  1. #!/usr/bin/bash
  2.  
  3. #################################
  4.  
  5. # This config sets up anon user to have all traffic firewalled to go through
  6. # tor
  7.  
  8. # I developed this on Xubuntu 18.4 LTS ( adapted from one I was using on Arch )
  9.  
  10. # Edit: added a line to disable all ipv6 non-tcp on local interface for anon user to prevent dns leaks ( my arch box has ipv6 disabled in kernel )
  11.  
  12. ANON_USER=anon
  13.  
  14. #############################
  15. #
  16. ## IPv6
  17. #
  18.  
  19. echo "Setting up ipv6 rules"
  20. ip6tables --flush
  21.  
  22. # Set default chain policies
  23. ip6tables --policy INPUT DROP
  24. ip6tables --policy FORWARD DROP
  25. ip6tables --policy OUTPUT ACCEPT
  26.  
  27. # Accept on localhost
  28. ip6tables --append INPUT --in-interface lo --jump ACCEPT
  29.  
  30. # Allow established sessions to receive traffic
  31. ip6tables --append INPUT \
  32. --match conntrack --ctstate ESTABLISHED,RELATED \
  33. --jump ACCEPT
  34.  
  35.  
  36. # Deny all tcp IPv6 output to $ANON_USER
  37. ip6tables --append OUTPUT \
  38. ! --out-interface lo \
  39. --protocol tcp \
  40. --match owner --uid-owner "$ANON_USER" \
  41. --jump DROP
  42.  
  43. # Deny all non-tcp IPv6 output to $ANON_USER
  44. ip6tables --append OUTPUT \
  45. ! --out-interface lo \
  46. ! --protocol tcp \
  47. --match owner --uid-owner "$ANON_USER" \
  48. --jump DROP
  49.  
  50. # Drop all ipv6 for anon user on local interface
  51. ip6tables --append OUTPUT \
  52. --out-interface lo \
  53. ! --protocol tcp \
  54. --match owner --uid-owner "$ANON_USER" \
  55. --jump DROP
  56.  
  57. # accept local connections outbound to localhost if nobody objects
  58. ip6tables --append OUTPUT --out-interface lo --jump ACCEPT
  59.  
  60. ip6tables-save > /etc/iptables/rules.v6
  61.  
  62. #############################
  63. #
  64. ## IPv4
  65. #
  66.  
  67. echo "Setting up ipv4 rules"
  68. iptables --flush
  69.  
  70. # Set default chain policies
  71. iptables --policy INPUT DROP
  72. iptables --policy FORWARD DROP
  73. iptables --policy OUTPUT ACCEPT
  74.  
  75. # Accept on localhost
  76. iptables --append INPUT --in-interface lo --jump ACCEPT
  77.  
  78. # Allow established sessions to receive traffic
  79. iptables --append INPUT \
  80. --match conntrack --ctstate ESTABLISHED,RELATED \
  81. --jump ACCEPT
  82.  
  83.  
  84.  
  85. ###################################################
  86. # The following stuff is to set up an anon user firewalled
  87. # to only be able to send traffic via tor. ( haven't installed tor yet )
  88.  
  89. # all traffic send here goes out through tor
  90. TOR_TRANS_PORT=9040
  91. # does dns via tor
  92. TOR_DNS_PORT=5353
  93.  
  94. # The normal dns port where dns queries go
  95. DNS_PORT=53
  96.  
  97.  
  98. echo "ipv4.$ANON_USER"
  99.  
  100. # Accept tcp traffic bound for TOR_TRANS_POR for ANON_USER
  101. iptables --table filter \
  102. --append OUTPUT \
  103. --protocol tcp \
  104. --dport "$TOR_TRANS_PORT" \
  105. --match owner --uid-owner "$ANON_USER" \
  106. --jump ACCEPT
  107.  
