[tor-bugs] #5741 [Tor bundles/installation]: TBB proxy bypass: Some DNS requests not going through Tor
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Fri May 4 18:00:57 UTC 2012
#5741: TBB proxy bypass: Some DNS requests not going through Tor
-----------------------------------------+----------------------------------
Reporter: cypherpunks | Owner: erinn
Type: defect | Status: closed
Priority: blocker | Milestone:
Component: Tor bundles/installation | Version:
Resolution: fixed | Keywords: MikePerry201205
Parent: | Points: 3
Actualpoints: 3 |
-----------------------------------------+----------------------------------
Comment(by unknown):
Replying to [comment:21 mikeperry]:
> For people who use layered defenses: Please add iptables rules/AppArmor
rules/whatever rules that LOG violations so we can learn about them.
I check following corrected steps:
=== Prevent and LOG any potential DNS-leakage with iptables (Debian
GNU/Linux way) ===
Edit /etc/login.defs, replace "ENCRYPT_METHOD DES" to "ENCRYPT_METHOD
SHA-512"
#default DES is equivalent to 8-symbols passwords for groups and insecure
Run command for create system tbb-group with password and without shell:
`addgroup --system tbb-tor`
Check that you use rsyslog and not a syslog daemon:
`dpkg -L rsyslog`
or install it:
`apt-get install rsyslog`
Create a file /etc/rsyslog.d/iptables.conf with the following contents:
{{{
:msg, contains, "iptables" -/var/log/iptables.log
& ~
}}}
Create a file /etc/logrotate.d/iptables with the following contents:
{{{
/var/log/iptables.log{
daily
rotate 5
missingok
notifempty
delaycompress
compress
postrotate
invoke-rc.d rsyslog reload > /dev/null
endscript
}
}}}
Restart syslog:
`/etc/init.d/rsyslog restart`
Add this rules to your firewall script and restart it:
{{{
$IPTABLES -t nat -A OUTPUT -o lo -j RETURN
$IPTABLES -t nat -A OUTPUT -d 127.0.0.1 -j RETURN
#tor anonymous users;
DIRECT_OUT_GID="tbb-tor" #group id for TBB
TOR_UID="debian-tor" #system tor (if you use it)
# with options:
# AutoMapHostsOnResolve 1
# TransPort 9040
# DNSPort 53
ANONYMOUS_UID="toranonymoususer" #if you use anonymous transparent
torification to system tor
#anonymous user runs programs with transparent torification to system tor
#(if you use it):
$IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner $ANONYMOUS_UID !
--gid-owner $DIRECT_OUT_GID -m tcp --syn -j REDIRECT --to-ports 9040
$IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner $ANONYMOUS_UID !
--gid-owner $DIRECT_OUT_GID -m udp --dport 53 -j REDIRECT --to-ports 53
$IPTABLES -t nat -A OUTPUT -m owner --uid-owner $ANONYMOUS_UID ! --gid-
owner $DIRECT_OUT_GID -j LOG --log-prefix "iptables $ANONYMOUS_UID
redirect" #some potential leakages redirected to localhost and not going
away
$IPTABLES -t nat -A OUTPUT -m owner --uid-owner $ANONYMOUS_UID ! --gid-
owner $DIRECT_OUT_GID -j DNAT --to-destination 127.0.0.1
#Accept output for system-tor itself (if you use it)
$IPTABLES -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
#Direct output for TBB without udp and tcp 53 port
$IPTABLES -A OUTPUT -m owner --gid-owner $DIRECT_OUT_GID ! -p tcp -j LOG
--log-prefix "iptables tbb reject: "
$IPTABLES -A OUTPUT -m owner --gid-owner $DIRECT_OUT_GID ! -p tcp -j
REJECT
$IPTABLES -A OUTPUT -m owner --gid-owner $DIRECT_OUT_GID -p tcp --dport
53 -j LOG --log-prefix "iptables tbb reject: "
$IPTABLES -A OUTPUT -m owner --gid-owner $DIRECT_OUT_GID -p tcp --dport
53 -j REJECT
$IPTABLES -A OUTPUT -m owner --gid-owner $DIRECT_OUT_GID -j ACCEPT
}}}
Run tor-browser with sg from x-terminal emulator:
`sg tbb-tor -c start-tor-browser.sh`
Watch /var/log/iptables.log with your favorite parser.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5741#comment:22>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list