Re: [tor-talk] howto: Raspberry Pi as transparent tor proxy
Very nice,
For the firewall you can consider the following:
#!/bin/sh
# Tor runs as this user on Debian/Raspbian. Its own connections must not be
# redirected back into TransPort (adjust if your Tor runs as another user).
TOR_UID=debian-tor

iptables -F
iptables -X
iptables -Z
iptables -t nat -Z 2>/dev/null
iptables -t mangle -Z
iptables -t nat -F
iptables -t mangle -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Established incoming connections are accepted.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Traffic on the loopback interface is accepted.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
# Established outgoing connections are accepted.
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Internal network connections are accepted.
iptables -A OUTPUT -d 127.0.0.0/255.0.0.0 -j ACCEPT
# The Tor daemon itself may reach the network directly; every other local
# process is forced through TransPort/DNSPort below.
iptables -A OUTPUT -m owner --uid-owner "$TOR_UID" -j ACCEPT
# Local network connections should not go through Tor, but DNS shall be
# rejected.
iptables -N lan
iptables -A lan -p tcp --dport domain -j REJECT
iptables -A lan -p udp --dport domain -j REJECT
iptables -A lan -j ACCEPT
# Sort out traffic to the local network.
# Note that we exclude the VirtualAddrNetwork used for .onion:s here.
iptables -A OUTPUT -d 192.168.0.0/255.255.0.0 -j lan
iptables -A OUTPUT -d 10.0.0.0/255.0.0.0 -j lan
iptables -A OUTPUT -d 172.16.0.0/255.240.0.0 -j lan
# Leave Tor's own outgoing connections alone, then send all other local TCP
# to TransPort and all local DNS to DNSPort.
iptables -t nat -A OUTPUT -m owner --uid-owner "$TOR_UID" -j RETURN
iptables -t nat -A OUTPUT ! -o lo -p tcp -m tcp -j REDIRECT --to-ports 9040
iptables -t nat -A OUTPUT -p udp --dport 53 -m state --state NEW -j REDIRECT --to-ports 53
iptables -t filter -A OUTPUT -p tcp -m tcp --dport 9040 -j ACCEPT
iptables -t filter -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
#iptables -t filter -A OUTPUT ! -o lan -j DROP
# Everything else is dropped by the OUTPUT policy; uncomment to reject instead.
# iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
# Log incoming connection attempts (rate limited).
iptables -A INPUT -p tcp -m tcp -m state --state NEW -m limit --limit 1/minute -j LOG --log-prefix "input(tcp) "
iptables -A INPUT ! -p tcp -m limit --limit 1/minute -j LOG --log-prefix "input(all) "
# Some kernel hardening.
# Ignore ICMP echo requests sent to broadcast addresses.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable forwarding (redirected client traffic is delivered locally, not routed).
echo 0 > /proc/sys/net/ipv4/ip_forward
# Enable TCP SYN cookie protection.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Ignore bogus ICMP error responses.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Ignore all ICMP echo requests.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# IP spoofing protection (reverse path filtering).
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
# Don't accept or send ICMP redirects.
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > "$f"; done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > "$f"; done
# Disable source-routed packets.
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$f"
done
# Log martians (packets with impossible source addresses).
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > "$f"
done
# Disable proxy_arp.
for f in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > "$f"; done
# Reduce the SYN backlog to limit the effect of SYN floods.
echo 512 > /proc/sys/net/ipv4/tcp_max_syn_backlog
On Mon, 29 Oct 2012 20:52:10 +0100
Sven Wolf <torproject@xxxxxxxxxxxxxxx> wrote:
> Hi all,
>
> here's some information on how I configured my Raspberry Pi as a
> transparent tor proxy for my home network.
>
> Currently, in my opinion, the Raspberry Pi is a cheap and flexible
> platform for this task. I thought about using a
> dd-wrt based router as a transparent tor proxy, but there are no current
> optware packages for the dd-wrt/openwrt platform and
> also there is no final tutorial which describes in detail how to set up
> a transparent tor proxy on the dd-wrt/openwrt platform.
>
>
> My configuration is:
> - 256 MB Raspberry Pi
> - USB wifi adapter TP-Link WL-722N with an external antenna (drivers are
> already included in the current Raspbian OS)
> - 4 port D-Link USB hub DUB-H4
> - hama power supply
> - SanDisk 4 GB SD card
> - Raspbian Linux
>
> for other supported hardware please look at:
> http://www.elinux.org/RPi_VerifiedPeripherals
>
>
> For the wireless access point configuration I followed the instructions from:
> http://sirlagz.net/2012/08/09/how-to-use-the-raspberry-pi-as-a-wireless-access-pointrouter-part-1/
>
>
> Here are my steps for the setup. I've installed the following additional
> packages:
> dnsmasq
> dnsutils
> hostapd
> iw
> net-tools
> tor
>
> First: create/modify /etc/dnsmasq.conf
>
> interface=wlan0
> dhcp-range=10.0.0.2,10.0.0.10,255.255.255.0,24h
> dhcp-option=3,10.0.0.1
>
>
> Second: create/modify /etc/hostap/hostapd
>
> interface=wlan0
> driver=nl80211
> ctrl_interface=/var/run/hostapd
> ctrl_interface_group=0
> ssid=<your ssid>
> hw_mode=g
> channel=<your channel, e.g. 11>
> wpa=2
> wpa_passphrase=<your passphrase>
> wpa_key_mgmt=WPA-PSK
> wpa_pairwise=CCMP
> rsn_pairwise=CCMP
>
>
> For the Tor and iptables configuration I followed the instructions from:
> https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy#AnonymizingMiddlebox
>
> I didn't modify /etc/resolv.conf to 127.0.0.1 because I had problems
> with the network connection directly on the Raspberry Pi.
> E.g. it wasn't possible to download Raspbian packages or to open websites
> with lynx.
>
>
> Third: create/modify /etc/torrc
>
> Log notice file /var/log/tor/notices.log
> VirtualAddrNetwork 10.192.0.0/10
> AutomapHostsSuffixes .onion,.exit
> AutomapHostsOnResolve 1
> TransPort 9040
> TransListenAddress 10.0.0.1
> DNSPort 53
> DNSListenAddress 10.0.0.1
>
> Fourth: create an executable script in /etc/network/if-pre-up.d, e.g.
> /etc/network/if-pre-up.d/iptables.sh with the following content
>
> #!/bin/bash
> /sbin/iptables-restore < /etc/iptables.rules
>
> Fifth: enter the iptables ruleset directly on the shell
>
> iptables -F
> iptables -t nat -F
>
> iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53
> iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040
>
> Sixth: create /etc/iptables.rules like this
> iptables-save > /etc/iptables.rules
>
> In my opinion there is room for improvement. Maybe someone has
> additional ideas or configuration recommendations, e.g. for the firewall.
> The missing RTC doesn't seem to be a problem for this configuration. But
> there is a tutorial on how to add an RTC to the Raspberry Pi:
> http://www.raspberrypi.org/phpBB3/viewtopic.php?f=44&t=16218
>
>
> Thanks and best regards,
> Sven
>
> _______________________________________________
> tor-talk mailing list
> tor-talk@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
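An added audit script (my own, not code from either post in this thread) that checks an iptables-save dump such as the /etc/iptables.rules from Sven's sixth step for the three invariants this middlebox relies on: client DNS and client TCP arriving on wlan0 are redirected to DNSPort 53 and TransPort 9040, and the filter FORWARD policy is DROP so that whatever is not redirected (other UDP, ICMP) cannot be routed past Tor. It assumes the interface and port values from the quoted torrc; the sample dump it writes is constructed for illustration in the format iptables-save emits.

```shell
#!/bin/sh
# Audit an iptables-save dump (e.g. /etc/iptables.rules from the quoted post) for the
# invariants a transparent Tor middlebox relies on. Assumes the client interface,
# TransPort and DNSPort values from the quoted torrc; adjust for other setups.
LAN_IF=wlan0
TRANS_PORT=9040
DNS_PORT=53

# in_table TABLE REGEX FILE: succeed if some line inside TABLE matches REGEX.
in_table() {
    awk -v want="$1" -v re="$2" '
        /^\*/ { t = substr($0, 2) }
        t == want && $0 ~ re { found = 1 }
        END { exit !found }' "$3"
}

# check_tor_rules FILE: print every leak found; return 0 only if the dump passes.
check_tor_rules() {
    rc=0
    # Client DNS must be answered by Tor's DNSPort, never forwarded to a real resolver.
    in_table nat "^-A PREROUTING -i $LAN_IF -p udp .*--dport 53 .*-j REDIRECT --to-ports ${DNS_PORT}\$" "$1" ||
        { echo "LEAK: DNS from $LAN_IF is not redirected to DNSPort $DNS_PORT"; rc=1; }
    # Every new client TCP connection must land on TransPort.
    in_table nat "^-A PREROUTING -i $LAN_IF -p tcp .*-j REDIRECT --to-ports ${TRANS_PORT}\$" "$1" ||
        { echo "LEAK: TCP from $LAN_IF is not redirected to TransPort $TRANS_PORT"; rc=1; }
    # Anything not redirected (other UDP, ICMP) must be dropped, not routed to the uplink.
    in_table filter '^:FORWARD DROP' "$1" ||
        { echo "LEAK: filter FORWARD policy is not DROP; non-redirected client traffic bypasses Tor"; rc=1; }
    return $rc
}

# write_sample FILE POLICY: constructed dump in iptables-save format, modelled on the
# thread's PREROUTING rules (iptables-save expands --syn to the --tcp-flags form).
write_sample() {
    cat > "$1" <<EOF
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD $2 [0:0]
:OUTPUT DROP [0:0]
COMMIT
EOF
}
# Usage: sh audit.sh /etc/iptables.rules
if [ "$#" -gt 0 ]; then check_tor_rules "$1"; fi
```

Run it against the real dump after step six; a non-zero exit with a LEAK line means clients on wlan0 have a path around Tor.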