Anonymize TCP traffic on Debian with Tor

Tor is free software for enabling anonymous communication. Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than seven thousand relays to conceal a user's location and usage from anyone conducting network surveillance or traffic analysis.

Here is the OS used:

> lsb_release -c
Codename:       jessie

Install Tor directly from the packages:

> apt-get install tor

And stop the service to configure it:

> service tor stop

Edit the configuration file as follows:

> vi /etc/tor/torrc
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 53

Use Tor's DNSPort on the loopback interface:

> echo nameserver 127.0.0.1 > /etc/resolv.conf

Then you can start the service:

> service tor start

Before starting the iptables configuration, we need to know the user id that Tor runs as:

> ps -o uid -o "%u %U" -A | grep tor
106 debian-+ debian-tor

Then we can create our iptables script:

> cd /etc/
> vi iptables.sh

And add the following:

#!/bin/sh

### set variables
#destinations you don't want routed through Tor (space-separated CIDRs)
_non_tor=""

#the UID that Tor runs as (varies from system to system)
_tor_uid="106"

#Tor's TransPort
_trans_port="9040"

### flush iptables (both the filter and the nat table)
iptables -F
iptables -t nat -F

### set iptables *nat
#let Tor's own packets out untouched, otherwise they would loop back into TransPort
iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN
#send every DNS query to Tor's DNSPort on the loopback interface
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53

#allow clearnet access for hosts in $_non_tor
for _clearnet in $_non_tor 127.0.0.0/9 127.128.0.0/10; do
   iptables -t nat -A OUTPUT -d $_clearnet -j RETURN
done

#redirect all other output to Tor's TransPort (only the SYN needs redirecting;
#the rest of the connection follows the conntrack entry)
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port

### set iptables *filter
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow clearnet access for hosts in $_non_tor (and loopback, where TransPort/DNSPort listen)
for _clearnet in $_non_tor 127.0.0.0/8; do
   iptables -A OUTPUT -d $_clearnet -j ACCEPT
done

#allow only Tor output; everything else (UDP, ICMP, non-redirected TCP) is rejected
iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT
iptables -A OUTPUT -j REJECT

Note: it's important to change _tor_uid="106" to the value found earlier! Also, these rules cover IPv4 only; on a host with IPv6 connectivity, add equivalent ip6tables rules (or disable IPv6), otherwise IPv6 traffic bypasses Tor entirely.

Make it executable:

> chmod +x iptables.sh

And run it:

> ./iptables.sh

A quick check:

> wget https://check.torproject.org/
> cat index.html

And check for the title line:

Congratulations. This browser is configured to use Tor.

Note, to stop using Tor (as root, like the rest of this guide; flush the nat table too, or the REDIRECT rules keep sending traffic to a TransPort that is no longer listening):

> echo nameserver 8.8.8.8 > /etc/resolv.conf
> iptables -F
> iptables -t nat -F
> service tor stop
