Tor is free software for enabling anonymous communication.Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than seven thousand relays to conceal a user’s location and usage from anyone conducting network surveillance or traffic analysis.
Here is the OS used :
|
1 2 |
> lsb_release -c Codename: jessie |
Install TOR directly from the packages :
|
1 |
> apt-get install tor |
And stop the service to configure it :
|
1 |
> service tor stop |
Edit the configuration file as follow :
|
1 2 3 4 5 |
> vi /etc/tor/torrc VirtualAddrNetworkIPv4 10.192.0.0/10 AutomapHostsOnResolve 1 TransPort 9040 DNSPort 53 |
Use Tor’s DNSPort on the loopback interface :
|
1 |
> echo nameserver 127.0.0.1 > /etc/resolv.conf |
Then you can start the service :
|
1 |
> service tor start |
Before starting iptables configuration, we need to know the user id that Tor runs as :
|
1 2 |
> ps -o uid -o "%u %U" -A | grep tor 106 debian-+ debian-tor |
Then we can create our iptables script :
|
1 2 |
> cd /etc/ > vi iptables.sh |
And add the following :
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
#!/bin/sh ### set variables #destinations you don't want routed through Tor _non_tor="" #the UID that Tor runs as (varies from system to system) _tor_uid="106" #Tor's TransPort _trans_port="9040" ### flush iptables iptables -F iptables -t nat -F ### set iptables *nat iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53 #allow clearnet access for hosts in $_non_tor for _clearnet in $_non_tor 127.0.0.0/9 127.128.0.0/10; do iptables -t nat -A OUTPUT -d $_clearnet -j RETURN done #redirect all other output to Tor's TransPort iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port ### set iptables *filter iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #allow clearnet access for hosts in $_non_tor for _clearnet in $_non_tor 127.0.0.0/8; do iptables -A OUTPUT -d $_clearnet -j ACCEPT done #allow only Tor output iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT iptables -A OUTPUT -j REJECT |
Note : It’s important to change the _tor_uid=”106″ to the value found earlier !
Make it executable:
|
1 |
> chmod +x iptables.sh |
And run it :
|
1 |
> ./iptables.sh |
A quick check :
|
1 2 |
> wget https://check.torproject.org/ > cat index.html |
And check for the title line :
|
1 |
<h1 class="not">Congratulations. This browser is configured to use Tor.</h1> |
Note, to stop using TOR :
|
1 2 3 |
> sudo echo nameserver 8.8.8.8 > /etc/resolv.conf > iptables -F > service tor stop |
