Re: [tor-relays] TransPort: Convert iptables to pf
Hi!
Thanks for your reply.
On 26.12.2016 15:32, Corl3ss wrote:
> diffusae:
>> Hello!
>
> Hi Diffusae
>
>> Does anybody know how to convert this to pf rules in FreeBSD:
>>
>> iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040
>>
>> I'm running a Tor client in a jail on a different IP and want to route
>> only the .onion traffic through it.
>>
>> The DNS stuff is working fine, but I can't find a solution for the above
>> iptables rule, which is working. I'd like to transparently do DNS and routing
>> for .onion traffic on the network.
>>
>> I looked into the wiki and also found some pf rules, which route
>> all the traffic through Tor, but this only works locally.
>>
>> The machine is on FreeBSD 11.0-STABLE. Tor is running in a jail with
>> cloned loopback interface (lo1) and has also a private IP address on the
>> main NIC.
>>
>
> I am running a Tor node in a FreeBSD jail with the following pf rules:
>
> scrub in all
> nat pass on $ext_if from $NET_JAIL to any -> $IP_PUB
> rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_TOR_JAIL -> $IP_JAIL_TOR port $PORT_TOR_JAIL
That looks good.
There is no "pass out quick" or "pass out on" statement?
> It passes the exit traffic to the public IP. The incoming traffic is
> passed to the different jail IPs according to the port.
Is the outgoing traffic routed, too?
> Be careful with the cloned interface and the /etc/hosts configurations
> for your BSD and jails. Misconfiguration also often leads to network
> problems.
Yes, that's it. I've tested the known rules for Transparent Proxy on a
FreeBSD11 (amd64) VM.
https://github.com/lattera/transtor/blob/master/pf.conf
It was no problem to configure it with a cloned interface. It works on
the fly, but there was no jail.
I've tried the same configuration with FreeBSD11 for armv6 (RPI-B), with
and without a jail, and it only works locally and also dropped all other
network connections. I am not sure if something is missing in the RPI
ISO image snapshots, but the main problem should be the cloned interface.
It was hard to discover, but in the end I had a "connection timeout".
Do you use any "special" configuration inside the jail?
Like "defaultrouter=" or "gateway_enable=" on the host, etc?
Only because of the NAT rule.
So, thanks again
Best regards,
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
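An added example, written for this page and not taken from the thread, the Tor wiki or the lattera/transtor repository: a pf.conf fragment for the setup the thread describes, i.e. a non-VNET jail whose Tor instance is bound to a private address on the host's main NIC, with the host acting as gateway for LAN clients. All interface names and addresses ($ext_if, $int_if, $lan_net, $IP_PUB, $IP_JAIL_TOR) are constructed placeholders. The torrc inside the jail is assumed to contain `TransPort <jail IP>:9040`, `DNSPort <jail IP>:5353`, `VirtualAddrNetworkIPv4 10.192.0.0/10` and `AutomapHostsOnResolve 1`, so that resolving a .onion name yields an address in 10.192.0.0/10, which is exactly the range the iptables REDIRECT rule in the question matches.

```pf
# Added example, not from the thread or from lattera/transtor.
# All values below are assumed placeholders; adjust to the real interfaces and addresses.
ext_if      = "em0"             # NIC carrying the public IP
int_if      = "em1"             # NIC facing the LAN clients
lan_net     = "192.168.1.0/24"  # constructed LAN range
IP_PUB      = "203.0.113.5"     # constructed public address
IP_JAIL_TOR = "192.168.1.250"   # jail address on the main NIC (non-VNET jail)
tor_net     = "10.192.0.0/10"   # Tor's VirtualAddrNetworkIPv4: automapped .onion addresses
port_trans  = "9040"            # TransPort inside the jail
port_dns    = "5353"            # DNSPort inside the jail

scrub in all

# Outbound NAT for the LAN and for the Tor jail itself (the jail's own
# connections to the Tor network leave via $ext_if with a private source).
nat pass on $ext_if from { $lan_net, $IP_JAIL_TOR } to any -> $IP_PUB

# pf counterpart of
#   iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040
# for traffic that ARRIVES on $int_if from LAN hosts. pf's rdr only rewrites
# inbound packets on the named interface, so the host's own connections
# (what the iptables OUTPUT chain covers) are not redirected by this rule.
rdr pass on $int_if inet proto tcp from $lan_net to $tor_net -> $IP_JAIL_TOR port $port_trans

# Transparent DNS for the LAN, so .onion lookups reach Tor's DNSPort and
# get an automapped address inside $tor_net.
rdr pass on $int_if inet proto udp from $lan_net to any port domain -> $IP_JAIL_TOR port $port_dns

# "rdr pass" already admits the redirected packets, so no extra "pass in"
# is needed for them. Everything the host originates or forwards out of
# $ext_if is allowed statefully here; tighten to taste.
pass out on $ext_if inet from $IP_PUB to any keep state
```

Checks worth running on the host: `pfctl -nf /etc/pf.conf` validates the syntax before loading, `pfctl -s nat` shows the translation rules as pf parsed them, and `pfctl -s state` on a LAN client's connection to a .onion address should show the destination rewritten to the jail address and port 9040. Two caveats for the jail case: Tor's transparent-proxy support on pf recovers the original destination by querying pf through /dev/pf, so the jail's devfs ruleset has to expose /dev/pf or every redirected connection fails; and the rdr delivers the packets to a local address rather than forwarding them, so `gateway_enable="YES"` is only needed on the host if it also forwards the LAN's non-Tor traffic through the nat rule.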