[tor-relays] Tor bridges on borrowed ports

kzhm at mailtor.net kzhm at mailtor.net
Sat May 3 16:55:24 UTC 2014


Thank you, Aaron.

> You can do source+destination NAT (aka "hairpinning") using only the
> iptables command, which is often installed already on most Linux boxes.
> This is the equivalent of having a port-forwarding TCP proxy.
>
> Assuming your external-facing interface is eth0, and you want to forward your
> local TCP port 5432 to the remote IP 2.3.4.5 on port 6789, this would be:
>
>    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5432 -j DNAT --to-destination 2.3.4.5:6789
>
>    iptables -t nat -A POSTROUTING -d 2.3.4.5 -o eth0 -j MASQUERADE

This looks great. Especially since I can do this on a router for a whole
subnet.

This would change the src IP, too, so the donating host would appear to be
the bridge user. I don't think there's a proper way around that, so maybe we
could just ignore that? Would be nice if somebody who's responsible for the
stats could comment on this.

Truly yours,
Alice
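A small POSIX sh helper, added here as an example and not part of either mail, that emits the DNAT/MASQUERADE rule pair from Aaron's reply for a given interface, borrowed port and remote bridge. It prints the commands instead of running them so they can be reviewed before being piped into `sudo sh`; the interface, ports and address are constructed placeholders. Compared with the quoted rules it narrows MASQUERADE to the forwarded flow only, enables ip_forward, and adds explicit FORWARD accepts for hosts whose FORWARD policy is DROP; the MASQUERADE line is still what rewrites the source address Alice mentions.

```shell
#!/bin/sh
# Print the iptables commands that forward a borrowed local TCP port to a
# remote bridge (DNAT in, MASQUERADE out). Nothing here runs iptables itself.

# Accept only a plain TCP port number in 1-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Accept only a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in .*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# hairpin_rules IFACE LOCAL_PORT REMOTE_IP REMOTE_PORT
# POSTROUTING sees the post-DNAT destination, so the MASQUERADE rule can match
# the bridge address and port rather than all traffic to that host.
hairpin_rules() {
    iface=$1 lport=$2 rip=$3 rport=$4
    case "$iface" in ''|*[!a-zA-Z0-9._-]*) return 1 ;; esac
    valid_port "$lport" && valid_port "$rport" && valid_ipv4 "$rip" || return 1
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $iface -p tcp --dport $lport -j DNAT --to-destination $rip:$rport
iptables -t nat -A POSTROUTING -o $iface -d $rip -p tcp --dport $rport -j MASQUERADE
iptables -A FORWARD -i $iface -o $iface -d $rip -p tcp --dport $rport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $iface -o $iface -s $rip -p tcp --sport $rport -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}
```

Review the output of `hairpin_rules eth0 5432 2.3.4.5 6789` (placeholder values) and then pipe it into `sudo sh` on the donating host or router.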
