Nytro

TOR relay and transparent routing


[h=3]TOR relay and transparent routing[/h]
[h=2]Friday, January 18, 2013[/h]
I assume you already know about TOR, The Onion Router, the anonymity network that protects your privacy.

TOR is a network, so it only works if there are nodes (relays). If you have a server, consider running one. Afraid of legal issues? You do not need to run an exit node; a non-exit relay is just fine: everything it carries is encrypted.

This post will show you how easy it is to set up a TOR relay on Debian, how to nicely monitor it and how to use it as a transparent router.

[h=3]Setup[/h]
Simple: a NAT router with a LAN behind it, containing a server and a workstation.

           ________                ________
internet  |        |     LAN       |        |
----------|  (NAT) |---------------| server | 192.168.0.1
 1.2.3.4  | router |---------.     |________|
          |________|         |
                       ______|______
                      |             |
                      | workstation | 192.168.0.2
                      |_____________|

[h=3]Install[/h]
If you are not root, use sudo -i or su to get a root shell, then:

# echo 'deb http://deb.torproject.org/torproject.org squeeze main' \
>> /etc/apt/sources.list
# gpg --recv 74A941BA219EC810
# gpg --export --armor 74A941BA219EC810 | apt-key add -
# apt-get update
# apt-get install tor

[h=3]Prepare a control password[/h]
You will need a password to remotely control your TOR server:

$ tor --hash-password test
[...]
16:A908451A24E6A06D604B4D30592A14A177FD276103658D4F10D9C4B12F
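The 16: value that tor --hash-password prints is an RFC 2440 iterated-and-salted SHA-1: 8 bytes of random salt, one coded count byte (0x60, meaning 65536 bytes are hashed) and the 20-byte digest. The following Python is an added example, not code from the post or from Tor itself; it reproduces that format and lets you check a candidate password against a HashedControlPassword line without starting Tor. PAGE_HASH is the hash quoted above; the helper names are my own.

```python
import hashlib
import hmac
import os

# Hash quoted in the post: output of `tor --hash-password test`
PAGE_HASH = "16:A908451A24E6A06D604B4D30592A14A177FD276103658D4F10D9C4B12F"
EXPBIAS = 6            # RFC 2440 iterated S2K exponent bias
TOR_COUNT_BYTE = 0x60  # coded count byte Tor emits: (16+0) << (6+6) = 65536 bytes

def s2k_count(count_byte):
    """Decode the RFC 2440 coded count byte into the number of bytes hashed."""
    return (16 + (count_byte & 15)) << ((count_byte >> 4) + EXPBIAS)

def s2k_sha1(password, salt, count_byte=TOR_COUNT_BYTE):
    """Iterated-and-salted SHA-1 over salt||password, as Tor's crypto_s2k does."""
    if len(salt) != 8:
        raise ValueError("salt must be exactly 8 bytes")
    block = salt + password.encode("utf-8")
    remaining = s2k_count(count_byte)
    h = hashlib.sha1()
    while remaining > 0:  # repeat the block until exactly `remaining` bytes are fed
        chunk = block if remaining >= len(block) else block[:remaining]
        h.update(chunk)
        remaining -= len(chunk)
    return h.digest()

def hash_control_password(password, salt=None):
    """Build a HashedControlPassword value in the same format as tor --hash-password."""
    salt = os.urandom(8) if salt is None else salt
    blob = salt + bytes([TOR_COUNT_BYTE]) + s2k_sha1(password, salt)
    return "16:" + blob.hex().upper()

def parse_hashed_password(hashed):
    """Split a '16:' value into (salt, count_byte, digest); rejects other formats."""
    if not hashed.startswith("16:"):
        raise ValueError("only the 16: (salted SHA-1) format is supported")
    raw = bytes.fromhex(hashed[3:])
    if len(raw) != 8 + 1 + 20:
        raise ValueError("malformed HashedControlPassword value")
    return raw[:8], raw[8], raw[9:]

def verify_control_password(password, hashed):
    """Check a candidate password against a torrc hash (constant-time compare)."""
    salt, count_byte, digest = parse_hashed_password(hashed)
    return hmac.compare_digest(s2k_sha1(password, salt, count_byte), digest)
```

Run verify_control_password("test", PAGE_HASH) to confirm the post's hash against its password before pasting it into torrc.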

[h=3]Configuration[/h]
Open /etc/tor/torrc with your favourite editor and configure a few things:

# TOR SOCKS port
SocksPort 0.0.0.0:9050

# Control port
ControlPort 0.0.0.0:9051
HashedControlPassword 16:A908451(...the hash above...)10D9C4B12F

# TOR relay port
ORPort 9001

# Throttle traffic to 100KB/s (800Kbps) but allow bursts up to 200KB/s (1600Kbps)
RelayBandwidthRate 100 KB
RelayBandwidthBurst 200 KB

# No exits allowed, just be a relay node
ExitPolicy reject *

# Transparent router
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 0.0.0.0:9040
DNSPort 0.0.0.0:53

Apply:

# invoke-rc.d tor reload

[h=3]Firewall[/h]
I like iptables with ferm, for easy rule making. Edit /etc/ferm/ferm.conf:

domain ip {
    table filter {
        chain INPUT {
            proto tcp dport 9001 ACCEPT; # ORPort
            saddr 192.168.0.0/24 {
                proto udp dport 53 ACCEPT; # DNSPort
                proto tcp dport 9040 ACCEPT; # TransPort
                proto tcp dport 9050 ACCEPT; # SocksPort
                proto tcp dport 9051 ACCEPT; # ControlPort
            }
        }
    }
    table nat {
        chain PREROUTING {
            interface eth0 saddr 192.168.0.0/24 {
                proto udp dport 53 REDIRECT to-ports 53; # DNSPort
                proto tcp syn REDIRECT to-ports 9040; # TransPort
            }
        }
    }
}

Apply:

# invoke-rc.d ferm reload

[h=3]Port forwarding[/h]
The only port you need to forward from your router to your TOR server is 9001.

If your router is also a Linux server, you can do this with ferm again. Edit /etc/ferm/ferm.conf:

domain ip {
    table nat {
        chain PREROUTING {
            daddr 1.2.3.4 {
                proto tcp dport 9001 DNAT to 192.168.0.1; # ORPort
            }
        }
    }
}

Apply:

# invoke-rc.d ferm reload

[h=3]Monitoring[/h]
I like ARM, the Anonymizing Relay Monitor, in the console:

[screenshot: arm console monitor, page 1]

Install:

# apt-get install tor-arm

And start it:

# arm

You can also run arm remotely, by connecting to the ControlPort (9051) with the control password.

[h=3]Use TOR on the workstation[/h]
Instead of using TOR for the whole system, let's add a tor user whose traffic will pass through TOR, while other users still use the normal connection:

# adduser tor

Now we set up policy routing based on the user.

Edit /etc/ferm/ferm.conf to mark packets coming from the tor user:

domain ip {
    table mangle {
        chain OUTPUT {
            mod owner uid-owner tor MARK set-mark 0x1;
        }
    }
}

Apply:

# invoke-rc.d ferm reload

And route packets differently based on the mark:

# ip rule add fwmark 0x1 table 100
# ip route add default via 192.168.0.1 table 100
# ip route flush cache

To persist after a reboot, edit /etc/network/interfaces and add three post-up lines to your network interface:

auto eth0
iface eth0 inet static
    address 192.168.0.2
    netmask 255.255.255.0
    gateway 192.168.0.254
    post-up ip rule add fwmark 0x1 table 100
    post-up ip route add default via 192.168.0.1 table 100
    post-up ip route flush cache

Now try:

tor$ curl ifconfig.me
[not your IP but a TOR exit node]

Posted by StalkR at 22:22

Source: StalkR's Blog: TOR relay and transparent routing
