Anonymous/Nonymous Communication Coexisting?

maillist maillist at piirakka.com
Wed Jun 8 16:35:45 UTC 2005


----- Original Message -----
From: "Marcel" <u-281 at gmx.net>
To: <or-talk at freehaven.net>
Sent: Wednesday, June 08, 2005 6:38 PM
Subject: Re: Anonymous/Nonymous Communication Coexisting?


>* maillist (maillist at piirakka.com) wrote:
>> Hi
>> I'm running Tor on my router (Debian Sid) that transparently proxies
>> connections through Tor. This way you don't need to configure any clients.
>>
>> for HTTP traffic:
>> client - iptables (identification by ports and L7) - squid - privoxy - tor - server
>>
>> and for everything else:
>> client - iptables - transocks - tor - server
>>
>> I'm controlling with iptables what gets proxied and what not; everything
>> else is proxied through Tor except VPN connections and connections to a
>> couple of trusted servers. UDP, ICMP and other protocols except TCP are
>> dropped at the router. This way connections by software and games that
>> "call home" are also proxied through Tor.
>>
>> Markus
>
> I'd be very happy to see an example of those iptables rules, Markus. Sounds
> pretty clever to me as a configuration.
>

I ran into some problems with L7, so here are the rules without L7 classification
(very simple, not scalable at all, written only for my environment):


#!/bin/sh
# Transparent Tor proxying on the router, without L7 classification.
#
# 192.168.10.1      = router
# 192.168.10.10     = workstation to proxy
# 192.168.10.1:3128 = Squid (HTTP -> Privoxy -> Tor)
# 192.168.10.1:1211 = transocks (all other TCP -> Tor)

INCLUDE="192.168.10.10"
EXCLUDE="192.168.0.0/16 127.0.0.1 10.12.77.0/24"

# Exceptions: destinations that bypass Tor (LAN, loopback, VPN net).
# RETURN in nat/PREROUTING means "no redirection"; the matching ACCEPT in
# filter/FORWARD lets the same traffic past the drop rule further down.
for exception in ${EXCLUDE} ; do
        iptables -t nat -A PREROUTING -d ${exception} -j RETURN
        iptables -A FORWARD -d ${exception} -j ACCEPT
done

# Avoid feedback loops. The owner match only works for locally generated
# packets (nat/OUTPUT), never in PREROUTING, and --cmd-owner has since been
# removed from the kernel; --uid-owner is the portable form (this assumes
# transocks runs as a dedicated user of that name).
#iptables -t nat -A OUTPUT -m owner --uid-owner transocks -j RETURN

for host in ${INCLUDE} ; do
        # Optional: log each new TCP connection before it is redirected.
        #iptables -t nat -A PREROUTING -s ${host} -p tcp -j LOG --log-level info --log-prefix "SOCKSify "

        # HTTP not addressed to the router itself -> Squid
        # (current iptables writes the negation before the option: "! -d")
        iptables -t nat -A PREROUTING -s ${host} ! -d 192.168.10.1 -p tcp --dport 80 \
                -j REDIRECT --to-port 3128
        # Equivalent DNAT form of the rule above:
        #iptables -t nat -A PREROUTING -s ${host} -p tcp --dport 80 -j DNAT --to 192.168.10.1:3128

        # Redirected packets are delivered locally (INPUT) and never traverse
        # POSTROUTING, so this SNAT rule never matches anything; kept as a note.
        #iptables -t nat -A POSTROUTING -s ${host} -d 192.168.10.1 -j SNAT --to-source 192.168.10.1

        # All other TCP -> transocks
        iptables -t nat -A PREROUTING -s ${host} -p tcp -j REDIRECT --to-port 1211

        # Everything else from this host (UDP, ICMP, ...) is dropped. Redirected
        # TCP never reaches FORWARD and the EXCLUDE nets were accepted above, so
        # only non-TCP traffic to non-excluded destinations gets here. Filtering
        # belongs in the filter table: the nat table is consulted only for the
        # first packet of a connection and is not meant for DROP.
        iptables -A FORWARD -s ${host} -j DROP
done

# Socksify traffic leaving the router itself. A rule cannot jump to a
# built-in chain such as PREROUTING; the same redirect goes in nat/OUTPUT
# (with the owner-match exception above placed before it, or it loops):
#iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-port 1211


Markus
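A rule set like this is first-match: the exceptions have to come before the catch-all redirect, and the drop for non-TCP has to come after everything that should survive. To make that ordering visible without a router, here is an added example (not code from Markus's post) that parses the subset of iptables syntax the script uses (-s, -d/--dst, "! -d", -p, --dport, -j, --to-port) and walks constructed packets through nat/PREROUTING and then filter/FORWARD, the way the router would. The addresses are the ones from the script; the sample packets and the 198.51.100.x hosts are constructed for the demo, and the drop is modelled in filter/FORWARD, where filtering belongs, rather than in the nat table.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    target: str = "ACCEPT"
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dst_negate: bool = False      # set by "! -d"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not None:
            in_dst = ipaddress.ip_address(pkt.dst) in self.dst
            if in_dst == self.dst_negate:   # "-d" needs a hit, "! -d" needs a miss
                return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


OPTS_WITH_ARG = {"-t", "-A", "-s", "--src", "-d", "--dst", "-p", "--dport", "-j", "--to-port"}


def parse_rule(cmdline: str) -> Rule:
    """Turn one 'iptables ...' command line into a Rule (only the options the script uses)."""
    toks = shlex.split(cmdline)
    rule, negate, i = Rule(), False, 0
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        if tok not in OPTS_WITH_ARG:        # bare token such as "iptables"
            i += 1
            continue
        arg = toks[i + 1]
        if tok in ("-s", "--src"):
            rule.src = ipaddress.ip_network(arg, strict=False)
        elif tok in ("-d", "--dst"):
            rule.dst, rule.dst_negate, negate = ipaddress.ip_network(arg, strict=False), negate, False
        elif tok == "-p":
            rule.proto = arg
        elif tok == "--dport":
            rule.dport = int(arg)
        elif tok == "-j":
            rule.target = arg
        elif tok == "--to-port":
            rule.target = f"REDIRECT:{arg}"   # "-t" and "-A" are skipped: the caller picks the chain
        i += 2
    return rule


def walk(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First match wins; LOG is the one non-terminating target in this script."""
    for rule in chain:
        if rule.target != "LOG" and rule.matches(pkt):
            return rule.target
    return policy


def classify(nat_prerouting: List[Rule], filter_forward: List[Rule], pkt: Packet) -> str:
    """A REDIRECT delivers the packet to a local proxy port and it never reaches
    FORWARD; everything else (RETURN or no match) is routed and then filtered."""
    verdict = walk(nat_prerouting, pkt)
    if verdict.startswith("REDIRECT:"):
        return "proxy:" + verdict.split(":", 1)[1]
    return "forward" if walk(filter_forward, pkt) == "ACCEPT" else "drop"


ROUTER, WORKSTATION = "192.168.10.1", "192.168.10.10"
EXCLUDE = ["192.168.0.0/16", "127.0.0.1", "10.12.77.0/24"]

# Same order as the script: exceptions, HTTP redirect, catch-all TCP redirect.
NAT_PREROUTING = [parse_rule(f"iptables -t nat -A PREROUTING -d {net} -j RETURN") for net in EXCLUDE] + [
    parse_rule(f"iptables -t nat -A PREROUTING -s {WORKSTATION} ! -d {ROUTER} -p tcp --dport 80 -j REDIRECT --to-port 3128"),
    parse_rule(f"iptables -t nat -A PREROUTING -s {WORKSTATION} -p tcp -j REDIRECT --to-port 1211"),
]
FILTER_FORWARD = [parse_rule(f"iptables -A FORWARD -d {net} -j ACCEPT") for net in EXCLUDE] + [
    parse_rule(f"iptables -A FORWARD -s {WORKSTATION} -j DROP"),
]

# Constructed sample traffic from the workstation (198.51.100.x is documentation space).
SAMPLES = {
    "web":      Packet(WORKSTATION, "198.51.100.7", "tcp", 80),     # -> Squid
    "ssh":      Packet(WORKSTATION, "198.51.100.7", "tcp", 22),     # -> transocks
    "dns":      Packet(WORKSTATION, "198.51.100.53", "udp", 53),    # dropped: only TCP leaves
    "ping":     Packet(WORKSTATION, "198.51.100.7", "icmp"),        # dropped
    "vpn":      Packet(WORKSTATION, "10.12.77.5", "tcp", 443),      # excluded net: forwarded untouched
    "lan_http": Packet(WORKSTATION, "192.168.10.20", "tcp", 80),    # excluded net: not sent to Squid
}


def run(nat=NAT_PREROUTING, fwd=FILTER_FORWARD) -> dict:
    return {name: classify(nat, fwd, pkt) for name, pkt in SAMPLES.items()}


def run_misordered() -> dict:
    """Same rules with the exceptions appended last: VPN and LAN TCP are now
    swallowed by the redirects, the bug the 'Exceptions' block exists to prevent."""
    nat = NAT_PREROUTING[len(EXCLUDE):] + NAT_PREROUTING[:len(EXCLUDE)]
    return {name: classify(nat, FILTER_FORWARD, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name:9s} -> {verdict}")
    print("misordered:", run_misordered())
```

Running it prints web -> proxy:3128, ssh -> proxy:1211, dns and ping -> drop, vpn and lan_http -> forward; the misordered variant sends the VPN connection to transocks and the LAN HTTP request to Squid, which is exactly the leak that putting the RETURN rules first avoids.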
