[tor-talk] system-wide tor successful
Hello,
I'd like to share with you all that my system-wide Tor is successful.
I am not confident about the benefit of polipo/privoxy, pdnsd, or ttdnsd.
I just use Tor and its DNSPort (port 53) without any caching DNS server or proxy.
In /etc/resolv.conf, the name server is set to 127.0.0.1.
I have configured iptables to route all traffic through Tor except lo and the LAN.
But the LAN packets are still dropped. I'm trying to fix it.
Any modification is very much welcome. What tools can be used to test the system
against DNS leaks etc.? Your ideas are welcome.
#!/bin/sh
# Run as root. IPv4 only: if the host has IPv6 connectivity, an equivalent
# ip6tables policy is needed, otherwise IPv6 traffic bypasses Tor entirely.
# Tor's TransPort (9040) and DNSPort (53) must be enabled in torrc.
# UID of the tor daemon. The user name is distribution specific
# (debian-tor on Debian/Ubuntu, often just tor elsewhere), so adjust it.
TOR_UID=$(id -u debian-tor)
iptables -F
iptables -X
iptables -Z
iptables -t nat -Z 2>/dev/null
iptables -t mangle -Z
iptables -t nat -F
iptables -t mangle -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Established incoming connections are accepted.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Traffic on the loopback interface is accepted.
iptables -A INPUT -i lo -j ACCEPT
# Accept outgoing ICMP. Note that ICMP is not carried by Tor, so these
# packets leave with the machine's real source address.
iptables -A OUTPUT -p icmp -j ACCEPT
# Established outgoing connections are accepted.
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Tor's own connections to relays must leave the machine directly;
# without this rule the OUTPUT policy drops them.
iptables -A OUTPUT -m owner --uid-owner "$TOR_UID" -j ACCEPT
# Internal network connections are accepted.
iptables -A OUTPUT -d 127.0.0.0/255.0.0.0 -j ACCEPT
# Local network connections should not go through Tor but DNS shall be
# rejected.
iptables -N lan
iptables -A lan -p TCP --dport domain -j REJECT
iptables -A lan -p UDP --dport domain -j REJECT
iptables -A lan -j ACCEPT
# Sort out traffic to the local network.
# Note: if torrc sets VirtualAddrNetwork (used for .onion mapping) inside
# one of these ranges, that range must be excluded here so it still reaches Tor.
iptables -A OUTPUT -d 192.168.0.0/255.255.0.0 -j lan
iptables -A OUTPUT -d 10.0.0.0/255.0.0.0 -j lan
iptables -A OUTPUT -d 172.16.0.0/255.240.0.0 -j lan
# The nat OUTPUT chain is consulted before the filter OUTPUT chain, so the
# REDIRECT below would otherwise also catch LAN destinations (which is why
# LAN connections failed) and Tor's own relay connections. Exclude them first.
iptables -t nat -A OUTPUT -m owner --uid-owner "$TOR_UID" -j RETURN
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -d 192.168.0.0/255.255.0.0 -j RETURN
iptables -t nat -A OUTPUT -d 10.0.0.0/255.0.0.0 -j RETURN
iptables -t nat -A OUTPUT -d 172.16.0.0/255.240.0.0 -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp -j REDIRECT --to-ports 9040
iptables -t nat -A OUTPUT -p udp --dport 53 -m state --state NEW -j REDIRECT --to-ports 53
iptables -t filter -A OUTPUT -p tcp -m tcp --dport 9040 -j ACCEPT
iptables -t filter -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
# Everything else is dropped. ("! -o lan" was removed here: "lan" is not an
# interface name, so that match was meaningless.)
iptables -t filter -A OUTPUT -j DROP
# Log incoming connection attempts.
iptables -A INPUT -p tcp -m tcp -m state --state NEW -j LOG --log-prefix "input(tcp) " -m limit --limit 1/minute
iptables -A INPUT ! -p tcp -j LOG --log-prefix "input(all) " -m limit --limit 1/minute
# Some kernel hardening.
# Ignore broadcast pings.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable forwarding.
echo 0 > /proc/sys/net/ipv4/ip_forward
# Enable TCP SYN cookie protection.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Ignore bogus ICMP error responses.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Ignore all ICMP echo requests.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# IP spoofing protection (reverse path filtering).
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > "$f"
done
# Don't accept or send ICMP redirects.
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > "$i"; done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > "$i"; done
# Disable source routed packets.
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > "$f"
done
# Log martian packets.
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > "$f"
done
# Disable proxy_arp.
for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > "$i"; done
# Reduce the SYN backlog to limit the effect of SYN floods.
echo "512" > /proc/sys/net/ipv4/tcp_max_syn_backlog
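One way to check a rule set like this for leaks without touching the network, as an added example that is not part of the original post: it reads the nat table as `iptables-save` prints it (two constructed samples below, the post's original rules and a corrected set; uid 105 is a placeholder) and reports REDIRECT rules that would catch Tor's own relay connections or LAN destinations, and a missing DNSPort redirect. It assumes awk is available; on a live host run it as `check_nat_output "$(iptables-save)"`.

```shell
#!/bin/sh
# check_nat_output RULES: prints one finding per line; returns 1 if a nat
# OUTPUT REDIRECT is not preceded by RETURN rules for the tor uid and the
# three RFC1918 ranges, or if UDP port 53 is never redirected to DNSPort.
check_nat_output() {
    printf '%s\n' "$1" | awk '
    BEGIN { bad = 0; lan = 0; tor_ok = 0; dns = 0 }
    /^\*/ { table = substr($0, 2); next }         # "*nat", "*filter", ...
    table != "nat" || $1 != "-A" || $2 != "OUTPUT" { next }
    /-j RETURN/ {
        if (index($0, "--uid-owner")) tor_ok = 1
        if (index($0, "-d 10.0.0.0/8 ") || index($0, "-d 192.168.0.0/16 ") ||
            index($0, "-d 172.16.0.0/12 ")) lan++
    }
    /-j REDIRECT/ {
        if (index($0, "-p udp") && index($0, "--dport 53 ")) dns = 1
        if (!tor_ok) { print "tor daemon not excluded before: " $0; bad = 1 }
        if (lan < 3)  { print "LAN ranges not excluded before: " $0; bad = 1 }
        tor_ok = 1; lan = 3                        # report each problem once
    }
    END {
        if (!dns) { print "no REDIRECT of UDP 53 to DNSPort: DNS would leak"; bad = 1 }
        exit bad
    }'
}

# Constructed sample: the nat table from the post, as iptables-save prints it.
LEAKY='*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT ! -o lo -p tcp -m tcp -j REDIRECT --to-ports 9040
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j REDIRECT --to-ports 53
COMMIT'

# Constructed sample with the exclusions in place (uid 105 is a placeholder).
FIXED='*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner 105 -j RETURN
-A OUTPUT -o lo -j RETURN
-A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -d 10.0.0.0/8 -j RETURN
-A OUTPUT -d 172.16.0.0/12 -j RETURN
-A OUTPUT -p tcp -m tcp -j REDIRECT --to-ports 9040
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j REDIRECT --to-ports 53
COMMIT'

check_nat_output "$LEAKY" || echo "leaky rule set: see findings above"
check_nat_output "$FIXED" && echo "fixed rule set: no findings"
```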
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk