Yet another UDP / DNS question...
Tomasz Moskal
ramshackle.industries at gmail.com
Sat Feb 12 04:30:37 UTC 2011
I feel that I should explain something before I start asking any
questions, so here we go: I'm a fresh convert to Linux (barely a few
weeks on Ubuntu!) and, as much as I'm fascinated by the matters relating
to networking, security and anonymity, in equal measure I'm intimidated
by them. I don't possess any deep knowledge of those topics; I can still
barely handle the basics. But with the wealth of knowledge out there and
a healthy dose of experimentation I intend to change this. So if my
questions are naive (or plainly stupid), please bear in mind that I'm new
here. And now for what is bothering me...
I was reading Transparently Routing Traffic Through Tor
<https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy> and although I don't need to run Tor as a transparent proxy, I like the idea of routing the UDP/DNS requests to localhost. If I reroute all those requests with iptables to the port on which Tor is listening, I should have no problems with DNS leaking, right? That should do the trick then:
1. torrc
DNSPort 53
DNSListenAddress 127.0.0.1
2. resolv.conf
nameserver 127.0.0.1
3. iptables
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
iptables -A OUTPUT -j REJECT
I'm not an expert regarding iptables and 'man iptables' is *very*
frightening for someone who barely scratches the surface of all this.
From step three above I sort of understand the purpose of rules three
and four, but the rest of them... Are they needed in this example, or can
they be safely omitted? If in fact they are required for this set-up to
work, what is their purpose? I will of course replace $INT_IF and
$TOR_UID with the required values.
--
Tomasz Moskal <ramshackle.industries at gmail.com>
Encrypted mail preferred. Key ID: 2C323C82
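Added example, not code from the original post or from the Tor project: a small POSIX shell script that generates the nat and filter rules from the three-step set-up above for a given Tor uid, interface and DNSPort (a dry run you can compare against what is installed), and then audits an `iptables-save` dump for the properties that decide whether DNS can still leak: UDP/53 from non-Tor users is redirected to Tor's DNSPort, the Tor uid is exempted before that redirect, and the filter OUTPUT chain ends in REJECT. Two caveats a practitioner would add to the post: binding `DNSPort 53` requires root, while Tor normally runs unprivileged, so the usual choice is an unprivileged port such as 5353 with `REDIRECT --to-ports 5353` (that redirect is also what catches applications that ignore resolv.conf and talk to a hard-coded resolver); and Tor's DNSPort speaks UDP only and answers only a limited set of query types (A, AAAA and PTR), so the final REJECT is what keeps TCP/53 and any other direct traffic from leaving the box rather than leaking. The uid (109), interface (eth0) and port (5353) are placeholders, and both dumps are constructed here, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Tor project.
# Two helpers for the torrc / resolv.conf / iptables set-up discussed above:
#   gen_rules  - prints the nat and filter rules for a given Tor uid,
#                internal interface and DNSPort instead of applying them
#   audit_dump - reads an `iptables-save` dump on stdin and checks the
#                properties that decide whether DNS can leak past Tor
# Assumptions: the uid (109), interface (eth0) and port (5353) below are
# placeholders; the dumps are constructed here, not captured from a host.

gen_rules() {   # usage: gen_rules TOR_UID INT_IF DNS_PORT
  tor_uid=$1; int_if=$2; dns_port=$3
  cat <<EOF
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner $tor_uid -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $dns_port
iptables -t nat -A PREROUTING -i $int_if -p udp --dport 53 -j REDIRECT --to-ports $dns_port
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $tor_uid -j ACCEPT
iptables -A OUTPUT -j REJECT
EOF
}

# Exit 0 when the dump pins UDP/53 to Tor and rejects other non-Tor egress,
# 1 otherwise (with one FAIL line per problem found).
audit_dump() {
  awk '
    /^\*/ { table = substr($0, 2); next }
    table == "nat" && /^-A OUTPUT / {
      n++
      if (!owner_idx && /-m owner --uid-owner [^ ]+ -j RETURN/) owner_idx = n
      if (/-p udp/ && /--dport 53/ && /-j REDIRECT --to-ports [0-9]+/) redir_idx = n
    }
    table == "filter" && /^-A OUTPUT / {
      last = $0
      if (/-m owner --uid-owner [^ ]+ -j ACCEPT/) tor_accept = 1
    }
    END {
      ok = 1
      if (!redir_idx) { print "FAIL: no UDP/53 REDIRECT in nat OUTPUT"; ok = 0 }
      else if (!owner_idx || owner_idx > redir_idx) {
        print "FAIL: the Tor uid RETURN must come before the REDIRECT"; ok = 0 }
      if (!tor_accept) { print "FAIL: no ACCEPT for the Tor uid in filter OUTPUT"; ok = 0 }
      if (last !~ /-j (REJECT|DROP)/) {
        print "FAIL: filter OUTPUT does not end in REJECT/DROP, TCP/53 and direct traffic can leave"; ok = 0 }
      if (ok) print "OK: UDP/53 goes to Tor, everything else non-Tor is rejected"
      exit (ok ? 0 : 1)
    }'
}

# Constructed iptables-save dump (iptables-save writes uids numerically and
# inserts "-m udp"; the audit tolerates both that form and the typed form).
SAMPLE_GOOD=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j RETURN
-A OUTPUT -m owner --uid-owner 109 -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING -i eth0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
COMMIT
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner 109 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
)
# Same set-up with the final REJECT forgotten: UDP/53 still reaches Tor, but
# TCP/53 (and any application that talks to the network directly) leaks.
SAMPLE_LEAKY=$(printf '%s\n' "$SAMPLE_GOOD" | grep -v -- '-j REJECT')

echo "== generated rules ==";   gen_rules 109 eth0 5353
echo "== audit: good dump ==";  printf '%s\n' "$SAMPLE_GOOD"  | audit_dump
echo "== audit: leaky dump =="; printf '%s\n' "$SAMPLE_LEAKY" | audit_dump || :
```

On a real host the audit is run as `iptables-save | audit_dump`; the generated rules are meant to be read and compared, not piped into a shell, since applying the final REJECT on a box you administer remotely will cut your own session if the Tor uid and ESTABLISHED rules are not in front of it.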