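#!/usr/bin/env bash
###############################################################################
# Firewall a dedicated local user ($ANON_USER) so that ALL of its network
# traffic leaves the machine through Tor:
#   - TCP to non-loopback destinations is REDIRECTed into Tor's TransPort,
#   - UDP DNS (port 53, on ANY interface, loopback included) is REDIRECTed into
#     Tor's DNSPort,
#   - everything else from that user is rejected.
# Other users are not restricted (OUTPUT policy stays ACCEPT for them).
#
# Developed on Xubuntu 18.04 LTS (adapted from an Arch setup).  Requires root,
# iptables/ip6tables, and iptables-persistent (the rules are written to
# /etc/iptables/rules.v{4,6}; without iptables-persistent they are lost on
# reboot).
#
# Why loopback is locked down too: a daemon running as ANOTHER user and
# listening on 127.0.0.1/::1 (systemd-resolved on 127.0.0.53 is the obvious
# one) will happily forward whatever $ANON_USER sends it in clearnet.  The
# earlier version of this script only covered UDP/53 on lo and left e.g. TCP
# DNS to 127.0.0.53 and any local proxy reachable.  Now $ANON_USER may only
# reach the Tor ports on loopback; everything else is rejected.
###############################################################################
set -euo pipefail

ANON_USER=anon
# Tor TransPort (transparent TCP proxy).  Must match TransPort in torrc.
TOR_TRANS_PORT=9040
# Tor DNSPort (UDP DNS resolved through Tor).  Must match DNSPort in torrc.
# NOTE: UDP 5353 is also the mDNS port (avahi); if Tor logs a bind failure on
# DNSPort, pick another port here AND in torrc.
TOR_DNS_PORT=5353
# Tor's default SocksPort.  Allowed on loopback so SOCKS-aware apps run by
# $ANON_USER can use it directly (SOCKS lets Tor do the name resolution).
# Set to an unused port if you do not want this.
TOR_SOCKS_PORT=9050
# The port normal DNS queries go to; these get redirected to TOR_DNS_PORT.
DNS_PORT=53
# Where iptables-persistent looks for saved rules.
RULES_DIR=/etc/iptables

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# Sanity checks: iptables silently does the wrong thing if any of these is off
# (e.g. the owner match fails to load for a non-existent user name).
[[ $EUID -eq 0 ]] || die "must be run as root"
id -u "$ANON_USER" >/dev/null 2>&1 || die "user '$ANON_USER' does not exist"
for tool in iptables ip6tables iptables-save ip6tables-save; do
  command -v "$tool" >/dev/null 2>&1 || die "$tool not found"
done
mkdir -p "$RULES_DIR"

###############################################################################
## IPv6
###############################################################################
echo "Setting up ipv6 rules"
ip6tables --flush
# The nat table may not exist on older kernels/builds; ignore that case.
ip6tables --table nat --flush 2>/dev/null || true
ip6tables --delete-chain
# Default chain policies
ip6tables --policy INPUT DROP
ip6tables --policy FORWARD DROP
ip6tables --policy OUTPUT ACCEPT
# Accept on localhost
ip6tables --append INPUT --in-interface lo --jump ACCEPT
# Allow established sessions to receive traffic
ip6tables --append INPUT \
  --match conntrack --ctstate ESTABLISHED,RELATED \
  --jump ACCEPT
# NOTE: with INPUT DROP and no ICMPv6 accept, neighbour discovery and router
# advertisements are dropped, so IPv6 will not work for ANY user on this host.
# That is fine if IPv6 is unused (the original Arch box had it disabled in the
# kernel); if this host needs working IPv6, add:
#   ip6tables --append INPUT --protocol ipv6-icmp --jump ACCEPT
#
# $ANON_USER gets no IPv6 at all, loopback included: Tor's TransPort/DNSPort
# are configured for IPv4 only below, and an IPv6 listener on ::1 could forward
# in clearnet exactly like the IPv4 loopback case.  REJECT rather than DROP so
# applications fail over to IPv4 immediately instead of timing out.
ip6tables --append OUTPUT \
  --match owner --uid-owner "$ANON_USER" \
  --jump REJECT
# Other users: local connections to localhost are fine.
ip6tables --append OUTPUT --out-interface lo --jump ACCEPT
ip6tables-save > "$RULES_DIR/rules.v6"

###############################################################################
## IPv4
###############################################################################
echo "Setting up ipv4 rules"
iptables --flush
# The previous version only flushed the filter table, so every re-run appended
# another copy of the nat REDIRECT rules.
iptables --table nat --flush
iptables --delete-chain
# Default chain policies
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT ACCEPT
# Accept on localhost
iptables --append INPUT --in-interface lo --jump ACCEPT
# Allow established sessions to receive traffic
iptables --append INPUT \
  --match conntrack --ctstate ESTABLISHED,RELATED \
  --jump ACCEPT

###############################################################################
# $ANON_USER: everything via Tor.
# nat OUTPUT runs before filter OUTPUT, so the filter rules further down see
# the post-REDIRECT packet: going out on lo, to the Tor port.
###############################################################################
echo "ipv4.$ANON_USER"
# REDIRECT all TCP bound for a non-loopback interface into Tor's TransPort.
iptables --table nat \
  --append OUTPUT \
  ! --out-interface lo \
  --protocol tcp \
  --match owner --uid-owner "$ANON_USER" \
  --jump REDIRECT --to-ports "$TOR_TRANS_PORT"
# REDIRECT all UDP DNS into Tor's DNSPort, on EVERY interface: this is what
# catches queries to the stub resolver on 127.0.0.53 (systemd-resolved), which
# would otherwise be forwarded upstream in clearnet.
iptables --table nat \
  --append OUTPUT \
  --protocol udp \
  --dport "$DNS_PORT" \
  --match owner --uid-owner "$ANON_USER" \
  --jump REDIRECT --to-ports "$TOR_DNS_PORT"

# filter OUTPUT: $ANON_USER may talk to Tor on loopback and to nothing else.
iptables --table filter \
  --append OUTPUT \
  --out-interface lo \
  --protocol tcp \
  --dport "$TOR_TRANS_PORT" \
  --match owner --uid-owner "$ANON_USER" \
  --jump ACCEPT
iptables --table filter \
  --append OUTPUT \
  --out-interface lo \
  --protocol udp \
  --dport "$TOR_DNS_PORT" \
  --match owner --uid-owner "$ANON_USER" \
  --jump ACCEPT
iptables --table filter \
  --append OUTPUT \
  --out-interface lo \
  --protocol tcp \
  --dport "$TOR_SOCKS_PORT" \
  --match owner --uid-owner "$ANON_USER" \
  --jump ACCEPT
# REJECT everything else from $ANON_USER on every interface, loopback included:
# remaining TCP (TCP DNS to 127.0.0.53, local proxies, ...), other UDP, ICMP.
# This is the rule that closes the "some other local daemon forwards it in
# clearnet" hole.  Any legitimate local service $ANON_USER needs must be
# explicitly allowed ABOVE this line, and only if you are sure it does not
# talk to the network on the user's behalf.
iptables --table filter \
  --append OUTPUT \
  --match owner --uid-owner "$ANON_USER" \
  --jump REJECT

# Workaround for the TransPort leak described at
#   https://lists.torproject.org/pipermail/tor-talk/2014-March/032503.html
# stray FIN/ACK and RST/ACK segments could leave on the real interface with
# the original, un-redirected destination.  Deliberately NOT scoped to
# $ANON_USER: such segments can be emitted by the kernel with no owning socket,
# and the owner match cannot see those.  Inserted at the head of OUTPUT so they
# are evaluated before anything else.
iptables --insert OUTPUT \
  ! --out-interface lo ! --destination 127.0.0.1 ! --source 127.0.0.1 \
  --protocol tcp --match tcp --tcp-flags ACK,FIN ACK,FIN \
  --jump DROP
iptables --insert OUTPUT \
  ! --out-interface lo ! --destination 127.0.0.1 ! --source 127.0.0.1 \
  --protocol tcp --match tcp --tcp-flags ACK,RST ACK,RST \
  --jump DROP

# Other users: local connections to localhost are fine.
iptables --append OUTPUT --out-interface lo --jump ACCEPT
iptables-save > "$RULES_DIR/rules.v4"

# Tor-side configuration and how to verify.  Ports are taken from the
# variables above so torrc and the firewall cannot drift apart.
cat <<EOF

# --- Put the following in /etc/tor/torrc, then restart tor ---
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort $TOR_TRANS_PORT
DNSPort $TOR_DNS_PORT

# --- Verify, running the commands AS $ANON_USER (e.g. sudo -u $ANON_USER ...) ---
# Expect the "Congratulations" page.  Re-check after a reboot until you know
# iptables-persistent restores the rules:
lynx http://check.torproject.org
# This is the onion address for endchan.  Regular DNS knows nothing about
# .onion, so if this loads your DNS is going through Tor:
lynx http://enxx3byspwsdo446jujc52ucy2pf5urdbhqw3kbsfhlfjwmbpj5smdad.onion/
# And a negative test: as $ANON_USER, a direct connection must be refused, e.g.
#   nc -w 3 -z 127.0.0.53 53   (TCP DNS to the stub resolver -> connection refused)
EOF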