[tor-talk] Installing Debian 7.3 Wheezy as Tor gateway
alycetaylor at bitmessage.ch
alycetaylor at bitmessage.ch
Sat Jan 11 07:16:56 UTC 2014
This is a transparent tor proxy setup.
Original article can be found at http://hbjw7wjeoltskhol.onion/blog/view/13347/installing-debian-73-wheezy-as-tor-gateway
I would appreciate any feedback on how secure or sound this is.
Especially if anything should be added with sysctl
Thanks for taking the time.
------------------------------------
Installing Debian 7.3 Wheezy as Tor gateway
I think it's about time I revisited this old topic (http://hbjw7wjeoltskhol.onion/blog/view/3251/wip-safe-secure-hidden-service-proposal).
This isn't perfect, macchanger kept messing up and I'm not doing any timezone changes. I also couldn't find the torbutton plugin anywhere. If you know how set those up lemme know.
SOMEONE PLEASE REVIEW!
After doing this I noticed that it's NOT the same as setting up a normal gateway.
You don't need to do any Masquerading, also you don't need to set the sysctl /proc/sys/net/ipv4/ip_forward flag
Most of this will be a ripoff from the Tails and Whonix projects :)
And this https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
*** Goals ***
The goal is to setup debian on a computer with 2 network cards and it will act as a gateway to *compromised* machines which we'll call clients
It will run standalone tor as a daemon acting as a tor gateway but at the same time it will allow using TBB 3.5
The client connected to the network *does not* need any special configuration other that setting the static IP, nameserver and gateway.
The client can also host a website or a service and it will only be accessible via the gateway.
The client must not be able to access the gateway apart from DNS and must not be able to access any of the machines on the LAN.
The client must not be able to get it's network public IP.
Computers on the LAN must not be able to access the client machine. Only the gateway is allowed access.
All internet tcp traffic will go thru tor.
*** Requirements ***
1) A physical computer with 2 ethernet cards.
The side connected to the private lan will have IP 10.10.10.3 and gateway to the internet via 10.10.10.1, it will be called eth0
The side connected to the compromised clients will have IP 10.20.20.4, it will be called eth1
2) Any computer that will act as a client it can have any IP in the 10.20.20.0 range other than 10.20.20.4
Setup the networking configurations of the client computer to the following:
IP: 10.20.20.10
DNS: 10.20.20.4
Gateway: 10.20.20.4
Netmask: 255.255.255.0
Also run a webserver on the client listening on port 80 and accepting connections from 10.20.20.4
A switch to connect to 2 computers together.
Let's get started.
***Debian DVD Install***
First I downloaded and burned the 1st Debian DVD debian-7.3.0-i386-DVD-1.iso
I followed the default installation steps including:
Using full guided LVM. (For encrypted LVM it will take a long time to wipe)
Added the debian ftp repo to the sources file.
I only selected the Debian Desktop Enviroment and SSH, I deselected print server.
And created the non-admin user amnesia.
basic stuff.
*** First Boot ***
*** Create the user clearnet ***
Log into amnesia user and create a new user called clearnet.
You can either adduser or from the GUI click on Activity and in the search type User Accounts.
*** Disable root ssh ***
Next edit the file /etc/ssh/sshd_config
Uncomment the line
ListenAddress 0.0.0.0
and change the line PermitRootLogin yes to
PermitRootLogin no
*** Optional: Removing the DVD from apt sources ***
Edit /etc/apt/sources.list and uncomment the line that starts with deb cdrom
*** Disable a bunch of daemons ***
Next go to the folder /etc/rc2.d and list it.
Enabled services start with SXX and disabled services start with KXX
We want to disable network-manager from running.
To test run a command use the -n flag.
*Note: You don't have to disable all of them
update-rc.d network-manager disable
update-rc.d avahi-daemon disable
update-rc.d bluetooth disable
update-rc.d minissdpd disable
update-rc.d speech-dispatcher disable
update-rc.d saned disable
*** Setup the network interfaces ***
Next I assign IPs to the network interfaces.
