Розбіжності

Тут показані розбіжності між вибраною ревізією та поточною версією сторінки.

--- tor [2014/01/30 20:51] – створено wombat
+++ tor [2015/10/21 21:54] (поточний) – [Ссылки] ArchLinux Wiki wombat
@@ Рядок 1: / Рядок 1: @@
+====== Прозрачный прокси ======
+===== На персональном компьютере =====
+===== Общесетевой =====
+<file conf "/etc/tor/torrc">
+VirtualAddrNetworkIPv4 10.192.0.0/10
+AutomapHostsOnResolve 1
+TransPort 9040
+TransListenAddress 127.0.0.1
+TransListenAddress 192.168.1.1
+DNSPort 5353
+DNSListenAddress 127.0.0.1
+DNSListenAddress 192.168.1.1
+</file>
+<file bash "iptables">
+ #!/bin/bash
+ IPTABLES=/sbin/iptables
+ TOR_UID=`id -u debian-tor`
+ NETWORK_USER_ID=1000
+ # Clear existing rules
+ $IPTABLES -F INPUT
+ $IPTABLES -F OUTPUT
+ $IPTABLES -t nat -F
+ ## Transproxy rules for Tor
+ $IPTABLES -t nat -A OUTPUT ! -d 127.0.0.1 -m owner ! --uid-owner $TOR_UID -p tcp -j REDIRECT --to-ports 9040 | exit
+ $IPTABLES -t nat -A OUTPUT -p udp -m owner ! --uid-owner $TOR_UID -m udp --dport 53 -j REDIRECT --to-ports 5300 || exit
+# First rules in OUTPUT chain
+#iptables -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "Transproxy ctstate leak blocked: " --log-uid
+iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
+iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Transproxy state leak blocked: " --log-uid
+iptables -A OUTPUT -m state --state INVALID -j DROP
+iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j LOG --log-prefix "Transproxy leak blocked: " --log-uid
+iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j LOG --log-prefix "Transproxy leak blocked: " --log-uid
+iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
+iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
+ # Allow Tor and the network user
+ $IPTABLES -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT || exit
+ $IPTABLES -A OUTPUT -m owner --uid-owner $NETWORK_USER_ID -j ACCEPT
+ $IPTABLES -A INPUT -j LOG --log-prefix "OUTPUT DROPPED: " --log-uid || exit
+ $IPTABLES -A OUTPUT -j DROP || exit
+ # Create INPUT firewall. Allow established connections and transproxy
+ $IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || exit
+ $IPTABLES -A INPUT -i lo -j ACCEPT # Transproxy output comes from lo
+ $IPTABLES -A INPUT -d 127.0.0.1 -m udp -p udp --dport 5300 -j ACCEPT || exit
+ $IPTABLES -A INPUT -j LOG --log-prefix "INPUT DROPPED: " --log-uid || exit
+ $IPTABLES -A INPUT -j DROP || exit
+</file>
+<file bash "iptables.sh">
+#!/bin/sh
+### set variables
+#destinations you don't want routed through Tor
+_non_tor="192.168.1.0/24 192.168.0.0/24"
+#the UID that Tor runs as (varies from system to system)
+_tor_uid="109"
+#Tor's TransPort
+_trans_port="9040"
+#your internal interface
+_int_if="eth0"
+### flush iptables
+iptables -F
+iptables -t nat -F
+### set iptables *nat
+iptables -t nat -A OUTPUT -o lo -j RETURN
+iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN
+iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
+#allow clearnet access for hosts in $_non_tor
+for _clearnet in $_non_tor; do
+   iptables -t nat -A OUTPUT -d $_clearnet -j RETURN
+   iptables -t nat -A PREROUTING -i $_int_if -d $_clearnet -j RETURN
+done
+#redirect all other pre-routing and output to Tor
+iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port
+iptables -t nat -A PREROUTING -i $_int_if -p udp --dport 53 -j REDIRECT --to-ports 53
+iptables -t nat -A PREROUTING -i $_int_if -p tcp --syn -j REDIRECT --to-ports $_trans_port
+### set iptables *filter
+iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+#allow clearnet access for hosts in $_non_tor
+for _clearnet in $_non_tor 127.0.0.0/8; do
+ iptables -A OUTPUT -d $_clearnet -j ACCEPT
+done
+#allow only Tor output
+iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT
+iptables -A OUTPUT -j REJECT
+</file>
+<file bash "arch-iptables">
+/etc/iptables/iptables.rules
+*nat
+:PREROUTING ACCEPT [6:2126]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [17:6239]
+:POSTROUTING ACCEPT [6:408]
+-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
+-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
+-A OUTPUT -o lo -j RETURN
+--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
+-A OUTPUT -m owner --uid-owner "tor" -j RETURN
+-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
+-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
+--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
+--ipv6 -A INPUT -j REJECT
+--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
+--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
+--ipv6 -A OUTPUT -d ::1/8 -j ACCEPT
+-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
+--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
+--ipv6 -A OUTPUT -j REJECT
+COMMIT
+</file>
+Затем [[dnsmasq|настроить DHCP-сервер]] так, чтобы он выдвал наш прозрачный прокси в качестве единственного DNS-сервера своим клиентам в локальной сети.
+====== Ссылки ======
 [[https://trac.torproject.org/projects/tor/wiki/doc/OperationalSecurity|How to Run a Secure Tor Server]]
@@ Рядок 7: / Рядок 167: @@
 [[https://globe.torproject.org/ | Globe ]] [[https://atlas.torproject.org/ | Atlas]]
+[[https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy | Transparently Routing Traffic Through Tor]]
+[[https://wiki.archlinux.org/index.php/Tor | Tor at ArchLinux Wiki ]]