  108. # Accept udp traffic bound for TOR_DNS_PORT for ANON_USER
  109. iptables --table filter \
  110. --append OUTPUT \
  111. --protocol udp \
  112. --dport "$TOR_DNS_PORT" \
  113. --match owner --uid-owner "$ANON_USER" \
  114. --jump ACCEPT
  115.  
  116. # REDIRECT to TOR_TRANS_PORT all tcp bound for nonlocal interface for ANON_USER
  117. iptables --table nat \
  118. --append OUTPUT \
  119. ! --out-interface lo \
  120. --protocol tcp \
  121. --match owner --uid-owner "$ANON_USER" \
  122. --jump REDIRECT --to-ports "$TOR_TRANS_PORT"
  123.  
  124. # REDIRECT to TOR_DNS_PORT all udp bound for DNS_PORT on nonlocal interface for ANON_USER
  125. iptables --table nat \
  126. --append OUTPUT \
  127. ! --out-interface lo \
  128. --protocol udp \
  129. --dport "$DNS_PORT" \
  130. --match owner --uid-owner "$ANON_USER" \
  131. --jump REDIRECT --to-ports "$TOR_DNS_PORT"
  132.  
  133. # REJECT all other nontcp traffic on nonlocal interface for ANON_USER
  134. iptables --table filter \
  135. --append OUTPUT \
  136. ! --protocol tcp \
  137. --match owner --uid-owner "$ANON_USER" \
  138. --jump REJECT
  139.  
  140. # REDIRECT to TOR_DNS_PORT all udp bound for DNS_PORT on local interface for ANON_USER
  141. iptables --table nat \
  142. --append OUTPUT \
  143. --out-interface lo \
  144. --protocol udp \
  145. --dport "$DNS_PORT" \
  146. --match owner --uid-owner "$ANON_USER" \
  147. --jump REDIRECT --to-ports "$TOR_DNS_PORT"
  148.  
  149. # REJECT all other nontcp bound on local interface for ANON_USER
  150. iptables --table filter \
  151. --append OUTPUT \
  152. --out-interface lo \
  153. ! --protocol tcp \
  154. --match owner --uid-owner "$ANON_USER" \
  155. --jump REJECT
  156.  
  157.  
  158. #
  159. # This is to deal with a bug in tor where there was leaking
  160. #
  161. # See https://lists.torproject.org/pipermail/tor-talk/2014-March/032503.html
  162. iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
  163. iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
  164.  
  165. # accept other local connections outbound to localhost if nobody objects
  166. iptables --append OUTPUT --out-interface lo --jump ACCEPT
  167. # WARNING WARNING WARNING
  168. # Any server listening on the local interface that is running as another user
  169. # may forward traffic sent to it over clearnet! The systemd dns server does
  170. # this unless ( above ) we redirect local traffic to that server to go
  171. # through tor. THERE MAY BE OTHER CASES OF THIS hidden in the woodwork..
  172. # I don't THINK there are, but I don't know lots of things.
  173.  
  174. iptables-save > /etc/iptables/rules.v4
  175.  
  176.  
  177. echo "
  178. # PUT THIS IN /etc/tor/torrc and restart tor + remove single # comment chars
  179.  
  180. ## TRANSPARENT PROXY
  181. VirtualAddrNetworkIPv4 10.192.0.0/10
  182. AutomapHostsOnResolve 1
  183. TransPort 9040
  184. DNSPort 5353
  185.  
  186. I tested this with
  187.  
  188. # Check for congradulations you are using tor ( and check again after reboot til you know iptables-persistent is working )
  189.  
  190. lynx http://check.torproject.org
  191.  
  192. # This is the onion address for endchan. Regular dns doesn't know about onion
  193. # so if this is redirected and you see endchan, your dns is being redirected through tor.
  194.  
  195. 1ynx http://enxx3byspwsdo446jujc52ucy2pf5urdbhqw3kbsfhlfjwmbpj5smdad.onion/
  196. "