[tor-relays] TransPort: Convert iptables to pf

diffusae punasipuli at t-online.de
Mon Dec 26 15:23:12 UTC 2016


Hi!

Thanks for your reply.

On 26.12.2016 15:32, Corl3ss wrote:
> 
> diffusae:
>> Hello!
>>
> 
> Hi Diffusae
> 
> 
>> Does anybody know how to convert this to pf rules in FreeBSD:
>>
>> iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040
>>
>> I'm running a Tor client in a jail on a different IP and want to route
>> only the .onion traffic through.
>>
>> The DNS stuff is working fine, but I can't find a solution for the above
>> iptables rule, which is working. I'd like to transparently do DNS and routing
>> for .onion traffic on the network.
>>
>> I looked into the wiki and also found some pf rules, which are routing
>> all the traffic through Tor, but this only works locally.
>>
>> The machine is on FreeBSD 11.0-STABLE. Tor is running in a jail with
>> cloned loopback interface (lo1) and has also a private IP address on the
>> main NIC.
>>
> 
> 
> I am running a Tor node in a Freebsd jail with the following pf rules :
> 
> scrub in all
> nat pass on $ext_if from $NET_JAIL to any -> $IP_PUB
> rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_TOR_JAIL -> $IP_JAIL_TOR port $PORT_TOR_JAIL

That looks good.

There is no "pass out quick" or "pass out on" statement?

> It passes the exit traffic to the public IP. The incoming traffic is
> passed to the different jail IPs according to the port.

Is the outgoing traffic routed, too?

> Be careful with the cloned interface and the /etc/hosts configurations
> for your BSD and jails. Misconfiguration also often leads to network
> problems.

Yes, that's it. I've tested the known rules for Transparent Proxy on a
FreeBSD11 (amd64) VM.

https://github.com/lattera/transtor/blob/master/pf.conf

It was no problem to configure it with a cloned interface. It works on
the fly, but there was no jail.

I've tried the same configuration with FreeBSD11 for armv6 (RPI-B), with
and without a jail, and it only works locally and also dropped all other
network connections. I am not sure if something is missing in the RPI
ISO image snapshots, but the main problem should be the cloned interface.
It was hard to discover, but in the end I had a "connection timeout".

Do you use any "special" configuration inside the jail?
Like "defaultrouter=" or "gateway_enable=" on the host, etc?
Only because of the NAT rule.

So, thanks again

Best regards,
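For reference, an added pf.conf fragment (my own example, not from the wiki or from either poster) that does for LAN clients what the iptables REDIRECT rule above does: it sends TCP traffic for Tor's virtual .onion range (10.192.0.0/10) to TransPort 9040 in the Tor jail. The interface names, the LAN prefix, the jail IP and the 5353 DNSPort are placeholders and assumptions; the 9040 TransPort and the 10.192.0.0/10 range come from the thread.

```pf
# Added example for FreeBSD 11 pf (not from the thread). Placeholders:
#   $int_if / $ext_if   LAN-facing and public-facing interfaces (assumed names)
#   $lan                the LAN prefix whose .onion traffic should go via Tor
#   $ip_jail_tor        the Tor jail's private IP on the main NIC (assumed)
#   $dns_port           Tor's DNSPort (assumed 5353); $trans_port is 9040 (from the thread)
int_if      = "em0"
ext_if      = "em1"
lan         = "192.168.1.0/24"
ip_jail_tor = "10.0.0.2"
onion_net   = "10.192.0.0/10"       # Tor's VirtualAddrNetworkIPv4 default
trans_port  = "9040"
dns_port    = "5353"

# Translation rules (scrub/nat/rdr) must come before filter rules in this pf version.
scrub in all

# Equivalent of the iptables OUTPUT/REDIRECT rule for packets arriving from the LAN:
# TCP to the virtual .onion range is rewritten to the jail's TransPort. "rdr pass"
# also passes the redirected packets, so no separate filter rule is needed.
rdr pass on $int_if inet proto tcp from $lan to $onion_net -> $ip_jail_tor port $trans_port

# LAN DNS goes to Tor's DNSPort so that .onion names resolve to $onion_net.
rdr pass on $int_if inet proto udp from $lan to any port domain -> $ip_jail_tor port $dns_port

# All other LAN traffic leaves via the public address as usual.
nat pass on $ext_if from $lan to any -> ($ext_if)

# Caveat: pf "rdr" only matches packets entering an interface, unlike the iptables
# nat OUTPUT chain, so this does not catch traffic generated on the host itself;
# that is why a gateway-style ruleset works "on the network" but not "locally".
pass in on $int_if from $lan to any
pass out on $ext_if keep state
```

The host must forward packets for this to apply to LAN clients (gateway_enable="YES" in /etc/rc.conf), and the Tor jail needs TransPort/DNSPort bound to $ip_jail_tor with VirtualAddrNetworkIPv4 and AutomapHostsOnResolve set.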

