Hello,
assuming I have a friend, Bob. He has two IP addresses and wants to contribute to the Tor network. He doesn't want to operate an exit, relay or bridge himself, though. I offer to operate the bridges on my hardware for him, and he magically forwards the required ports from his machines' IPs to my machine, so I do the relaying part of the bridging game. Bridge users benefit from the additional IP addresses that have to be blacklisted.
I'm looking for a way to implement this.
I could only think of
*) inetd + nc
*) dark iptables nat magic
*) some sort of ip-over-ip tunnels
which would all be kind of hacky, require installation of additional software and would probably have side effects on Tor's bridge stats.
Can I announce an address that isn't directly mine? Can I use my address for outbound traffic to the next relay or do I need to use the "bridge address" for that?
Is there a flaw in there? Is somebody already doing that? I'm putting this up for discussion.
If I can get this working for Bob I could probably get access to some subnets from Charlie and Dave.
Waiting for input.
Truly yours, Alice.
On Fri, 2 May 2014, kzhm@mailtor.net wrote:
> *) dark iptables nat magic
You can do source+destination NAT (aka "hairpinning") using only the iptables command, which is often installed already on most Linux boxes. This is the equivalent of having a port-forwarding TCP proxy.
Assuming your external-facing interface is eth0 and you want to forward your local TCP port 5432 to the remote IP 2.3.4.5 on port 6789, this would be:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5432 -j DNAT --to-destination 2.3.4.5:6789
iptables -t nat -A POSTROUTING -d 2.3.4.5 -o eth0 -j MASQUERADE
You also need to enable IP forwarding, which can be done in a distribution specific way, or directly with:
sysctl net.ipv4.ip_forward=1
> Can I announce an address that isn't directly mine? Can I use my address for outbound traffic to the next relay or do I need to use the "bridge address" for that?
I don't know about the announcements, though.
-- Aaron
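An added example, not from the thread or from any of its participants: a small POSIX sh script that generates the DNAT/MASQUERADE pair Aaron described for a bridge ORPort plus any extra ports (such as the two transport ports mentioned later in the thread), validating the inputs first. It goes beyond the single-port case by accepting several local:remote pairs; eth0, 2.3.4.5 and all port numbers are placeholders.

```shell
#!/bin/sh
# Added example: build hairpin NAT rules for forwarding ports from a
# donating host to the machine that actually runs the bridge.
# Nothing here touches the system; the output is meant to be reviewed
# and then applied as root on the forwarding host.

# Validate a TCP port number: digits only, 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the two iptables rules for one forwarded port.
# Args: external interface, local port, bridge IP, bridge port.
hairpin_rules() {
    iface=$1 lport=$2 rip=$3 rport=$4
    valid_port "$lport" && valid_port "$rport" || return 1
    # Rewrite the destination of incoming connections to the bridge host.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$iface" "$lport" "$rip" "$rport"
    # MASQUERADE rewrites the source address, so the bridge sees the
    # forwarding host and not the real client (the stats caveat raised
    # in the thread). Narrowed to the forwarded port, unlike the
    # broader rule quoted above, so unrelated traffic is not masqueraded.
    printf 'iptables -t nat -A POSTROUTING -d %s -p tcp --dport %s -o %s -j MASQUERADE\n' \
        "$rip" "$rport" "$iface"
}

# Emit the full rule set: IP forwarding plus one DNAT/MASQUERADE pair per
# "localport:remoteport" argument. Fails on any malformed pair.
# Args: iface, bridge IP, then one or more local:remote pairs.
forward_set() {
    iface=$1 rip=$2; shift 2
    echo "sysctl -w net.ipv4.ip_forward=1"
    for pair in "$@"; do
        case "$pair" in
            *:*) ;;
            *) return 1 ;;
        esac
        hairpin_rules "$iface" "${pair%%:*}" "$rip" "${pair##*:}" || return 1
    done
}
```

To apply on the forwarding host, pipe the reviewed output into a root shell, for example `forward_set eth0 2.3.4.5 443:9001 | sh` (placeholder addresses and ports).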
Thank you, Aaron.
> You can do source+destination NAT (aka "hairpinning") using only the iptables command, which is often installed already on most Linux boxes. This is the equivalent of having a port-forwarding TCP proxy.
> Assuming your external-facing interface is eth0, you want to forward your local TCP port 5432 to the remote IP 2.3.4.5 on port 6789, this would be:
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5432 -j DNAT --to-destination 2.3.4.5:6789
> iptables -t nat -A POSTROUTING -d 2.3.4.5 -o eth0 -j MASQUERADE
This looks great. Especially since I can do this on a router for a whole subnet.
This would change the source IP, too, so the donating host would appear to be the bridge user. I don't think there's a proper way around that, so maybe we could just ignore that? It would be nice if somebody who's responsible for the stats could comment on this.
Truly yours, Alice
Bob bailed. He agreed while being drunk and, in retrospect, he doubts it's a good idea to forward ports from his employer's servers to me to do Tor things.
I still think it'd be fun to set this up, so I'm opening my offer to this list.
If you have some IPs that aren't yet associated with Tor, I would host the bridges for you and you'd have to forward the ports to me. I'll take care of the rest. Your IPs won't be listed publicly, since they're bridges.
Things I need to know:
- the address(es) you want to donate
- the ORPort you want to forward to me (can be any port that isn't in use yet)
- if you're ok with forwarding two more (randomly picked) ports to me, so I'd host obfsproxy[1] transports on them, to further circumvent censorship.
[1]: https://www.torproject.org/projects/obfsproxy.html.en
I doubt somebody would forward ports to a random stranger, so I don't expect that many responses. Anyway, feel free to contact me.
Also, if you want to set up a bridge or relay on your own, you can ask me to assist via email or jabber/xmpp.
Truly yours, Alice
tor-relays@lists.torproject.org