Користувальницькькі налаштування
tor
Розбіжності
Тут показані розбіжності між вибраною ревізією та поточною версією сторінки.
| Both sides previous revision Попередня ревізія Наступна ревізія | Попередня ревізія | ||
|
tor [2015/10/06 18:27] wombat TransparentProxy |
tor [2015/10/22 00:54] (поточний) wombat [Ссылки] ArchLinux Wiki |
||
|---|---|---|---|
| Рядок 1: | Рядок 1: | ||
| + | ====== Прозрачный прокси ====== | ||
| + | |||
| + | ===== На персональном компьютере ===== | ||
| + | |||
| + | |||
| + | ===== Общесетевой ===== | ||
| + | |||
| + | <file conf "/etc/tor/torrc"> | ||
| + | VirtualAddrNetworkIPv4 10.192.0.0/10 | ||
| + | AutomapHostsOnResolve 1 | ||
| + | TransPort 9040 | ||
| + | TransListenAddress 127.0.0.1 | ||
| + | TransListenAddress 192.168.1.1 | ||
| + | DNSPort 5353 | ||
| + | DNSListenAddress 127.0.0.1 | ||
| + | DNSListenAddress 192.168.1.1 | ||
| + | </file> | ||
| + | |||
| + | <file bash "iptables"> | ||
| + | #!/bin/bash | ||
| + | |||
| + | IPTABLES=/sbin/iptables | ||
| + | TOR_UID=`id -u debian-tor` | ||
| + | NETWORK_USER_ID=1000 | ||
| + | |||
| + | # Clear existing rules | ||
| + | $IPTABLES -F INPUT | ||
| + | $IPTABLES -F OUTPUT | ||
| + | $IPTABLES -t nat -F | ||
| + | |||
| + | |||
| + | ## Transproxy rules for Tor | ||
| + | $IPTABLES -t nat -A OUTPUT ! -d 127.0.0.1 -m owner ! --uid-owner $TOR_UID -p tcp -j REDIRECT --to-ports 9040 | exit | ||
| + | $IPTABLES -t nat -A OUTPUT -p udp -m owner ! --uid-owner $TOR_UID -m udp --dport 53 -j REDIRECT --to-ports 5300 || exit | ||
| + | |||
| + | |||
| + | # First rules in OUTPUT chain | ||
| + | #iptables -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "Transproxy ctstate leak blocked: " --log-uid | ||
| + | iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP | ||
| + | iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Transproxy state leak blocked: " --log-uid | ||
| + | iptables -A OUTPUT -m state --state INVALID -j DROP | ||
| + | |||
| + | iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j LOG --log-prefix "Transproxy leak blocked: " --log-uid | ||
| + | iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j LOG --log-prefix "Transproxy leak blocked: " --log-uid | ||
| + | iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP | ||
| + | iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP | ||
| + | |||
| + | |||
| + | # Allow Tor and the network user | ||
| + | $IPTABLES -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT || exit | ||
| + | $IPTABLES -A OUTPUT -m owner --uid-owner $NETWORK_USER_ID -j ACCEPT | ||
| + | $IPTABLES -A INPUT -j LOG --log-prefix "OUTPUT DROPPED: " --log-uid || exit | ||
| + | $IPTABLES -A OUTPUT -j DROP || exit | ||
| + | |||
| + | |||
| + | # Create INPUT firewall. Allow established connections and transproxy | ||
| + | $IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || exit | ||
| + | $IPTABLES -A INPUT -i lo -j ACCEPT # Transproxy output comes from lo | ||
| + | $IPTABLES -A INPUT -d 127.0.0.1 -m udp -p udp --dport 5300 -j ACCEPT || exit | ||
| + | $IPTABLES -A INPUT -j LOG --log-prefix "INPUT DROPPED: " --log-uid || exit | ||
| + | $IPTABLES -A INPUT -j DROP || exit | ||
| + | |||
| + | |||
| + | </file> | ||
| + | |||
| + | <file bash "iptables.sh"> | ||
| + | #!/bin/sh | ||
| + | |||
| + | ### set variables | ||
| + | #destinations you don't want routed through Tor | ||
| + | _non_tor="192.168.1.0/24 192.168.0.0/24" | ||
| + | |||
| + | #the UID that Tor runs as (varies from system to system) | ||
| + | _tor_uid="109" | ||
| + | |||
| + | #Tor's TransPort | ||
| + | _trans_port="9040" | ||
| + | |||
| + | #your internal interface | ||
| + | _int_if="eth0" | ||
| + | |||
| + | ### flush iptables | ||
| + | iptables -F | ||
| + | iptables -t nat -F | ||
| + | |||
| + | ### set iptables *nat | ||
| + | iptables -t nat -A OUTPUT -o lo -j RETURN | ||
| + | iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN | ||
| + | iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53 | ||
| + | |||
| + | #allow clearnet access for hosts in $_non_tor | ||
| + | for _clearnet in $_non_tor; do | ||
| + | iptables -t nat -A OUTPUT -d $_clearnet -j RETURN | ||
| + | iptables -t nat -A PREROUTING -i $_int_if -d $_clearnet -j RETURN | ||
| + | done | ||
| + | |||
| + | #redirect all other pre-routing and output to Tor | ||
| + | iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port | ||
| + | iptables -t nat -A PREROUTING -i $_int_if -p udp --dport 53 -j REDIRECT --to-ports 53 | ||
| + | iptables -t nat -A PREROUTING -i $_int_if -p tcp --syn -j REDIRECT --to-ports $_trans_port | ||
| + | |||
| + | ### set iptables *filter | ||
| + | iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
| + | |||
| + | #allow clearnet access for hosts in $_non_tor | ||
| + | for _clearnet in $_non_tor 127.0.0.0/8; do | ||
| + | iptables -A OUTPUT -d $_clearnet -j ACCEPT | ||
| + | done | ||
| + | |||
| + | #allow only Tor output | ||
| + | iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT | ||
| + | iptables -A OUTPUT -j REJECT | ||
| + | </file> | ||
| + | |||
| + | <file bash "arch-iptables"> | ||
| + | /etc/iptables/iptables.rules | ||
| + | |||
| + | |||
| + | *nat | ||
| + | :PREROUTING ACCEPT [6:2126] | ||
| + | :INPUT ACCEPT [0:0] | ||
| + | :OUTPUT ACCEPT [17:6239] | ||
| + | :POSTROUTING ACCEPT [6:408] | ||
| + | |||
| + | -A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353 | ||
| + | -A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040 | ||
| + | -A OUTPUT -o lo -j RETURN | ||
| + | --ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN | ||
| + | -A OUTPUT -m owner --uid-owner "tor" -j RETURN | ||
| + | -A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353 | ||
| + | -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040 | ||
| + | COMMIT | ||
| + | |||
| + | *filter | ||
| + | :INPUT DROP [0:0] | ||
| + | :FORWARD DROP [0:0] | ||
| + | :OUTPUT DROP [0:0] | ||
| + | |||
| + | -A INPUT -i lo -j ACCEPT | ||
| + | -A INPUT -p icmp -j ACCEPT | ||
| + | -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | ||
| + | --ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset | ||
| + | --ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable | ||
| + | --ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable | ||
| + | --ipv6 -A INPUT -j REJECT | ||
| + | --ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT | ||
| + | --ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT | ||
| + | --ipv6 -A OUTPUT -d ::1/8 -j ACCEPT | ||
| + | -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | ||
| + | -A OUTPUT -m owner --uid-owner "tor" -j ACCEPT | ||
| + | --ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable | ||
| + | --ipv6 -A OUTPUT -j REJECT | ||
| + | COMMIT | ||
| + | |||
| + | </file> | ||
| + | |||
| + | Затем [[dnsmasq|настроить DHCP-сервер]] так, чтобы он выдвал наш прозрачный прокси в качестве единственного DNS-сервера своим клиентам в локальной сети. | ||
| + | |||
| + | ====== Ссылки ====== | ||
| + | |||
| [[https://trac.torproject.org/projects/tor/wiki/doc/OperationalSecurity|How to Run a Secure Tor Server]] | [[https://trac.torproject.org/projects/tor/wiki/doc/OperationalSecurity|How to Run a Secure Tor Server]] | ||
| Рядок 9: | Рядок 169: | ||
| [[https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy | Transparently Routing Traffic Through Tor]] | [[https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy | Transparently Routing Traffic Through Tor]] | ||
| + | |||
| + | [[https://wiki.archlinux.org/index.php/Tor | Tor at ArchLinux Wiki ]] | ||
tor.1444145238.txt.bz2 · В останнє змінено: 2015/10/06 18:27 by wombat
Налаштування сторінки
Якщо не вказано інше, вміст цієї Вікі підпадає під дію такої ліцензії: CC Attribution-Share Alike 4.0 International
