  1. #!/usr/bin/bash
  2.  
  3. #################################
  4. # This config sets up anon user to have all traffic firewalled to go through
  5. # tor
  6.  
  7. # I developed this on Xubuntu 18.4 LTS ( adapted from one I was using on Arch )
  8.  
  9. ANON_USER=anon
  10.  
  11. #############################
  12. #
  13. ## IPv6
  14. #
  15.  
  16. echo "Setting up ipv6 rules"
  17. ip6tables --flush
  18.  
  19. # Set default chain policies
  20. ip6tables --policy INPUT DROP
  21. ip6tables --policy FORWARD DROP
  22. ip6tables --policy OUTPUT ACCEPT
  23.  
  24. # Accept on localhost
  25. ip6tables --append INPUT --in-interface lo --jump ACCEPT
  26.  
  27. # Allow established sessions to receive traffic
  28. ip6tables --append INPUT \
  29.         --match conntrack --ctstate ESTABLISHED,RELATED \
  30.     --jump ACCEPT
  31.  
  32.  
  33. # Deny all tcp IPv6 output to $ANON_USER
  34. ip6tables --append OUTPUT \
  35.         ! --out-interface lo \
  36.         --protocol tcp \
  37.             --match owner --uid-owner "$ANON_USER" \
  38.     --jump DROP
  39.  
  40. # Deny all non-tcp IPv6 output to $ANON_USER
  41. ip6tables --append OUTPUT \
  42.         ! --out-interface lo \
  43.         ! --protocol tcp \
  44.             --match owner --uid-owner "$ANON_USER" \
  45.     --jump DROP
  46.  
  47. # accept local connections outbound to localhost if nobody objects
  48. ip6tables --append OUTPUT --out-interface lo --jump ACCEPT
  49.  
  50. ip6tables-save > /etc/iptables/rules.v6
  51.  
  52. #############################
  53. #
  54. ## IPv4
  55. #
  56.  
  57. echo "Setting up ipv4 rules"
  58. iptables --flush
  59.  
  60. # Set default chain policies
  61. iptables --policy INPUT DROP
  62. iptables --policy FORWARD DROP
  63. iptables --policy OUTPUT ACCEPT
  64.  
  65. # Accept on localhost
  66. iptables --append INPUT --in-interface lo --jump ACCEPT
  67.  
  68. # Allow established sessions to receive traffic
  69. iptables --append INPUT \
  70.         --match conntrack --ctstate ESTABLISHED,RELATED \
  71.     --jump ACCEPT
  72.  
  73.  
  74.  
  75. ###################################################
  76. # The following stuff is to set up an anon user firewalled
  77. # to only be able to send traffic via tor. ( haven't installed tor yet )
  78.  
  79. # all traffic send here goes out through tor
  80. TOR_TRANS_PORT=9040
  81. # does dns via tor
  82. TOR_DNS_PORT=5353
  83.  
  84. # The normal dns port where dns queries go
  85. DNS_PORT=53
  86.  
  87.  
  88. echo "ipv4.$ANON_USER"
  89.  
  90. # Accept tcp traffic bound for TOR_TRANS_POR for ANON_USER
  91. iptables --table filter \
  92.     --append OUTPUT \
  93.         --protocol tcp \
  94.             --dport "$TOR_TRANS_PORT" \
  95.             --match owner --uid-owner "$ANON_USER" \
  96.     --jump ACCEPT
  97.  
  98. # Accept udp traffic bound for TOR_DNS_PORT for ANON_USER
  99. iptables --table filter \
  100.     --append OUTPUT \
  101.         --protocol udp \
  102.             --dport "$TOR_DNS_PORT" \
  103.             --match owner --uid-owner "$ANON_USER" \
  104.     --jump ACCEPT
  105.  
  106. # REDIRECT to TOR_TRANS_PORT all tcp bound for nonlocal interface for ANON_USER
  107. iptables --table nat \
  108.     --append OUTPUT \
  109.         ! --out-interface lo \
  110.         --protocol tcp \
  111.             --match owner --uid-owner "$ANON_USER" \
  112.     --jump REDIRECT --to-ports "$TOR_TRANS_PORT"
  113.  
  114. # REDIRECT to TOR_DNS_PORT all udp bound for DNS_PORT on nonlocal interface for ANON_USER
  115. iptables --table nat \
  116.     --append OUTPUT \
  117.         ! --out-interface lo \
  118.         --protocol udp \
  119.             --dport "$DNS_PORT" \
  120.             --match owner --uid-owner "$ANON_USER" \
  121.     --jump REDIRECT --to-ports "$TOR_DNS_PORT"
  122.  
  123. # REJECT all other nontcp traffic on nonlocal interface for ANON_USER
  124. iptables --table filter \
  125.     --append OUTPUT \
  126.         ! --protocol tcp \
  127.             --match owner --uid-owner "$ANON_USER" \
  128.     --jump REJECT
  129.  
  130. # REDIRECT to TOR_DNS_PORT all udp bound for DNS_PORT on local interface for ANON_USER
  131. iptables --table nat \
  132.     --append OUTPUT \
  133.         --out-interface lo \
  134.         --protocol udp \
  135.             --dport "$DNS_PORT" \
  136.             --match owner --uid-owner "$ANON_USER" \
  137.     --jump REDIRECT --to-ports "$TOR_DNS_PORT"
  138.  
  139. # REJECT all other nontcp bound on local interface for ANON_USER
  140. iptables --table filter \
  141.     --append OUTPUT \
  142.         --out-interface lo \
  143.         ! --protocol tcp \
  144.             --match owner --uid-owner "$ANON_USER" \
  145.     --jump REJECT
  146.  
  147.  
  148. #
  149. # This is to deal with a bug in tor where there was leaking
  150. #
  151. # See https://lists.torproject.org/pipermail/tor-talk/2014-March/032503.html
  152. iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
  153.  iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
  154.  
  155. # accept other local connections outbound to localhost if nobody objects
  156. iptables --append OUTPUT --out-interface lo --jump ACCEPT
  157. # WARNING WARNING WARNING
  158. # Any server listening on the local interface that is running as another user
  159. # may forward traffic sent to it over clearnet!  The systemd dns server does
  160. # this unless ( above ) we redirect local traffic to that server to go
  161. # through tor.  THERE MAY BE OTHER CASES OF THIS hidden in the woodwork..
  162. # I don't THINK there are, but I don't know lots of things.
  163.  
  164. iptables-save > /etc/iptables/rules.v4
  165.  
  166.  
  167. echo "
  168. # PUT THIS IN /etc/tor/torrc and restart tor + remove single # comment chars
  169.  
  170. ## TRANSPARENT PROXY
  171. VirtualAddrNetworkIPv4 10.192.0.0/10
  172. AutomapHostsOnResolve 1
  173. TransPort 9040
  174. DNSPort 5353
  175.  
  176. I tested this with
  177.  
  178. # Check for congradulations you are using tor ( and check again after reboot til you know iptables-persistent is working )
  179.  
  180. lynx http://check.torproject.org
  181.  
  182. # This is the onion address for endchan.  Regular dns doesn't know about onion
  183. # so if this is redirected and you see endchan, your dns is being redirected through tor.
  184.  
  185. lynx  http://enxx3byspwsdo446jujc52ucy2pf5urdbhqw3kbsfhlfjwmbpj5smdad.onion/
  186.  
  187. Though dns works w/lynx browser firefox still needs to be told to do socks5 proxy 127.0.0.1 9050 and to proxy dns through socks5
  188.  
  189. You can still use tor browser under this config if you really care.
  190.  
  191. "