# torrc excerpt: the listeners that the iptables transproxy rules below send
# traffic to. Per the Tor manual, names resolved through DNSPort are mapped to
# addresses from VirtualAddrNetworkIPv4 when AutomapHostsOnResolve is on, so the
# TCP connection that follows the lookup can be recognised on TransPort.
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
# TransPort receives the REDIRECTed TCP, DNSPort the REDIRECTed UDP/53.
# NOTE(review): the *ListenAddress options are the legacy spelling; current Tor
# takes the address inside the port option ("TransPort 192.168.1.1:9040",
# "DNSPort 192.168.1.1:5353") -- check the manual of the installed version.
# Binding to 192.168.1.1 exposes both listeners to every host on that LAN, so the
# firewall must decide who may reach them. The bash script below redirects DNS
# to port 5300, not 5353 -- the two have to agree or DNS resolution breaks.
TransPort 9040
TransListenAddress 127.0.0.1
TransListenAddress 192.168.1.1
DNSPort 5353
DNSListenAddress 127.0.0.1
DNSListenAddress 192.168.1.1
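#!/bin/bash
# Transparent Tor proxy firewall for a single host (IPv4 only).
#
# nat/OUTPUT rewrites every TCP connection and every DNS query that does not
# come from Tor itself to Tor's TransPort / DNSPort on 127.0.0.1. The filter
# chains then let out only Tor's own traffic and the redirected (loopback)
# traffic of one user account; everything else is logged and dropped.
# Must run as root. The ports below must match TransPort/DNSPort in torrc.
# IPv6 is not touched at all: without a matching ip6tables policy (at least
# "ip6tables -P OUTPUT DROP") IPv6 traffic bypasses this script entirely.
set -u

IPTABLES=/sbin/iptables
TOR_USER=${TOR_USER:-debian-tor}
TOR_UID=$(id -u "$TOR_USER") || { echo "cannot resolve uid of $TOR_USER" >&2; exit 1; }
NETWORK_USER_ID=${NETWORK_USER_ID:-1000}   # the only non-Tor account allowed to use the network
TOR_TRANS_PORT=9040                         # torrc: TransPort
TOR_DNS_PORT=5300                           # torrc: DNSPort -- NOTE(review): the torrc excerpt on this page says 5353; they must agree

# Clear existing rules. Chain policies are left alone; the explicit DROP rules
# appended at the end of INPUT and OUTPUT do the job.
$IPTABLES -F INPUT || exit 1
$IPTABLES -F OUTPUT || exit 1
$IPTABLES -t nat -F || exit 1

## Transproxy rules for Tor (nat table): TCP not already aimed at loopback, and
## UDP/53, from anyone but Tor, are rewritten to Tor's listeners.
## (The original used "| exit" here, which pipes into a subshell and never exits.)
$IPTABLES -t nat -A OUTPUT ! -d 127.0.0.1 -p tcp -m owner ! --uid-owner "$TOR_UID" -j REDIRECT --to-ports "$TOR_TRANS_PORT" || exit 1
$IPTABLES -t nat -A OUTPUT -p udp -m udp --dport 53 -m owner ! --uid-owner "$TOR_UID" -j REDIRECT --to-ports "$TOR_DNS_PORT" || exit 1

# First rules in OUTPUT chain: packets conntrack cannot tie to a flow, and stray
# FIN/ACK or RST/ACK segments leaving a real interface, are the packets that
# slip past a REDIRECT-based proxy -- log them, then drop them.
# ("-m state --state INVALID" is the same test as ctstate INVALID; one copy suffices.)
$IPTABLES -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "Transproxy ctstate leak blocked: " --log-uid
$IPTABLES -A OUTPUT -m conntrack --ctstate INVALID -j DROP || exit 1
for flags in ACK,FIN ACK,RST; do
  $IPTABLES -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags "$flags" "$flags" -j LOG --log-prefix "Transproxy leak blocked: " --log-uid
  $IPTABLES -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags "$flags" "$flags" -j DROP || exit 1
done

# Allow Tor itself, and the network user -- but only on loopback, i.e. the
# connections the nat rules just redirected to Tor. Without "-o lo" that user's
# UDP (other than port 53) and ICMP, which the nat rules do not redirect, would
# leave on the real interface unproxied.
$IPTABLES -A OUTPUT -m owner --uid-owner "$TOR_UID" -j ACCEPT || exit 1
$IPTABLES -A OUTPUT -o lo -m owner --uid-owner "$NETWORK_USER_ID" -j ACCEPT || exit 1
# Log what is about to be dropped. This LOG rule belongs in OUTPUT: appending it
# to INPUT (as before) logs every incoming packet and never logs an output drop.
$IPTABLES -A OUTPUT -j LOG --log-prefix "OUTPUT DROPPED: " --log-uid || exit 1
$IPTABLES -A OUTPUT -j DROP || exit 1

# INPUT chain: replies to flows we opened, loopback (the redirected transproxy
# traffic arrives here, so the explicit DNSPort rule is belt-and-braces), and
# nothing else.
$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || exit 1
$IPTABLES -A INPUT -i lo -j ACCEPT || exit 1
$IPTABLES -A INPUT -d 127.0.0.1 -p udp -m udp --dport "$TOR_DNS_PORT" -j ACCEPT || exit 1
$IPTABLES -A INPUT -j LOG --log-prefix "INPUT DROPPED: " || exit 1
$IPTABLES -A INPUT -j DROP || exit 1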
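#!/bin/sh
# Transparent Tor proxy for this host and for LAN clients behind $_int_if
# (IPv4 only -- add an equivalent ip6tables policy or disable IPv6, otherwise
# IPv6 traffic bypasses everything here).
#
# nat:    TCP SYNs and UDP/53 from local processes (OUTPUT) and from the LAN
#         (PREROUTING) are redirected to Tor's TransPort / DNSPort.
# filter: local processes may only talk to Tor, loopback and $_non_tor; LAN
#         traffic the nat rules did not redirect (non-DNS UDP, ICMP, ...) is
#         refused in FORWARD so it cannot reach the clearnet when ip_forward is on.
# The INPUT chain is flushed but otherwise left at its policy; restrict it to
# lo, established flows and $_int_if:$_trans_port / $_int_if:53 if Tor or
# anything else on this box must not be reachable from elsewhere.
# Runs as root.

### set variables
#destinations you don't want routed through Tor (space separated)
_non_tor="192.168.1.0/24 192.168.0.0/24"
#the UID that Tor runs as (varies from system to system; override with TOR_UID=...)
_tor_uid="${TOR_UID:-109}"
#Tor's TransPort
_trans_port="9040"
#Tor's DNSPort (bound on the plain DNS port in this setup)
_dns_port="53"
#your internal interface
_int_if="eth0"

### flush iptables
iptables -F
iptables -t nat -F

### set iptables *nat
#never rewrite loopback traffic or Tor's own connections
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner "$_tor_uid" -j RETURN
#DNS is redirected before the clearnet exceptions, so even queries to a LAN
#resolver go to Tor
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports "$_dns_port"
#allow clearnet access for hosts in $_non_tor ($_non_tor is split on purpose)
for _clearnet in $_non_tor; do
  iptables -t nat -A OUTPUT -d "$_clearnet" -j RETURN
  iptables -t nat -A PREROUTING -i "$_int_if" -d "$_clearnet" -j RETURN
done
#redirect all other pre-routing and output to Tor
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports "$_trans_port"
iptables -t nat -A PREROUTING -i "$_int_if" -p udp --dport 53 -j REDIRECT --to-ports "$_dns_port"
iptables -t nat -A PREROUTING -i "$_int_if" -p tcp --syn -j REDIRECT --to-ports "$_trans_port"

### set iptables *filter
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow clearnet access for hosts in $_non_tor and loopback
for _clearnet in $_non_tor 127.0.0.0/8; do
  iptables -A OUTPUT -d "$_clearnet" -j ACCEPT
done
#allow only Tor output
iptables -A OUTPUT -m owner --uid-owner "$_tor_uid" -j ACCEPT
iptables -A OUTPUT -j REJECT

#LAN traffic the nat rules did not catch must not be routed to the clearnet:
#allow replies and $_non_tor, refuse everything else coming in on $_int_if
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
for _clearnet in $_non_tor; do
  iptables -A FORWARD -i "$_int_if" -d "$_clearnet" -j ACCEPT
done
iptables -A FORWARD -i "$_int_if" -j REJECT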
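# /etc/iptables/iptables.rules -- loaded with iptables-restore and
# ip6tables-restore. Lines tagged --ipv4 are skipped by ip6tables-restore and
# lines tagged --ipv6 by iptables-restore, so one file serves both families.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# LAN clients (anything not arriving on lo): UDP/53 -> Tor DNSPort, TCP SYN -> Tor TransPort.
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
# Local processes: leave loopback, the 192.168/16 LAN and Tor itself alone, redirect the rest.
-A OUTPUT -o lo -j RETURN
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# The REDIRECTed LAN traffic arrives here as NEW connections to the Tor ports.
# Without these two rules the REJECT lines below kill every client connection
# (tcp-reset on 9040, port-unreachable on 5353). Replace "! -i lo" with the LAN
# interface (e.g. "-i eth0") if the box also has an Internet-facing interface,
# otherwise the Tor listeners are reachable from there as well.
-A INPUT ! -i lo -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT ! -i lo -p udp -m udp --dport 5353 -j ACCEPT
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
--ipv6 -A INPUT -j REJECT
# FORWARD stays at DROP: LAN traffic the nat rules did not redirect never leaves.
# Local output: loopback, the LAN, replies, and Tor itself; everything else is refused.
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
# ::1/128 is the IPv6 loopback host; "::1/8" (as written before) is ::/8 and
# matches far more than loopback.
--ipv6 -A OUTPUT -d ::1/128 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
--ipv6 -A OUTPUT -j REJECT
COMMIT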
Затем настроить DHCP-сервер так, чтобы он выдавал наш прозрачный прокси в качестве единственного DNS-сервера своим клиентам в локальной сети. Полагаться только на DHCP нельзя: клиент с вручную прописанным DNS-сервером обошёл бы прокси, поэтому правило PREROUTING, перенаправляющее порт 53 на DNSPort Tor, остаётся обязательным.