====== Прозрачный прокси ======
===== На персональном компьютере =====
===== Общесетевой =====
# Tor side of the transparent proxy.  The *ListenAddress lines presumably make
# Tor answer both on loopback and on the LAN address 192.168.1.1 (newer Tor
# releases express this as "TransPort 192.168.1.1:9040"; the *ListenAddress
# options are deprecated).
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
# TransPort and DNSPort must equal the REDIRECT targets in the firewall rules
# further down this page: the iptables.rules file uses 9040/5353 like this
# torrc, but the two shell scripts redirect DNS to 5300 and 53 respectively --
# pick one value and keep torrc and firewall consistent.
TransPort 9040
TransListenAddress 127.0.0.1
TransListenAddress 192.168.1.1
DNSPort 5353
DNSListenAddress 127.0.0.1
DNSListenAddress 192.168.1.1
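#!/bin/bash
# Transparent Tor proxy for this host and its LAN side.  The nat table pushes
# every non-Tor TCP connection into Tor's TransPort and non-Tor UDP/53 into its
# DNSPort; the filter table then logs and drops whatever is not Tor, the
# designated network user, or loopback.  Must run as root.
# Abort on the first failed command and on unset variables: a rule that
# silently fails to install leaves a leak.
set -eu

IPTABLES=/sbin/iptables
# UID Tor runs as.  Under 'set -e' a missing user aborts here instead of
# producing empty '--uid-owner' arguments further down.
TOR_UID=$(id -u debian-tor)
NETWORK_USER_ID=1000   # local user whose non-redirected traffic may leave the host
TRANS_PORT=9040        # Tor TransPort (torrc: TransPort)
DNS_PORT=5300          # Tor DNSPort -- NOTE: the torrc on this page says 5353; keep them equal

# Clear existing rules (FORWARD and the other tables are left untouched)
"$IPTABLES" -F INPUT
"$IPTABLES" -F OUTPUT
"$IPTABLES" -t nat -F

## Transproxy rules for Tor (nat table, evaluated before the filter rules)
# Every TCP connection not opened by Tor itself and not aimed at localhost goes
# to the TransPort; UDP/53 from anyone but Tor goes to the DNSPort.
# (The original first line ended in '| exit' -- a pipe, which never aborted the
# script when the rule failed.)
"$IPTABLES" -t nat -A OUTPUT ! -d 127.0.0.1 -m owner ! --uid-owner "$TOR_UID" -p tcp -j REDIRECT --to-ports "$TRANS_PORT"
"$IPTABLES" -t nat -A OUTPUT -p udp -m owner ! --uid-owner "$TOR_UID" -m udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"

# First rules in OUTPUT chain: drop packets that belong to no tracked
# connection, and log+drop stray FIN/RST segments that try to leave a real
# interface (these are the usual signs of traffic escaping the redirect).
#"$IPTABLES" -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "Transproxy ctstate leak blocked: " --log-uid
"$IPTABLES" -A OUTPUT -m conntrack --ctstate INVALID -j DROP
"$IPTABLES" -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Transproxy state leak blocked: " --log-uid
"$IPTABLES" -A OUTPUT -m state --state INVALID -j DROP
"$IPTABLES" -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j LOG --log-prefix "Transproxy leak blocked: " --log-uid
"$IPTABLES" -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j LOG --log-prefix "Transproxy leak blocked: " --log-uid
"$IPTABLES" -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
"$IPTABLES" -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP

# Allow Tor and the network user; log and drop everything else leaving the host.
# The nat rules above already send the network user's TCP into Tor and its
# UDP/53 to the DNSPort, so this ACCEPT only matters for that user's remaining
# traffic (non-53 UDP, ICMP, ...), which leaves the host in the clear.
# (The original logged "OUTPUT DROPPED" in the INPUT chain, ahead of the INPUT
# accepts -- it logged every inbound packet and never the outbound drops.)
"$IPTABLES" -A OUTPUT -m owner --uid-owner "$TOR_UID" -j ACCEPT
"$IPTABLES" -A OUTPUT -m owner --uid-owner "$NETWORK_USER_ID" -j ACCEPT
"$IPTABLES" -A OUTPUT -j LOG --log-prefix "OUTPUT DROPPED: " --log-uid
"$IPTABLES" -A OUTPUT -j DROP

# Create INPUT firewall: allow replies to tracked connections, loopback (the
# redirect targets live there) and the DNSPort; log and drop the rest.
"$IPTABLES" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
"$IPTABLES" -A INPUT -i lo -j ACCEPT   # Transproxy output comes from lo
"$IPTABLES" -A INPUT -d 127.0.0.1 -m udp -p udp --dport "$DNS_PORT" -j ACCEPT
"$IPTABLES" -A INPUT -j LOG --log-prefix "INPUT DROPPED: " --log-uid
"$IPTABLES" -A INPUT -j DROP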
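#!/bin/sh
# Anonymizing middlebox: redirect this host's own traffic and everything that
# arrives on $_int_if into Tor, except destinations listed in $_non_tor.
# Must run as root; Tor must listen on TransPort $_trans_port and DNSPort
# $_dns_port.  Abort on the first failed command and on unset variables --
# a rule that silently fails to install leaves a leak.
set -eu

### set variables
#destinations you don't want routed through Tor (space-separated list)
_non_tor="192.168.1.0/24 192.168.0.0/24"
#the UID that Tor runs as (varies from system to system; see `id -u tor` / `id -u debian-tor`)
_tor_uid="109"
#Tor's TransPort
_trans_port="9040"
#Tor's DNSPort, the redirect target for UDP/53 (must match torrc; the torrc on this page uses 5353)
_dns_port="53"
#your internal interface
_int_if="eth0"

### flush iptables (filter: INPUT, FORWARD, OUTPUT; nat: all chains)
iptables -F
iptables -t nat -F

### set iptables *nat
#never redirect loopback or Tor's own traffic
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner "$_tor_uid" -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports "$_dns_port"
#allow clearnet access for hosts in $_non_tor ($_non_tor is word-split on purpose)
for _clearnet in $_non_tor; do
  iptables -t nat -A OUTPUT -d "$_clearnet" -j RETURN
  iptables -t nat -A PREROUTING -i "$_int_if" -d "$_clearnet" -j RETURN
done
#redirect all other pre-routing and output to Tor
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports "$_trans_port"
iptables -t nat -A PREROUTING -i "$_int_if" -p udp --dport 53 -j REDIRECT --to-ports "$_dns_port"
iptables -t nat -A PREROUTING -i "$_int_if" -p tcp --syn -j REDIRECT --to-ports "$_trans_port"

### set iptables *filter
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow clearnet access for hosts in $_non_tor, plus loopback (where the redirect targets live)
for _clearnet in $_non_tor 127.0.0.0/8; do
  iptables -A OUTPUT -d "$_clearnet" -j ACCEPT
done
#allow only Tor output
iptables -A OUTPUT -m owner --uid-owner "$_tor_uid" -j ACCEPT
iptables -A OUTPUT -j REJECT

### FORWARD: the nat PREROUTING rules above only catch TCP SYNs and UDP/53 from
# $_int_if; anything else from the LAN (other UDP, ICMP, ...) is not redirected
# and would be forwarded to the clearnet if IP forwarding is enabled with an
# ACCEPT policy.  Only forward to $_non_tor (and replies to such flows).
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
for _clearnet in $_non_tor; do
  iptables -A FORWARD -i "$_int_if" -d "$_clearnet" -j ACCEPT
done
iptables -A FORWARD -j REJECT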
/etc/iptables/iptables.rules
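# iptables-restore format (load with: iptables-restore < /etc/iptables/iptables.rules);
# the --ipv4/--ipv6 line prefixes let the same file also feed ip6tables-restore.
# Ports match the torrc on this page: TransPort 9040, DNSPort 5353.
*nat
:PREROUTING ACCEPT [6:2126]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [17:6239]
:POSTROUTING ACCEPT [6:408]
# LAN clients (any interface but lo): DNS to Tor's DNSPort, new TCP connections to the TransPort
-A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
# This host's own traffic: leave loopback, the LAN and Tor itself alone, redirect the rest
-A OUTPUT -o lo -j RETURN
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
-A OUTPUT -m owner --uid-owner "tor" -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Inbound: loopback (redirect targets), ICMP and replies only; reject everything else.
# NOTE: "-p icmp" does not match ICMPv6, so inbound ICMPv6 (incl. neighbour discovery)
# falls through to the --ipv6 REJECT -- fine if IPv6 is not meant to be used here.
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
--ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
--ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
--ipv6 -A INPUT -j REJECT
# Outbound: loopback, the LAN, replies and the Tor daemon only.
--ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
--ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
# IPv6 loopback is the single address ::1.  The original "::1/8" is the same as
# "::/8", a far larger range than loopback, so it is narrowed to /128 here.
--ipv6 -A OUTPUT -d ::1/128 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
--ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
--ipv6 -A OUTPUT -j REJECT
COMMIT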
Затем [[dnsmasq|настроить DHCP-сервер]] так, чтобы он выдавал наш прозрачный прокси в качестве единственного DNS-сервера своим клиентам в локальной сети.
====== Ссылки ======
[[https://trac.torproject.org/projects/tor/wiki/doc/OperationalSecurity|How to Run a Secure Tor Server]]
[[https://www.torproject.org/docs/tor-relay-debian.html.en | Configuring a Tor relay on Debian/Ubuntu]]
[[https://www.torproject.org/docs/tor-doc-unix.html.en | Running the Tor client on Linux/BSD/Unix]]
[[https://globe.torproject.org/ | Globe ]] [[https://atlas.torproject.org/ | Atlas]]
[[https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy | Transparently Routing Traffic Through Tor]]
[[https://wiki.archlinux.org/index.php/Tor | Tor at ArchLinux Wiki ]]