====== Transparent proxy ======

===== On a personal computer =====

For a single host, the torrc below and the first iptables script in the next section (nat OUTPUT rules only, no PREROUTING) are sufficient; in that case drop the 192.168.1.1 TransListenAddress/DNSListenAddress lines so that the proxy ports are not offered to the LAN at all.

===== Network-wide =====

<file conf "/etc/tor/torrc">
# .onion/.exit names resolved via DNSPort get a placeholder address from this
# range; a connection to that address arriving on TransPort is mapped back to
# the hidden service, so transparently proxied clients can reach .onion sites
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
# transparent proxy port: the iptables rules below redirect TCP here
TransPort 9040
TransListenAddress 127.0.0.1
TransListenAddress 192.168.1.1
# DNS resolver port: the iptables rules below redirect UDP/53 here
DNSPort 5353
DNSListenAddress 127.0.0.1
DNSListenAddress 192.168.1.1
# (2015 syntax; later Tor releases deprecate the *ListenAddress options in
# favour of "TransPort 192.168.1.1:9040" and "DNSPort 192.168.1.1:5353")
</file>

<file bash "iptables">
#!/bin/bash
# Variant 1: redirects only this host's own traffic (nat OUTPUT). There are no
# PREROUTING rules, so LAN clients are not handled; the two variants below are
# the network-wide ones.

IPTABLES=/sbin/iptables
TOR_UID=$(id -u debian-tor)   # "tor" on Arch, "debian-tor" on Debian/Ubuntu
NETWORK_USER_ID=1000          # local user allowed to send anything at all (see filter OUTPUT)
TRANS_PORT=9040               # must match TransPort in torrc
DNS_PORT=5353                 # must match DNSPort in torrc

# Clear existing rules
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -t nat -F

## Transproxy rules for Tor: every TCP connection not opened by Tor itself goes
## to TransPort, every DNS query not sent by Tor goes to DNSPort
$IPTABLES -t nat -A OUTPUT ! -d 127.0.0.1 -m owner ! --uid-owner $TOR_UID -p tcp -j REDIRECT --to-ports $TRANS_PORT || exit
$IPTABLES -t nat -A OUTPUT -p udp -m owner ! --uid-owner $TOR_UID -m udp --dport 53 -j REDIRECT --to-ports $DNS_PORT || exit

# First rules in OUTPUT chain: packets conntrack cannot place belong to no
# redirected connection and would leave with their real destination
$IPTABLES -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "Transproxy ctstate leak blocked: " --log-uid
$IPTABLES -A OUTPUT -m conntrack --ctstate INVALID -j DROP

# Stray FIN/RST segments of connections the kernel no longer tracks must not
# escape to the real destination either
$IPTABLES -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j LOG --log-prefix "Transproxy leak blocked: " --log-uid
$IPTABLES -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j LOG --log-prefix "Transproxy leak blocked: " --log-uid
$IPTABLES -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
$IPTABLES -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP

# Allow Tor and the network user; every other uid is logged and dropped,
# redirected or not
$IPTABLES -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT || exit
$IPTABLES -A OUTPUT -m owner --uid-owner $NETWORK_USER_ID -j ACCEPT
$IPTABLES -A OUTPUT -j LOG --log-prefix "OUTPUT DROPPED: " --log-uid || exit
$IPTABLES -A OUTPUT -j DROP || exit

# Create INPUT firewall. Allow established connections and transproxy
$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || exit
$IPTABLES -A INPUT -i lo -j ACCEPT   # redirected traffic arrives via lo
$IPTABLES -A INPUT -d 127.0.0.1 -p udp -m udp --dport $DNS_PORT -j ACCEPT || exit
$IPTABLES -A INPUT -j LOG --log-prefix "INPUT DROPPED: " --log-uid || exit
$IPTABLES -A INPUT -j DROP || exit
</file>

<file bash "iptables.sh">
#!/bin/sh
# Variant 2: middlebox. Traffic from the LAN (PREROUTING) and from this host
# (OUTPUT) is redirected to Tor, except for the networks listed in $_non_tor.

### set variables
# destinations you don't want routed through Tor
_non_tor="192.168.1.0/24 192.168.0.0/24"

# the UID that Tor runs as (varies from system to system; the account is
# "debian-tor" on Debian/Ubuntu)
_tor_uid=$(id -u tor)

# Tor's TransPort and DNSPort, as set in torrc
_trans_port="9040"
_dns_port="5353"

# your internal interface
_int_if="eth0"

### flush iptables
iptables -F
iptables -t nat -F

### set iptables *nat
# loopback traffic and Tor's own packets must leave the chain before any REDIRECT
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $_dns_port

# allow clearnet access for hosts in $_non_tor
for _clearnet in $_non_tor; do
    iptables -t nat -A OUTPUT -d $_clearnet -j RETURN
    iptables -t nat -A PREROUTING -i $_int_if -d $_clearnet -j RETURN
done

# redirect all other pre-routing and output to Tor (only the SYN of a
# connection needs redirecting; conntrack takes care of the remaining packets)
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port
iptables -t nat -A PREROUTING -i $_int_if -p udp --dport 53 -j REDIRECT --to-ports $_dns_port
iptables -t nat -A PREROUTING -i $_int_if -p tcp --syn -j REDIRECT --to-ports $_trans_port

### set iptables *filter
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# allow clearnet access for hosts in $_non_tor, plus loopback, where the
# redirected connections now go
for _clearnet in $_non_tor 127.0.0.0/8; do
    iptables -A OUTPUT -d $_clearnet -j ACCEPT
done

# allow only Tor output; everything else (non-DNS UDP, ICMP, ...) is rejected
iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT
iptables -A OUTPUT -j REJECT
</file>

<file conf "/etc/iptables/iptables.rules">
# Variant 3 (Arch): middlebox with a default-deny filter table, in
# iptables-restore format. The --ipv4/--ipv6 prefixes let the same file be
# loaded by both iptables-restore and ip6tables-restore.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# LAN clients: DNS to Tor's DNSPort, new TCP connections to Tor's TransPort
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
# this host: loopback, the LAN and Tor itself leave the chain untouched
-A OUTPUT -o lo -j RETURN
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# redirected LAN traffic arrives as NEW connections to the local TransPort and
# DNSPort; without these two rules the REJECTs below kill it
--ipv4 -A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 9040 -j ACCEPT
--ipv4 -A INPUT -s 192.168.0.0/16 -p udp -m udp --dport 5353 -j ACCEPT
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
--ipv6 -A INPUT -j REJECT
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
--ipv6 -A OUTPUT -d ::1/128 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
--ipv6 -A OUTPUT -j REJECT
COMMIT
</file>

Then [[dnsmasq|configure the DHCP server]] so that it hands out our transparent proxy (the 192.168.1.1 address Tor listens on in the torrc above) as the only DNS server to its clients on the local network. With the PREROUTING rule in place, every client query to port 53 on the proxy is redirected to Tor's DNSPort, so no query reaches the local resolver or leaves in the clear.

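Added example, not code from the page above or from the Tor project: a bash checker that reads a torrc and an ''iptables-save'' dump and refuses the pair when they disagree on the ports (REDIRECT ''--to-ports'' versus ''TransPort''/''DNSPort''), when Tor's own uid is not RETURNed out of nat OUTPUT before the first REDIRECT (Tor would be redirected into its own TransPort), or when filter OUTPUT has neither a DROP policy nor a closing DROP/REJECT rule. The torrc, the two rule files and Tor's uid 43 are constructed sample data written by ''make_samples''; all function names are the example's own.

```bash
#!/bin/bash
# Added example (not code from the original page): cross-check a torrc against
# an iptables-save dump before loading it. REDIRECT ports must be the ports Tor
# listens on, Tor's uid must be exempted before the first REDIRECT in nat
# OUTPUT, and filter OUTPUT must be default-deny. The torrc, rules and uid 43
# below are constructed sample data.

# torrc_port TORRC DIRECTIVE: port of "TransPort 9040" or "TransPort 192.168.1.1:9040".
torrc_port() {
    awk -v key="$2" '$1 == key { sub(/^.*:/, "", $2); print $2; exit }' "$1"
}

# Drop the --ipv4/--ipv6 prefix used in files shared by iptables/ip6tables-restore.
_rules() { sed 's/^--ipv[46] *//' "$1"; }

# redirect_ports DUMP TABLE CHAIN PROTO: --to-ports of every REDIRECT rule for PROTO.
redirect_ports() {
    _rules "$1" | awk -v table="*$2" -v chain="$3" -v proto="$4" '
        $1 == table { in_t = 1; next }
        $1 == "COMMIT" { in_t = 0 }
        in_t && $1 == "-A" && $2 == chain && /-j REDIRECT/ {
            for (i = 3; i <= NF; i++) {
                if ($i == "-p" && $(i + 1) != proto) next
                if ($i == "--to-ports") print $(i + 1)
            }
        }' | sort -u
}

# rule_index DUMP TABLE CHAIN REGEX: 1-based position of the first matching rule, 0 if none.
rule_index() {
    _rules "$1" | awk -v table="*$2" -v chain="$3" -v pat="$4" '
        $1 == table { in_t = 1; n = 0; next }
        $1 == "COMMIT" { in_t = 0 }
        in_t && $1 == "-A" && $2 == chain { n++; if ($0 ~ pat) { found = n; exit } }
        END { print found + 0 }'
}

# disposition DUMP TABLE CHAIN: "POLICY:TARGET", the chain policy and the last rule's -j target.
disposition() {
    _rules "$1" | awk -v table="*$2" -v chain="$3" '
        $1 == table { in_t = 1; next }
        $1 == "COMMIT" { in_t = 0 }
        in_t && $1 == (":" chain) { pol = $2 }
        in_t && $1 == "-A" && $2 == chain { for (i = 3; i <= NF; i++) if ($i == "-j") t = $(i + 1) }
        END { print pol ":" t }'
}

# check_transproxy TORRC DUMP TOR_UID: one FAIL line per problem; status 0 only if all pass.
check_transproxy() {
    local torrc=$1 dump=$2 uid=$3 rc=0 trans dns chain p exempt redir
    trans=$(torrc_port "$torrc" TransPort)
    dns=$(torrc_port "$torrc" DNSPort)
    [ -n "$trans" ] || { echo "FAIL: torrc sets no TransPort"; rc=1; }
    [ -n "$dns" ]   || { echo "FAIL: torrc sets no DNSPort"; rc=1; }
    for chain in OUTPUT PREROUTING; do
        for p in $(redirect_ports "$dump" nat "$chain" tcp); do
            [ "$p" = "$trans" ] || { echo "FAIL: nat $chain sends TCP to port $p, TransPort is ${trans:-unset}"; rc=1; }
        done
        for p in $(redirect_ports "$dump" nat "$chain" udp); do
            [ "$p" = "$dns" ] || { echo "FAIL: nat $chain sends DNS to port $p, DNSPort is ${dns:-unset}"; rc=1; }
        done
    done
    # Tor's own packets must leave nat OUTPUT before any REDIRECT.
    exempt=$(rule_index "$dump" nat OUTPUT "--uid-owner $uid -j RETURN")
    redir=$(rule_index "$dump" nat OUTPUT "-j REDIRECT")
    if [ "$exempt" -eq 0 ] || { [ "$redir" -ne 0 ] && [ "$exempt" -gt "$redir" ]; }; then
        echo "FAIL: nat OUTPUT does not exempt uid $uid before its first REDIRECT"; rc=1
    fi
    # Whatever is not explicitly allowed out must be dropped or rejected.
    case "$(disposition "$dump" filter OUTPUT)" in
        DROP:*|*:DROP|*:REJECT) ;;
        *) echo "FAIL: filter OUTPUT is not default-deny"; rc=1 ;;
    esac
    return $rc
}

# make_samples DIR: constructed torrc, a matching rules file in iptables-save
# format, and a broken copy whose DNS redirects point at a port Tor is not on.
make_samples() {
    cat > "$1/torrc" <<'EOF'
TransPort 9040
TransListenAddress 192.168.1.1
DNSPort 5353
EOF
    cat > "$1/good.rules" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING ! -i lo -p tcp -m tcp --syn -j REDIRECT --to-ports 9040
-A OUTPUT -o lo -j RETURN
-A OUTPUT -m owner --uid-owner 43 -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --syn -j REDIRECT --to-ports 9040
COMMIT
*filter
:OUTPUT ACCEPT [0:0]
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner 43 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
    sed 's/--to-ports 5353/--to-ports 5300/' "$1/good.rules" > "$1/bad.rules"
}

# Demo on the samples. On a live box: iptables-save > dump, then
# check_transproxy /etc/tor/torrc dump "$(id -u tor)" before loading new rules.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_transproxy "$demo_dir/torrc" "$demo_dir/good.rules" 43 && echo "good.rules: OK"
check_transproxy "$demo_dir/torrc" "$demo_dir/bad.rules" 43 || echo "bad.rules: rejected"
rm -rf "$demo_dir"
```

Pass the uid numerically, as ''iptables-save'' prints it (the ''"tor"'' spelling in the rules file above is resolved to a number on load). The checker deliberately reads the saved format rather than calling ''iptables'' itself, so it can run against a rules file before it is ever loaded.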
====== Links ======

[[https://trac.torproject.org/projects/tor/wiki/doc/OperationalSecurity|How to Run a Secure Tor Server]]

[[https://www.torproject.org/docs/tor-relay-debian.html.en|Configuring a Tor relay on Debian/Ubuntu]]

[[https://www.torproject.org/docs/tor-doc-unix.html.en|Running the Tor client on Linux/BSD/Unix]]

[[https://globe.torproject.org/|Globe]] [[https://atlas.torproject.org/|Atlas]]

[[https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy|Transparently Routing Traffic Through Tor]]

[[https://wiki.archlinux.org/index.php/Tor|Tor at ArchLinux Wiki]]
tor.txt · Last modified: 2015/10/21 21:54 by wombat