[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] almost success toward complete tor enforcement, need little help now

Dear list,

I wonder if I can setup a box which provides complete traffic enforcement through tor.
The tails project has encouraged me to work in that direction. With the tails documentations and with
some online guide like


I am able to setup my running debian system almost a tor encrypted box, 
with some small hitches which I belief can easily be solved with your technical guidance.

obfsproxy issue

I have installed tor,pdnsd,ttdnsd,obfsproxy,polipo,vidalia
I have already collected the obfs IP address from a running tor bundle and then placed all those
at /etc/tor/torrc. tor is running with obfs.

[Q] How can I check online that obfs is functional ? https://check.torproject.org/ simply shows
tor is running, but no obfs related information.

polipo and firewall

Browsers configured to use polopo ( tor as parent) and the online check is successful (https://check.torproject.org/)

[Q] Is polipo really fast ? I hardly see any advantage comparing direct tor connection with out polipo.

[Q] What is the iptables rule to redirect all 80 and 443 traffic through polipo 8118 port ? Then no configuration is
required at browser level.

DNS and firewall

I am using pdnsd (caching DNS proxy server) and ttdnsd ( udp to tcp converter )

/etc/pdnsd.conf content with this:

global {
   perm_cache = 2048;
   cache_dir = "/var/cache/pdnsd";
   run_as = "pdnsd";
   server_ip =;          
   status_ctl = on;
   min_ttl = 15m;
   max_ttl = 1w;
   timeout = 120;

# Tor DNS resolver
server {
   label = "tor";
   ip =;
   port = 8853;
   uptest = none;
   proxy_only = on;
   lean_query = on;
# ttdnsd
server {
   label = "ttdnsd";
   ip =;
   port = 53;
   uptest = none;
   proxy_only = on;
   lean_query = on;

/etc/tor/torrc has

DNSPort 8853
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion

So ttdnsd running at port 53 at and tor dns at port 8853.

But nmap shows ( #nmap -p 1-65535 localhost )

22/tcp    open  ssh
25/tcp    open  smtp
53/tcp    open  domain
111/tcp   open  rpcbind
631/tcp   open  ipp
8118/tcp  open  privoxy
9040/tcp  open  tor-trans
9050/tcp  open  tor-socks
9051/tcp  open  tor-control

no open port for tor-dns

[Q] How can I enforce all udp to go through local DNS port and which one 53 or 8853 ?

iptables -t nat -A OUTPUT ! -o lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
iptables -t filter -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT

is not working. Can't do any dns resolution, even ping failed to gmail.com

iptables to route all traffic and blocked all non tor

LAN and lo (localhost) don't need to go through tor

port 80/443 should go through poliop port 8118,
all dns query should go through local 53 ( or 8853 ? ) port

And the rest of the traffic should go through tor 9050 port, anything left should be dropped.
The example iptables given at tails site is not working for me. Could anyone kindly give such a
rule sets please ?

Many many thanks for designing tor :-) 

tor-talk mailing list