[tor-talk] almost success toward complete tor enforcement, need little help now
Raviji
raviji157 at gmail.com
Tue Sep 18 13:44:17 UTC 2012
Dear list,
I wonder if I can setup a box which provides complete traffic enforcement through tor.
The tails project has encouraged me to work in that direction. With the tails documentations and with
some online guide like
https://cryptoanarchy.org/wiki/Build_your_own_livething
I am able to setup my running debian system almost a tor encrypted box,
with some small hitches which I belief can easily be solved with your technical guidance.
obfsproxy issue
=================
I have installed tor,pdnsd,ttdnsd,obfsproxy,polipo,vidalia
I have already collected the obfs IP address from a running tor bundle and then placed all those
at /etc/tor/torrc. tor is running with obfs.
[Q] How can I check online that obfs is functional ? https://check.torproject.org/ simply shows
tor is running, but no obfs related information.
polipo and firewall
=====================
Browsers configured to use polopo ( tor as parent) and the online check is successful (https://check.torproject.org/)
[Q] Is polipo really fast ? I hardly see any advantage comparing direct tor connection with out polipo.
[Q] What is the iptables rule to redirect all 80 and 443 traffic through polipo 8118 port ? Then no configuration is
required at browser level.
DNS and firewall
=================
I am using pdnsd (caching DNS proxy server) and ttdnsd ( udp to tcp converter )
/etc/pdnsd.conf content with this:
global {
perm_cache = 2048;
cache_dir = "/var/cache/pdnsd";
run_as = "pdnsd";
server_ip = 127.0.0.1;
status_ctl = on;
min_ttl = 15m;
max_ttl = 1w;
timeout = 120;
}
# Tor DNS resolver
server {
label = "tor";
ip = 127.0.0.1;
port = 8853;
uptest = none;
exclude=".invalid";
policy=included;
proxy_only = on;
lean_query = on;
}
# ttdnsd
server {
label = "ttdnsd";
ip = 127.0.0.2;
port = 53;
uptest = none;
exclude=".invalid",".exit",".onion";
policy=included;
proxy_only = on;
lean_query = on;
}
/etc/tor/torrc has
DNSPort 8853
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion
So ttdnsd running at port 53 at 127.0.0.2 and tor dns at 127.0.0.1 port 8853.
But nmap shows ( #nmap -p 1-65535 localhost )
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
111/tcp open rpcbind
631/tcp open ipp
8118/tcp open privoxy
9040/tcp open tor-trans
9050/tcp open tor-socks
9051/tcp open tor-control
no open port for tor-dns
[Q] How can I enforce all udp to go through local DNS port and which one 53 or 8853 ?
<...>
iptables -t nat -A OUTPUT ! -o lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
iptables -t filter -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
<...>
is not working. Can't do any dns resolution, even ping failed to gmail.com
iptables to route all traffic and blocked all non tor
======================================================
LAN and lo (localhost) don't need to go through tor
port 80/443 should go through poliop port 8118,
all dns query should go through local 53 ( or 8853 ? ) port
And the rest of the traffic should go through tor 9050 port, anything left should be dropped.
The example iptables given at tails site is not working for me. Could anyone kindly give such a
rule sets please ?
Many many thanks for designing tor :-)
More information about the tor-talk
mailing list