Edit the file /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
post-up /root/spoof-iptables.sh
auto eth0
iface eth0 inet static
address 10.10.10.3
netmask 255.255.255.0
gateway 10.10.10.1
broadcast 10.10.10.255
#pre-up /root/spoof-iptables.sh
auto eth1
iface eth1 inet static
address 10.20.20.4
netmask 255.255.255.0
broadcast 10.20.20.255
*** Setup iptables and macchanger scripts ***
Create a new file /root/spoof-iptables.sh
#!/bin/sh
#
/root/spoof.mac.sh
/root/iptables.up.rules.sh
Create the file /root/spoof.mac.sh
#!/bin/sh
#
#macchanger -e eth0
#macchanger -e eth1
Create the file /root/iptables.up.rules.sh
#!/bin/sh
#
echo "nameserver 127.0.0.1" > /etc/resolv.conf
########################################################
# Flush previous rules, delete chains and reset counters
########################################################
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t nat -Z
##########################
# Default policies *filter
##########################
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
##################
#Log for debugging
##################
#/sbin/iptables -A INPUT -j LOG --log-prefix "Inbound packet: " --log-level 7 --log-uid
#/sbin/iptables -A OUTPUT -j LOG --log-prefix "Outbound packet: " --log-level 7 --log-uid
#/sbin/iptables -t nat -A OUTPUT -j LOG --log-prefix "Nat output packet: " --log-level 7 --log-uid
#/sbin/iptables -t nat -A PREROUTING -j LOG --log-prefix "Nat prerouting packet: " --log-level 7 --log-uid
#/sbin/iptables -t nat -A POSTROUTING -j LOG --log-prefix "Nat post-routing packet: " --log-level 7 --log-uid
##########
#LAN chain
##########
/sbin/iptables -N lan
#/sbin/iptables -A lan -j LOG --log-prefix "lan packet: " --log-level 7 --log-uid
/sbin/iptables -A lan -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A lan -j ACCEPT
#############
#OUTPUT chain
#############
/sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
####################################################
#lan networks I want to connect to from this machine
####################################################
/sbin/iptables -A OUTPUT -d 10.10.10.0/255.255.255.0 -j lan
/sbin/iptables -A OUTPUT -d 10.20.20.0/255.255.255.0 -j lan
#/sbin/iptables -A OUTPUT -d 10.0.0.0/8 -j lan
#/sbin/iptables -A OUTPUT -d 172.16.0.0/12 -j lan
#/sbin/iptables -A OUTPUT -d 192.168.0.0/16 -j lan
#############################################
#Allow debian-tor user and VirtualAddrNetwork
#############################################
/sbin/iptables -A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
/sbin/iptables -A OUTPUT -d 10.192.0.0/10 -j ACCEPT
/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --syn --dport 9040 -j ACCEPT
###########################################
#other daemon users that are granted access
###########################################
/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -p tcp -m tcp --dport 25 -m owner --uid-owner Debian-exim -j ACCEPT
/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -p tcp -m tcp --syn --dport 9050 -m owner --uid-owner nobody -j ACCEPT
/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -p tcp -m tcp --syn --dport 9050 -m owner --uid-owner privoxy -j ACCEPT
/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -p tcp -m tcp --syn --dport 9050 -m owner --uid-owner proxy -j ACCEPT
##########
#root user
##########
/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -p tcp -m tcp --dport 25 -m owner --uid-owner root -j ACCEPT
/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -p tcp -m tcp --dport 9051 -m owner --uid-owner root -j ACCEPT
/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -p tcp -m tcp --syn --dport 8118 -m owner --uid-owner root -j ACCEPT
/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -p tcp -m tcp --syn --dport 9050 -m owner --uid-owner root -j ACCEPT
/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -p udp -m udp --dport 53 -m owner --uid-owner root -j ACCEPT
#############
#amnesia user
#############
/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -p tcp -m tcp --dport 25 -m owner --uid-owner amnesia -j ACCEPT
/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -p tcp -m tcp --syn --dport 8118 -m owner --uid-owner amnesia -j ACCEPT
/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -p tcp -m tcp --syn --dport 9050 -m owner --uid-owner amnesia -j ACCEPT
/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -p tcp -m tcp --syn --dport 9052 -m owner --uid-owner amnesia -j ACCEPT
/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -p tcp -m tcp --syn --dport 9150 -m owner --uid-owner amnesia -j ACCEPT
/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -p tcp -m tcp --dport 9151 -m owner --uid-owner amnesia -j ACCEPT
/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -p udp -m udp --dport 53 -m owner --uid-owner amnesia -j ACCEPT
##############
#clearnet user
##############
/sbin/iptables -A OUTPUT ! -o lo -p tcp -m owner --uid-owner clearnet -j ACCEPT
/sbin/iptables -A OUTPUT ! -o lo -p udp -m owner --uid-owner clearnet -j ACCEPT
/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -p tcp -m tcp --syn --dport 9150 -m owner --uid-owner clearnet -j ACCEPT
/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -p tcp -m tcp --dport 9151 -m owner --uid-owner clearnet -j ACCEPT
