[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] almost success toward complete tor enforcement, need little help now

> https://cryptoanarchy.org/wiki/Build_your_own_livething

That's a bit insufficient and some points clearly outdated, see below.

> obfsproxy issue
> =================
> I have installed tor,pdnsd,ttdnsd,obfsproxy,polipo,vidalia

You don't need pdnsd,ttdnsd,polipo. Vidalia is a nice optional graphical
user interface.

> I have already collected the obfs IP address from a running tor bundle and then placed all those
> at /etc/tor/torrc. tor is running with obfs.
> [Q] How can I check online that obfs is functional ? https://check.torproject.org/ simply shows
> tor is running, but no obfs related information.

Someone else has to answer here.

> polipo and firewall
> =====================
> Browsers configured to use polopo ( tor as parent) and the online check is successful (https://check.torproject.org/)
> [Q] Is polipo really fast ? I hardly see any advantage comparing direct tor connection with out polipo.

You're on the wrong path. Don't use polipo / Firefox etc. anymore,
unless you want to stay out from all other Tor users. Use Tor Browser.

> [Q] What is the iptables rule to redirect all 80 and 443 traffic through polipo 8118 port ? Then no configuration is
> required at browser level.

You don't need iptables for that. Tor is running on a Gateway. Tor
Browser without Tor/Vidalia started (patched startup script) is running
on another machine. (Which we call Workstation.)

Tor Button SOCKS Host: gateway IP, port: reserve one SocksPort in torrc
on Gateway exclusively for Tor Browser. Add some extra SocksPorts for
other applications. (stream isolation)

> DNS and firewall
> =================
> I am using pdnsd (caching DNS proxy server) and ttdnsd ( udp to tcp converter )

You don't need ttdnsd. I recommend using one SocksPorts per most, if not
all applications. If you still want some remaining traffic fallback you
can use Tor's excellent Dns- and TransPorts.

> [Q] How can I enforce all udp to go through local DNS port and which one 53 or 8853 ?

For a "fetch remaining DNS traffic and route through Tor iptables rule"
have a look at
and search for "dns".

> iptables to route all traffic and blocked all non tor
> ======================================================
> LAN and lo (localhost) don't need to go through tor

You probable mess up there figuring out what is lan traffic for real and
what not. I strongly recommend the Tor-only box to have no local lan

> port 80/443 should go through poliop port 8118,
> all dns query should go through local 53 ( or 8853 ? ) port

Like said before, forget about that plan. Don't use polipo.

> And the rest of the traffic should go through tor 9050 port, anything left should be dropped.
> The example iptables given at tails site is not working for me. Could anyone kindly give such a
> rule sets please ?

You can do it with virtual machines and/or physical isolation.

tor-talk mailing list