directives you need). Your configuration
> should be in /etc/dansguardian/ or /usr/local/etc/dansguardian/.
> 
> 5) Fetch the Blacklist from http://www.urlblacklist.com/ (Remember, only
> the first download is free. Be nice, don't abuse the service.). Unpack
> them into /etc/dansguardian/lists/blacklists (or
> /usr/local/etc/dansguardian/lists/blacklists). The ./lists/blacklists
> folder should already exist in the dansguardian configuration directory.
> 
> 6) Configure dansguardian.conf:
> 
> "filterport = 8080"
> "proxyip = 127.0.0.1"
> "proxyport = 3128"
> 
> "maxuploadsize = 16"
> (to disable the spreading of unwanted materials over your node; 16 kB of
> POST data should be enough for most legal uses).
> 
> Unless you want antivirus scanning of transferred files also disable all
> contentscanners ("#contentscanner = ...")
> For most uses you will also need to disable the authplugins
> ("#authplugin = ").
> If you want to disable logging (please check your laws on what you can or
> cannot do): "nologger = on"
> 
> 7) Configure dansguardianf1.conf: (this is the configuration for the 1st
> (and probably only) group on your server)
> Do check, that the criteria by which you want to filter are uncommented
> (i.e., no # at the start of the line). I suggest leaving all of them on.
> 
> 8) Configure lists/bannedextensionlist:
> 
> .asx  # Windows Media Audio / Video
> .rar  # Similar to zip
> .mp3  # Music file
> .mpeg # Movie file
> .mpg  # Movie file
> .avi  # Movie file
> .asf  # this can also exploit a security hole allowing virus infection
> .iso  # CD ISO image
> .ogg  # Music file
> .wmf  # Movie file
> .bin  # CD ISO image
> .cue  # CD ISO image
> 
> 9) Configure lists/bannedmimetypelist:
> 
> audio/mpeg
> audio/x-mpeg
> audio/x-pn-realaudio
> audio/x-wav
> video/mpeg
> video/x-mpeg2
> video/x-msvideo
> video/msvideo
> application/gzip
> application/x-gzip
> application/zip
> application/compress
> application/x-compress
> #application/java-vm
> 
> 10) Configure lists/bannedphraselist: (watch out for /etc/dansguardian
> vs. /usr/local/etc/dansguardian)
> 
> .Include</usr/local/etc/dansguardian/lists/phraselists/pornography/banned>
> 
> 11) Configure lists/bannedurllist: (mine looks like this, again watch
> out for /etc/dansguardian vs. /usr/local/etc/dansguardian)
> .Include</usr/local/etc/dansguardian/lists/blacklists/adult/urls>
> .Include</usr/local/etc/dansguardian/lists/blacklists/aggressive/urls>
> .Include</usr/local/etc/dansguardian/lists/blacklists/audio-video/urls>
> .Include</usr/local/etc/dansguardian/lists/blacklists/hacking/urls>
> .Include</usr/local/etc/dansguardian/lists/blacklists/porn/urls>
> .Include</usr/local/etc/dansguardian/lists/blacklists/proxy/urls>
> .Include</usr/local/etc/dansguardian/lists/blacklists/violence/urls>
> .Include</usr/local/etc/dansguardian/lists/blacklists/virusinfected/urls>
> .Include</usr/local/etc/dansguardian/lists/blacklists/warez/urls>
> 
> 12) Now alter your torrc (either /etc/torrc or /usr/local/etc/torrc) and
> add the following line to the configuration:
> 
> OutboundBindAddress 192.168.253.1
> 
> Do not restart tor just yet.
> 
> 13) Start up squid and dansguardian. Set your browser's proxy setting to
> <your_private_IP>:8080 and try whether the proxy system works as
> desired. If your dansguardian is not listening on port 8080, alter your
> browser settings accordingly.
> 
> 14) If you're happy with how things look, we can redirect tor to use our
> proxy setup.
> 
> # iptables -t nat -I OUTPUT -s 192.168.253.1 -p tcp --dport 80 -j DNAT --to 192.168.0.1:8080
> # iptables -t nat -I OUTPUT -s 192.168.253.1 -p tcp --dport 443 -j DNAT --to 192.168.0.1:8080
> 
> (192.168.0.1 is the private IP of my server, and my exit policy contains
> only ports 80 and 443 - if you need to alter it, I'm pretty sure you
> know how you can do it).
> 
> 15) You can restart tor now.
> 
> If everything is working fine, you will filter content you don't deem
> appropriate. Please do check your laws whether you can log, should log,
> or are prohibited from logging. Filtering per se should not be a problem (but
> do check about that too). You are configuring your server in this way at
> your own risk - there are no guarantees that this will work or that it
> is allowed under your laws - but I'm pretty sure it will at least limit
> what people can do to some reasonable traffic.
> 
> Don't forget the side effect - that the more questionable material we
> filter the more remains to be used in legal ways.
> 
> D.
> 
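The shell parts of the quoted howto (steps 1, 2, 12 and 14; the squid and dansguardian settings stay in their own config files) collected into one script, as an added example that is neither the poster's script nor code from Tor, squid or dansguardian. Interfaces, addresses and ports default to the values in the post and can be overridden through the environment. Two things are assumptions added here: a dry-run mode that prints each command instead of executing it, so the rule set can be reviewed on a machine without root, tunctl or iptables, and an optional per-address reject list in the torrc fragment, which is one answer to the question above about long IP lists (how Tor copes with tens of thousands of such lines is not settled on this page).

```shell
#!/bin/sh
# Added example, not the poster's script nor Tor/squid/dansguardian code: the shell
# parts of the quoted howto (steps 1, 2, 12 and 14) as parameterised functions.
# Defaults are the values used in the post. DRY_RUN=1 (the default, an assumption
# added here) prints each command instead of running it, so the rule set can be
# reviewed without root, tunctl or iptables; DRY_RUN=0 applies it.

DRY_RUN="${DRY_RUN:-1}"
TOR_BIND_IP="${TOR_BIND_IP:-192.168.253.1}"   # address Tor binds exit connections to
TOR_BIND_MASK="${TOR_BIND_MASK:-255.255.255.0}"
SERVER_IP="${SERVER_IP:-192.168.0.1}"         # private address where dansguardian listens
FILTER_PORT="${FILTER_PORT:-8080}"            # dansguardian
CACHE_PORT="${CACHE_PORT:-3128}"              # squid
PUBLIC_IF="${PUBLIC_IF:-ppp0}"                # interface facing the Internet

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: the tap device Tor will source its exit connections from.
setup_tap() {
    run modprobe tun
    run tunctl
    run ifconfig tap0 "$TOR_BIND_IP" netmask "$TOR_BIND_MASK"
}

# Step 2: never expose squid or dansguardian on the public interface.
# -i matches the input interface; -s would expect an address, not an interface name.
block_proxy_from_internet() {
    for port in "$FILTER_PORT" "$CACHE_PORT"; do
        run iptables -I INPUT -i "$PUBLIC_IF" -p tcp --dport "$port" -j DROP
    done
}

# Step 14: only packets Tor sends from the tap address are rerouted, and only on
# the ports listed, so the node's own traffic and other daemons are untouched.
redirect_exit_ports() {
    for port in "$@"; do
        run iptables -t nat -I OUTPUT -s "$TOR_BIND_IP" -p tcp --dport "$port" \
            -j DNAT --to "$SERVER_IP:$FILTER_PORT"
    done
}

# Step 12 plus the exit policy the post assumes (only 80 and 443 exit).
# Optional first argument (an addition here): a file of addresses or CIDRs, one
# per line, '#' comments allowed, to reject outright. Tor evaluates ExitPolicy
# lines in order and the first match wins, so these rejects go before the accepts.
torrc_fragment() {
    printf 'OutboundBindAddress %s\n' "$TOR_BIND_IP"
    if [ -n "${1:-}" ]; then
        awk 'NF && $1 !~ /^#/ { print "ExitPolicy reject " $1 ":*" }' "$1"
    fi
    printf 'ExitPolicy accept *:80\n'
    printf 'ExitPolicy accept *:443\n'
    printf 'ExitPolicy reject *:*\n'
}

# Stand-alone use: print the plan, or apply it with DRY_RUN=0 as root.
setup_tap
block_proxy_from_internet
redirect_exit_ports 80 443
torrc_fragment
```

Run it once with the default DRY_RUN=1 and read the printed commands against the post before applying them; the DNAT rules match only on the tap address Tor binds to, so if Tor is restarted without OutboundBindAddress in place nothing is redirected and exit traffic leaves unfiltered, which is why the post says not to restart Tor until the rules are in.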