/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -p udp -m udp --dport 53 -m owner --uid-owner clearnet -j ACCEPT
######################
#OUTPUT LOG and REJECT
######################
#/sbin/iptables -A OUTPUT -j LOG --log-prefix "Dropped outbound packet: " --log-level 7 --log-uid
/sbin/iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
############
#INPUT chain
############
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
##########################################################
#Allow ssh connections to this computer from 10.10.10.0/24
##########################################################
/sbin/iptables -A INPUT -s 10.10.10.0/255.255.255.0 -p tcp -m state --state NEW --dport 22 -j ACCEPT
################################################################
#allow gateway access for eth1 and drop silently everything else
################################################################
/sbin/iptables -A INPUT -i eth1 -d 10.20.20.4/255.255.255.255 -p udp -m udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -d 10.20.20.4/255.255.255.255 -p tcp -m tcp --syn --dport 9040 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -j DROP
#####################
#INPUT LOG and REJECT
#####################
#/sbin/iptables -A INPUT -j LOG --log-prefix "Dropped inbound packet: " --log-level 7 --log-uid
/sbin/iptables -A INPUT -j REJECT
#######################
#FORWARD LOG and REJECT
#######################
#/sbin/iptables -A FORWARD -j LOG --log-prefix "Dropped forward packet: " --log-level 7 --log-uid
/sbin/iptables -A FORWARD -j REJECT --reject-with icmp-port-unreachable
##########
#NAT RULES
##########
/sbin/iptables -t nat -A OUTPUT -o lo -j RETURN
##############################################
#Redirect VirtualAddrNetwork for local machine
##############################################
/sbin/iptables -t nat -A OUTPUT -p tcp --syn -d 10.192.0.0/10 -j REDIRECT --to-ports 9040
#############################
#Don't mess with lan networks
#############################
/sbin/iptables -t nat -A OUTPUT -d 127.0.0.0/8 -j RETURN
/sbin/iptables -t nat -A OUTPUT -d 10.0.0.0/8 -j RETURN
/sbin/iptables -t nat -A OUTPUT -d 172.16.0.0/12 -j RETURN
/sbin/iptables -t nat -A OUTPUT -d 192.168.0.0/16 -j RETURN
#######################################
#Don't mess with debian-tor or clearnet
#######################################
/sbin/iptables -t nat -A OUTPUT -m owner --uid-owner debian-tor -j RETURN
/sbin/iptables -t nat -A OUTPUT -m owner --uid-owner clearnet -j RETURN
###########################################
#Redirect dns and tcp for local machine
###########################################
/sbin/iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
/sbin/iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
#/sbin/iptables -t nat -A OUTPUT -j LOG --log-prefix "Nat output fall: " --log-level 7 --log-uid
##############################################
#Redirect VirtualAddrNetwork for eth1 machines
##############################################
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --syn -d 10.192.0.0/10 -j REDIRECT --to-ports 9040
#####################################
#Don't mess with eth1 lan connections
#####################################
/sbin/iptables -t nat -A PREROUTING -i eth1 -d 127.0.0.0/8 -j RETURN
/sbin/iptables -t nat -A PREROUTING -i eth1 -d 10.0.0.0/8 -j RETURN
/sbin/iptables -t nat -A PREROUTING -i eth1 -d 172.16.0.0/12 -j RETURN
/sbin/iptables -t nat -A PREROUTING -i eth1 -d 192.168.0.0/16 -j RETURN
#/sbin/iptables -t nat -A PREROUTING -j LOG --log-prefix "Nat prerouting Done: " --log-level 7 --log-uid
#######################################
#Redirect dns and tcp for eth1 machines
#######################################
/sbin/iptables -t nat -A PREROUTING -i eth1 -p udp --dport 53 -j REDIRECT --to-ports 53
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --syn -j REDIRECT --to-ports 9040
#/sbin/iptables -t nat -A PREROUTING -j LOG --log-prefix "Nat prerouting fall: " --log-level 7 --log-uid
#####
#IPv6
#####
########################################################
# Flush previous rules, delete chains and reset counters
########################################################
/sbin/ip6tables -F
/sbin/ip6tables -X
/sbin/ip6tables -Z
##########################
# Default policies *filter
##########################
/sbin/ip6tables -P INPUT DROP
/sbin/ip6tables -P OUTPUT DROP
/sbin/ip6tables -P FORWARD DROP
############
#INPUT chain
############
/sbin/ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#############
#OUTPUT chain
#############
/sbin/ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#/sbin/ip6tables -A OUTPUT -j LOG --log-prefix "Dropped outbound packet: " --log-level 7 --log-uid
/sbin/ip6tables -A OUTPUT -j REJECT --reject-with icmp6-port-unreachable
make the scripts executable with chmod
chmod +x *.sh
*** Install required packages ***
Next let's install a bunch of packages that we'll need
apt-get install vidalia tor tor-geoipdb torsocks tor-arm privoxy
Some other packages of interest:
apt-get install vim screen curl socat netcat hping3 tshark htop dsniff macchanger
*** Setting up privoxy ***
Edit /etc/privoxy/config
change listen-address localhost:8118 to
listen-address 127.0.0.1:8118
also uncomment the line
forward-socks5 / 127.0.0.1:9050 .
