Thanks for the input, Al. I actually got this to work a little bit after posting this. That always seems to be the case :). For the list and anyone else who may want to do this, I'm posting my iptables config here.

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
sudo iptables -t nat -A PREROUTING -p tcp -s 172.16.10.0/24 -j DNAT --to-destination 10.0.0.23:9040
sudo iptables -t nat -A PREROUTING -p icmp -s 172.16.10.0/24 -j DNAT --to-destination 10.0.0.23:9040
sudo iptables -t nat -A PREROUTING -p udp -s 172.16.10.0/24 -j DNAT --to-destination 10.0.0.23:53

Now I'm not sure I need all of this. I'm going to revisit it later today to ensure the best rule set, but I have verified that this works 100%.

Curt

On Nov 17, 2010, at 4:31 AM, alpal.mailinglist@xxxxxxxxx wrote:

> Curt,
>
> I will try and spur some discussion :)
>
> I'm also not sure that forcing connections to the tor port will work. Take for example an http request... you are now forcing that to a tor port, which wants to talk socks, right? I would have thought you would need some sort of transparent http proxy setup which was configured to use tor for its external comms?
>
> Al
>
>
> ----- Reply message -----
> From: "Curt Shaffer" <cshaffer@xxxxxxxxx>
> Date: Tue, Nov 16, 2010 18:19
> Subject: IPTables transparent configuration
> To: <or-talk@xxxxxxxx>
>
> I have been searching the documentation and Internet for days on this
> setup. Let me give some background first.
>
> In this network (172.16.10.0/24) I have a couple of clients. Their
> default gateway is 172.16.10.1. This system is a Linux server.
>
> The Linux server has a LAN IP of 172.16.10.1 and a "WAN" IP of
> 10.0.0.23. This server is also running TOR. The "WAN" IP address of
> this system is actually being NATed again by a firewall to an
> external IP address.
>
> I want all traffic on the 172.16.10.0/24 network to use this Linux
> server as their default gateway. In that gateway, I want IPTables to
> send all of the traffic from that subnet through TOR.
>
> If I use IPTables to NAT the addresses like this:
>
> eth0=WAN
> eth1=LAN
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
>
> General network connectivity works.
>
> If I introduce TOR with IPTables like this:
>
> iptables -t nat -A OUTPUT -p tcp -m tcp -j REDIRECT --to-ports 9040
> iptables -t filter -A OUTPUT -p tcp -m tcp --dport 9040 -j ACCEPT
>
> TOR connectivity works from the Linux server, but all of the clients
> on the 172.16.10.0/24 network no longer work at all. No NAT to the
> general Internet, no TOR, no nothing.
>
> I'm thinking this may be an IPTables problem, but I wanted to post
> this to this list just to see if anyone else has accomplished such a
> setup. If you have, please let me know what I may be doing wrong. If
> you need more detailed information, please ask.
> ***********************************************************************
> To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
> unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
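An added example for this thread, not Curt's posted config: a dry-run script that generates the transparent-Tor ruleset he describes, printing each iptables command so it can be reviewed before being applied as root. It assumes Tor on the gateway binds its TransPort (9040, a plain-TCP transparent listener, not the SOCKS port) and DNSPort (53) on 10.0.0.23, with eth1 as the LAN and eth0 as the WAN; instead of masquerading whatever is not redirected, it drops it, so ICMP and non-DNS UDP (which Tor cannot carry) never leave the gateway around Tor.

```shell
#!/bin/sh
# Added example for this thread, not Curt's posted config: generate the
# transparent-Tor ruleset for the gateway described above as a reviewable
# dry run. Assumptions (constructed): Tor on the gateway binds TransPort 9040
# and DNSPort 53 on 10.0.0.23; eth1 is the LAN side, eth0 the WAN side.
LAN_NET="172.16.10.0/24"; LAN_IP="172.16.10.1"; LAN_IF="eth1"
WAN_IP="10.0.0.23";       WAN_IF="eth0"
TRANS_PORT="9040"; DNS_PORT="53"
MODE="${MODE:-print}"   # MODE=apply executes the rules (needs root)

run() {
    # Dry run prints the command; apply mode executes it.
    if [ "$MODE" = "apply" ]; then "$@"; else printf '%s\n' "$*"; fi
}

tor_rules() {
    # 1. Traffic addressed to the gateway's own LAN IP (ssh, local services)
    #    is left alone so the clients can still reach their gateway.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -d "$LAN_IP" -j RETURN
    # 2. Client DNS goes to Tor's DNSPort so lookups are resolved through Tor.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p udp --dport 53 -s "$LAN_NET" \
        -j DNAT --to-destination "$WAN_IP:$DNS_PORT"
    # 3. All remaining client TCP goes to the TransPort, which accepts plain
    #    TCP (not SOCKS), so HTTP and other protocols need no extra proxy.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp -s "$LAN_NET" \
        -j DNAT --to-destination "$WAN_IP:$TRANS_PORT"
    # 4. Let the redirected connections into the Tor listeners.
    run iptables -A INPUT -i "$LAN_IF" -p tcp --dport "$TRANS_PORT" -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -p udp --dport "$DNS_PORT" -j ACCEPT
    # 5. Tor carries TCP only. ICMP and non-DNS UDP cannot be DNATed to a
    #    port; instead of masquerading them straight to the Internet (which
    #    bypasses Tor and exposes the client), drop them in FORWARD.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j DROP
}

# Executed directly: print the rules for review (MODE=apply sh script.sh applies).
tor_rules
```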