Hello!
Does anybody know how to convert this to pf rules in FreeBSD:
iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040
I'm running a Tor client in a jail on a different IP and want to route only the .onion traffic through it.
The DNS stuff is working fine, but I can't find a solution for the above iptables rule, which is working. I'd like to transparently do DNS and routing for .onion traffic on the network.
I looked into the wiki and also found some pf rules which route all the traffic through Tor, but this only works locally.
The machine is on FreeBSD 11.0-STABLE. Tor is running in a jail with cloned loopback interface (lo1) and has also a private IP address on the main NIC.
Maybe you have some hints.
Thanks a lot
Regards,
diffusae:
I looked into the wiki and also found some pf rules which route all the traffic through Tor, but this only works locally.
You're likely talking about this wiki: https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy#Anonymizi... I've tried these rules for Anonymizing Middlebox (though on modern OpenBSD) quite some time ago and it seemed to work fine. These should not only work locally - it's for the entire LAN. Are these the ones you tried?
-- Ivan Markin
Hi!
Thanks a lot for your reply.
On 21.12.2016 20:46, Ivan Markin wrote:
diffusae:
I looked into the wiki and also found some pf rules which route all the traffic through Tor, but this only works locally.
You're likely talking about this wiki: https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy#Anonymizi...
Yes I've tried something similar.
I've tried these rules for Anonymizing Middlebox (though on modern OpenBSD) quite some time ago and it seemed to work fine. These should not only work locally - it's for the entire LAN. Are these the ones you tried?
rdr pass on ue0 inet proto tcp from any to !($int_if) -> 127.0.0.1 port 9040
or
rdr pass on $int_if inet proto tcp to 10.192.0.0/10 -> 127.0.0.1 port $trans_port
I've tried it inside the jail as well as on the host, and I always get a "Connection refused". The packets are routed to the IP, but it looks like they are rejected. I don't know why. Normally it should work.
Otherwise, if I remove my iptables rule on the Linux host, then I get a "No route to host". Looks like routing to the internal IP isn't working, but I can see the packets on the FreeBSD host. Strange ...
It looks like I am doing something wrong.
Regards,
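As an added example (not from this thread and not from any of the posters), the following shows how the iptables REDIRECT rule from the original post maps onto FreeBSD 11 pf syntax when Tor runs in a jail with its own address. The interface name, the LAN range, the jail address and the ports are assumptions for illustration; the 10.192.0.0/10 range has to equal VirtualAddrNetworkIPv4 in torrc, and Tor's TransPort must be bound to the jail address. The rule for connections made on the host itself uses pf's documented "reflection via lo0" (route-to lo0) pattern, which is assumed to behave on FreeBSD 11 as it does on OpenBSD.

```pf
# Added example for /etc/pf.conf on the FreeBSD 11 host; not taken from the thread.
# Interface, addresses and ports are assumptions chosen for illustration.
ext_if     = "em0"             # NIC carrying the host address and the jail alias
lan_net    = "192.168.1.0/24"  # clients whose .onion traffic should go via Tor
tor_ip     = "192.168.1.250"   # the Tor jail's address (alias on $ext_if)
trans_port = "9040"            # Tor's TransPort, bound to $tor_ip inside the jail
onion_net  = "10.192.0.0/10"   # must match VirtualAddrNetworkIPv4 in torrc

scrub in all

# Do NOT "set skip on lo0": the host-local redirection below relies on pf
# seeing packets on the loopback interface.

# ---- translation rules (they must precede filter rules in FreeBSD 11's pf) ----

# Counterpart of the iptables rule for traffic arriving from the LAN. The
# iptables OUTPUT chain only covered packets generated on the Linux box itself;
# on pf the LAN case is handled where the packets enter, on $ext_if.
rdr pass on $ext_if inet proto tcp from $lan_net to $onion_net \
    -> $tor_ip port $trans_port

# Same redirection for connections opened on the host itself: the route-to
# rule further down bounces them through lo0, where this rdr applies.
rdr pass on lo0 inet proto tcp from ($ext_if) to $onion_net \
    -> $tor_ip port $trans_port

# ---- filter rules ----

# Push the host's own .onion-bound connections through lo0 so that the rdr
# above is evaluated; the jail's replies are matched by the rdr state.
pass out on $ext_if route-to lo0 inet proto tcp from ($ext_if) to $onion_net
```

The target of both rdr rules is the jail's address, not 127.0.0.1: a rdr to 127.0.0.1 on the host delivers the connection to the host's own loopback, where nothing listens on 9040 when Tor lives in the jail, which shows up as "Connection refused". On the Tor side the jail's torrc needs TransPort bound to that address (for example TransPort 192.168.1.250:9040 with the assumed address above) together with VirtualAddrNetworkIPv4 10.192.0.0/10 and AutomapHostsOnResolve 1. Check the rule set with pfctl -nf /etc/pf.conf before loading it, and inspect the loaded translations and states with pfctl -s nat and pfctl -s state. One further thing to verify in a jailed setup: with the default TransProxyType, Tor on a pf system looks up the original destination of a redirected connection through /dev/pf, so the jail's devfs ruleset has to expose that device to the jail, otherwise TransPort cannot work even though the packets arrive.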
See https://trac.torproject.org/projects/tor/ticket/21045 but perhaps there is some flag required.
diffusae:
Hello!
Hi Diffusae
Does anybody know how to convert this to pf rules in FreeBSD:
iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040
I'm running a Tor client in a jail on a different IP and want to route only the .onion traffic through it.
The DNS stuff is working fine, but I can't find a solution for the above iptables rule, which is working. I'd like to transparently do DNS and routing for .onion traffic on the network.
I looked into the wiki and also found some pf rules which route all the traffic through Tor, but this only works locally.
The machine is on FreeBSD 11.0-STABLE. Tor is running in a jail with cloned loopback interface (lo1) and has also a private IP address on the main NIC.
I am running a Tor node in a FreeBSD jail with the following pf rules:
scrub in all
nat pass on $ext_if from $NET_JAIL to any -> $IP_PUB
rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_TOR_JAIL -> $IP_JAIL_TOR port $PORT_TOR_JAIL
It passes the exit traffic to the public IP. The incoming traffic is passed to the different jail IPs according to the port.
Be careful with the cloned interface and the /etc/hosts configurations for your BSD and jails. Misconfiguration also often leads to network problems.
Maybe you have some hints.
Thanks a lot
Regards,
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Hi!
Thanks for your reply.
On 26.12.2016 15:32, Corl3ss wrote:
diffusae:
Hello!
Hi Diffusae
Does anybody know how to convert this to pf rules in FreeBSD:
iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040
I'm running a Tor client in a jail on a different IP and want to route only the .onion traffic through it.
The DNS stuff is working fine, but I can't find a solution for the above iptables rule, which is working. I'd like to transparently do DNS and routing for .onion traffic on the network.
I looked into the wiki and also found some pf rules which route all the traffic through Tor, but this only works locally.
The machine is on FreeBSD 11.0-STABLE. Tor is running in a jail with cloned loopback interface (lo1) and has also a private IP address on the main NIC.
I am running a Tor node in a FreeBSD jail with the following pf rules:
scrub in all
nat pass on $ext_if from $NET_JAIL to any -> $IP_PUB
rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_TOR_JAIL -> $IP_JAIL_TOR port $PORT_TOR_JAIL
That looks good.
There is no "pass out quick" or "pass out on" statement?
It passes the exit traffic to the public IP. The incoming traffic is passed to the different jail IPs according to the port.
Is the outgoing traffic routed, too?
Be careful with the cloned interface and the /etc/hosts configurations for your BSD and jails. Misconfiguration also often leads to network problems.
Yes, that's it. I've tested the known rules for Transparent Proxy on a FreeBSD11 (amd64) VM.
https://github.com/lattera/transtor/blob/master/pf.conf
It was no problem to configure it with a cloned interface. It works on the fly, but there was no jail.
I've tried the same configuration with FreeBSD11 for armv6 (RPI-B), with and without a jail, and it only works locally and also dropped all other network connections. I am not sure if something is missing in the RPi ISO image snapshots, but the main problem should be the cloned interface. It was hard to discover, but in the end I had a "connection timeout".
Do you use any "special" configuration inside the jail? Like "defaultrouter=" or "gateway_enable=" on the host, etc? Only because of the NAT rule.
So, thanks again
Best regards,
diffusae:
I am running a Tor node in a Freebsd jail with the following pf rules :
scrub in all
nat pass on $ext_if from $NET_JAIL to any -> $IP_PUB
rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_TOR_JAIL -> $IP_JAIL_TOR port $PORT_TOR_JAIL
That looks good.
There is no "pass out quick" or "pass out on" statement?
Sure, there is.
pass out on $ext_if proto { tcp udp icmp } all modulate state
Be sure to flush and reload the rules before testing, but you certainly did.
It passes the exit traffic to the public IP. The incoming traffic is passed to the different jail IPs according to the port.
Is the outgoing traffic routed, too?
Be careful with the cloned interface and the /etc/hosts configurations for your BSD and jails. Misconfiguration also often leads to network problems.
Yes, that's it. I've tested the known rules for Transparent Proxy on a FreeBSD11 (amd64) VM.
https://github.com/lattera/transtor/blob/master/pf.conf
It was no problem to configure it with a cloned interface. It works on the fly, but there was no jail.
I've tried the same configuration with FreeBSD11 for armv6 (RPI-B), with and without a jail, and it only works locally and also dropped all other network connections. I am not sure if something is missing in the RPi ISO image snapshots,
Would be surprising as not much is needed to make it work.
but the main problem should be cloned interface.
It was hard to discover, but on the end, I have had a "connection timeout". Do you use any "special" configuration inside the jail?
Nothing more than an operational resolv.conf and an adapted /etc/hosts
Like "defaultrouter=" or "gateway_enable=" on the host, etc?
Yes both are configured/activated in /etc/rc.conf (like pf and pflog)
Hi!
On 26.12.2016 18:17, Corl3ss wrote:
diffusae:
I've tried the same configuration with FreeBSD11 for armv6 (RPI-B), with and without a jail, and it only works locally and also dropped all other network connections. I am not sure if something is missing in the RPi ISO image snapshots,
Would be surprising as not much is needed to make it work.
Yes, indeed. It was also a lot of work to get a jail running on the RPi. If you try a "build world" on the RPi itself, it takes more than three days. ;-) But now it looks like there is a module or a kernel configuration missing. Maybe there is something with the USB network driver. I don't know. With this "normally" working rule for transparent proxy, all connections from the LAN are immediately closed. So, there is a bit of investigation needed.
Do you use any "special" configuration inside the jail?
Nothing more than an operational resolv.conf and an adapted /etc/hosts
Like "defaultrouter=" or "gateway_enable=" on the host, etc?
Yes both are configured/activated in /etc/rc.conf (like pf and pflog)
That's the same as I've configured.
Regards,
On Wed, Dec 28, 2016 at 11:07 AM, diffusae punasipuli@t-online.de wrote:
If you try a "build world" on the RPi itself, it takes more than three days. ;-)
The need to buildworld is rare and usually noted in UPDATING and kernel config files. make buildkernel will be much faster, and even faster if you strip out junk you don't need from the kernel config, which also speeds booting and saves RAM.
Latest snapshots are here if they help avoid a build... https://docs.freebsd.org/mail/archive/2016/freebsd-snapshots/20161225.freebs... ftp://ftp.freebsd.org/pub/FreeBSD/snapshots/
Hi!
Thanks a lot for your hint.
On 28.12.2016 19:52, grarpamp wrote:
The need to buildworld is rare and usually noted in UPDATING and kernel config files. make buildkernel will be much faster, and even faster if you strip out junk you don't need from the kernel config, which also speeds booting and saves RAM.
I needed the buildworld to create a jail with ezjail. I only tested this once on the RPi. It's better to use cross-compiling.
Building a custom kernel isn't only faster, it also saves energy. On a Linux box I can power a RPI-B with around 400 mA. With the snapshot kernel it definitely needs more. If I strip out all unneeded components from the kernel config, it should use the same amperage.
Latest snapshots are here if they help avoid a build... https://docs.freebsd.org/mail/archive/2016/freebsd-snapshots/20161225.freebs... ftp://ftp.freebsd.org/pub/FreeBSD/snapshots/
Thanks, I always use the latest snapshots for the RPi.
Regards,
On Wed, Dec 28, 2016 at 5:07 PM, diffusae punasipuli@t-online.de wrote:
I needed the buildworld to create a jail with ezjail.
If you break some of these down, all they do is lay down an installworld in DESTDIR and run jail on it. Too heavy for some, who tar up / and /usr and lay them down instead. Or bsdinstall into the same dir.
It's better to use cross-compiling.
For sure.
Building a custom kernel isn't only faster, it also saves energy. On a Linux box I can power a RPI-B with around 400 mA. With the snapshot kernel it definitely needs more. If I strip out all unneeded components from the kernel config, it should use the same amperage.
If you're tracking power like this, you could post your 'same use case' power comparisons to the freebsd-arm list, people there would likely be interested.
Killing off all but init ttys sshd tor dns ntp would help too.
Hi!
On 29.12.2016 00:16, grarpamp wrote:
On Wed, Dec 28, 2016 at 5:07 PM, diffusae punasipuli@t-online.de wrote:
I needed the buildworld to create a jail with ezjail.
If you break some of these down, all they do is lay down an installworld in DESTDIR and run jail on it. Too heavy for some, who tar up / and /usr and lay them down instead. Or bsdinstall into the same dir.
Yes, that is what I am doing now.
It's better to use cross-compiling.
For sure.
Building a custom kernel isn't only faster, it also saves energy. On a Linux box I can power a RPI-B with around 400 mA. With the snapshot kernel it definitely needs more. If I strip out all unneeded components from the kernel config, it should use the same amperage.
If you're tracking power like this, you could post your 'same use case' power comparisons to the freebsd-arm list, people there would likely be interested.
Yes, I will do. I don't track the power. I had a USB power meter some time ago and used it with a Li battery. So far, I know the power from the battery. But I could do so, if it is interesting.
Killing off all but init ttys sshd tor dns ntp would help too.
Yes, that could help. But the main problem is that you cannot completely disable all unneeded devices (like gpio, hdmi, spi) with the CONFIG.TXT in FreeBSD like it works in Linux. But yes, I can compare the "same use case" for a RPi on FreeBSD and Linux.
Regards,