Is it possible to firewall Tor traffic with a hardware firewall?

Kyle Williams kyle.kwilliams at gmail.com
Sat Oct 30 11:43:54 UTC 2010


One possible solution would be to run Tor on the firewall/router instead of
the PC/server, and configure the HiddenServicePort to point to the PC that
is running the service you want hidden.
You would also want to make sure that the firewall/router is routing all
traffic from the hidden service PC to Tor's TransPort, which should also be
configured in your torrc. As long as all incoming and outgoing traffic is
routed through the Tor network, the likelihood of having a successful side
channel attack reveal your real IP is slim.

Two network cards would be required to reduce the possibility of side
channel attacks. One for the PC(s) that you want to have running the hidden
service, and the other one connecting to the Internet.  I've previously
worked on a project for this type of security, and have a few diagrams which
may or may not be the type of setup you're looking for.
http://januspa.com/docs.html

Here's an example script you would want to run on the firewall/router
(assuming it's running Linux).  Modify for your security requirements
accordingly.

#!/bin/bash
IPTABLES="/usr/bin/iptables"
EXTIF="eth0"   # NIC facing the Internet
INTIF="eth1"   # NIC facing the hidden service PC(s)

# Enable forwarding between the two NICs
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Start from empty filter and nat tables
$IPTABLES -F
$IPTABLES -t nat -F

# Allow replies belonging to forwarded TCP connections that are already established
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

# REDIRECT DNS REQUEST TO TOR'S DnsPort
$IPTABLES -t nat -A PREROUTING -i $INTIF -p udp --dport 53 -j REDIRECT --to-ports 53

# REDIRECT HTTP REQUEST TO PRIVOXY/SQUID, WHICH THEN USES TOR (OPTIONAL)
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-ports 8888

# REDIRECT EVERYTHING ELSE TO TOR'S TransPort
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp -j REDIRECT --to-ports 9095

# DROP EVERYTHING ELSE (ICMP, UDP, ETC...)
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j DROP

######################################################################################

Do you think a setup like this would work for your needs?

Best regards,
Kyle

On Sat, Oct 30, 2010 at 3:29 AM, <hikki at safe-mail.net> wrote:

> To make side channel attacks more difficult, especially for those who
> don't use virtual machines to run their hidden services, I was thinking
> about using a hardware firewall between the Tor computer and the Internet
> modem.
> The hardware firewall can do IP based blocking, meaning that you
> can decide what IP address the Tor computer can connect to only.
> Like adding custom entry nodes in Tor's config file and then putting
> those IP addresses in the hardware firewall's rules so you can only
> connect to those, and no other IP.
>
> But there's a problem doing this. Sometimes Tor needs to connect to a
> directory server (if I've understood it right?) to update its directory
> list.
> And it doesn't connect to your exclusive entry node list for that.
> It seems, from the firewall's internal log, that it tries a lot of random
> IPs for that. So eventually your Tor engine will stop working or you
> can't restart it as long as the firewall blocks all outgoing traffic
> except for your entry node's IP addresses.
>
> Is there a way to make this possible, so you can IP filter your Tor
> computer and lock its connections only to your entry nodes and directory
> servers?
> Or is this impossible?
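As an added example that is not part of Kyle's message: a small POSIX sh audit that reads a torrc and an iptables-save dump and checks that the DnsPort and TransPort Tor listens on are the ports the nat REDIRECT rules send traffic to (a mismatch means the PC's connections land on a closed local port and the hidden service silently stops working). The torrc contents, the iptables-save dump and the 192.168.1.1 address are constructed samples.

```sh
#!/bin/sh
# Added audit example, not part of Kyle's message: confirm that the ports the
# nat REDIRECT rules send traffic to are the ports Tor listens on in torrc.
# The torrc files and the iptables-save dump below are constructed samples.

# Port of a torrc option such as TransPort or DnsPort ("9095" or "addr:9095").
torrc_port() {  # $1 = torrc file, $2 = option name
    awk -v opt="$2" '$1 == opt { sub(/^.*:/, "", $2); print $2; exit }' "$1"
}

# --to-ports value of the first nat REDIRECT rule in an iptables-save dump that
# matches the protocol and --dport; dport "" selects the catch-all rule without --dport.
redirect_port() {  # $1 = dump file, $2 = protocol, $3 = dport or ""
    awk -v proto="$2" -v dport="$3" '
        /^-A PREROUTING / && / -j REDIRECT / && $0 ~ (" -p " proto " ") {
            if (dport == "" && $0 ~ / --dport /) next
            if (dport != "" && $0 !~ (" --dport " dport " ")) next
            for (i = 1; i <= NF; i++) if ($i == "--to-ports") { print $(i + 1); exit }
        }' "$1"
}

# 0 when DnsPort matches the udp/53 redirect and TransPort matches the catch-all
# tcp redirect; 1 (with the mismatch printed) otherwise.
audit_redirects() {  # $1 = torrc, $2 = iptables-save dump
    dns_tor=$(torrc_port "$1" DnsPort);     dns_fw=$(redirect_port "$2" udp 53)
    trans_tor=$(torrc_port "$1" TransPort); trans_fw=$(redirect_port "$2" tcp "")
    rc=0
    [ -n "$dns_tor" ] && [ "$dns_tor" = "$dns_fw" ] ||
        { echo "DnsPort '$dns_tor' vs udp/53 redirect '$dns_fw'"; rc=1; }
    [ -n "$trans_tor" ] && [ "$trans_tor" = "$trans_fw" ] ||
        { echo "TransPort '$trans_tor' vs catch-all tcp redirect '$trans_fw'"; rc=1; }
    return $rc
}

# Constructed samples: the nat rules from the script in the message above as
# iptables-save prints them, one torrc that matches them and one that does not.
FW_DUMP=$(mktemp); GOOD_TORRC=$(mktemp); BAD_TORRC=$(mktemp)
trap 'rm -f "$FW_DUMP" "$GOOD_TORRC" "$BAD_TORRC"' EXIT
cat > "$FW_DUMP" <<'EOF'
*nat
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
-A PREROUTING -i eth1 -p tcp -j REDIRECT --to-ports 9095
COMMIT
EOF
printf 'TransPort 192.168.1.1:9095\nDnsPort 192.168.1.1:53\n' > "$GOOD_TORRC"
printf 'TransPort 9040\nDnsPort 53\n' > "$BAD_TORRC"   # TransPort differs from the nat rule

audit_redirects "$GOOD_TORRC" "$FW_DUMP" && echo "good torrc: nat rules and Tor ports agree"
audit_redirects "$BAD_TORRC" "$FW_DUMP" || echo "bad torrc: redirected traffic would hit a closed port"
```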