*** Setting up TOR ***
Add the following lines to your /etc/tor/torrc file
*Note the IP of the hidden service!
VirtualAddrNetwork 10.192.0.0/10
#VirtualAddrNetworkIPv4 10.192.0.0/10
TransPort 127.0.0.1:9040
TransPort 10.20.20.4:9040
AutomapHostsOnResolve 1
AvoidDiskWrites 1
ControlListenAddress 127.0.0.1
ControlPort 9051
DNSPort 127.0.0.1:53
DNSPort 10.20.20.4:53
SocksPort 127.0.0.1:9050 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9052
#SocksPort 10.20.20.4:9053 IsolateDestAddr IsolateDestPort
#SocksPort 10.20.20.4:9054 IsolateDestAddr
#SocksPort 10.20.20.4:9055 IsolateDestPort
#SocksPort 10.20.20.4:9056
WarnUnsafeSocks 0
#HiddenServiceDir /var/lib/tor/local_http_hidden_service/
#HiddenServicePort 80 127.0.0.1:80
#HiddenServiceDir /var/lib/tor/local_webmin_hidden_service/
#HiddenServicePort 10000 127.0.0.1:10000
#HiddenServicePort 22 127.0.0.1:22
HiddenServiceDir /var/lib/tor/http_hidden_service/
HiddenServicePort 80 10.20.20.10:80
HiddenServiceDir /var/lib/tor/ssh_hidden_service/
HiddenServicePort 22 10.20.20.10:22
*** Setting up HTTP_PROXY (OPTIONAL)***
Add the following lines to the end of
/root/.bashrc
and
/home/amnesia/.bashrc
export http_proxy=http://127.0.0.1:8118
export HTTPS_PROXY=http://127.0.0.1:8118
export https_proxy=http://127.0.0.1:8118
export HTTP_PROXY=http://127.0.0.1:8118
*** Setup Iceweasel for user amnesia ***
Open Iceweasel as user amnesia and install the following addons
Disconnect
Https-Everywhere (from https://www.eff.org/https-everywhere)
NoScript
Adblock Edge
If you find standalone Torbutton plugin let me know :)
*OPTIONAL*
Next go to Edit->Preferences->Advanced->Network->Settings
and Enter 127.0.0.1 9052 in the Socks host field.
*** Reboot and pray ***
Everything should work after the reboot :)
You can use TBB 3.5 with the amnesia user or the clearnet user. Don't worry it won't conflict with the daemon tor. TBB 3.5 uses ports 9150 and 9151
cat /var/lib/tor/http_hidden_service/hostname to get the hidden service address and try it out :)
*** Gateway & Clients time sync ***
This is how to sync your clock using the Tails approach.
https://tails.boum.org/contribute/design/Time_syncing/
First install some required perl packages
apt-get install libdatetime-perl libdatetime-format-dateparse-perl libgetopt-long-descriptive-perl
Download htpdate from Tails website https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/usr/local/sbin/htpdate
create a small script called run-htpdate.sh to run htpdate
HTP_POOL_PAL="boum.org,chavez.indymedia.org,db.debian.org,epic.org,mail.riseup.net,sarava.org,squat.net,tachanka.org,www.1984.is,www.eff.org,www.immerda.ch,www.privacyinternational.org,www.torproject.org"
HTP_POOL_NEUTRAL="cve.mitre.org,en.wikipedia.org,lkml.org,thepiratebay.org,www.apache.org,www.centos.org,www.democracynow.org,www.duckduckgo.com,www.gnu.org,www.kernel.org,www.mozilla.org,www.stackexchange.com,www.startpage.com,www.xkcd.com"
HTP_POOL_FOE="encrypted.google.com,github.com,login.live.com,login.yahoo.com,secure.flickr.com,tumblr.com,twitter.com,www.adobe.com,www.gandi.net,www.myspace.com,www.paypal.com,www.rsa.com,www.sony.com"
HTTP_USER_AGENT="Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
date
./htpdate --debug \
--log_file "HTP_LOG.txt" \
--user_agent "$HTTP_USER_AGENT" \
--allowed_per_pool_failure_ratio 0.34 \
--user root \
--done_file "HTP_DONE.txt" \
--success_file "HTP_SUCCESS.txt" \
--pal_pool "$HTP_POOL_PAL" \
--neutral_pool "$HTP_POOL_NEUTRAL" \
--foe_pool "$HTP_POOL_FOE"
# --proxy 127.0.0.1:9062
date
make htpdate and run-htpdate.sh executable with chmod +x then run run-htpdate.sh.
You can add run-htpdate.sh to your crontab
More information about the tor-talk
mailing list