Apply conversion script to all *.md files. authored by Alexander Hansen Færøy
...@@ -4,58 +4,58 @@ ...@@ -4,58 +4,58 @@
## See ./LegalStuff for a full text ## See ./LegalStuff for a full text
[[../|up to Tor]] [[../|up to Tor]]
== Transparently Routing Traffic Through Tor With Transocks == ## Transparently Routing Traffic Through Tor With Transocks
'''This page is obsolete.''' Follow the instructions at [[TheOnionRouter/TransparentProxy|TransparentProxy]] instead. **This page is obsolete.** Follow the instructions at [[TheOnionRouter/TransparentProxy|TransparentProxy]] instead.
This is a quick and dirty method for setting up [[http://transocks.sourceforge.net/|Transocks]] in Debian. The advantage in using Transocks is that all network applications using TCP will have their traffic routed through Tor without any configuration. For programs with native SOCKS support it may be a better idea to have them connect to Tor directly rather than letting Transocks handle the connection transparently. Transocks won't interfere with programs trying to connect to Tor directly, so running it as well can't hurt. This is a quick and dirty method for setting up [[http://transocks.sourceforge.net/|Transocks]] in Debian. The advantage in using Transocks is that all network applications using TCP will have their traffic routed through Tor without any configuration. For programs with native SOCKS support it may be a better idea to have them connect to Tor directly rather than letting Transocks handle the connection transparently. Transocks won't interfere with programs trying to connect to Tor directly, so running it as well can't hurt.
This configuration is designed to completely prevent all non-Tor traffic from leaving a computer. If you want to allow some programs to bypass Tor, you'll need to change the {{{transocks-rules.sh}}} script. Also, modifying {{{transocks-rules.sh}}} will allow Transocks to run on a router, transparently routing an entire network's traffic through Tor. This configuration is designed to completely prevent all non-Tor traffic from leaving a computer. If you want to allow some programs to bypass Tor, you'll need to change the `transocks-rules.sh` script. Also, modifying `transocks-rules.sh` will allow Transocks to run on a router, transparently routing an entire network's traffic through Tor.
'''Table of Contents''' **Table of Contents**
<<TableOfContents>> <<TableOfContents>>
== tor-dns-proxy.py == ## tor-dns-proxy.py
In order to plug [[TheOnionRouter/TorFAQ#SOCKSAndDNS|DNS leaks]], you'll need to install {{{tor-dns-proxy.py}}} from [[http://www.monkey.org/~dugsong/dsocks/|dsocks]]. You can either apply the included patch or just change {{{tor-dns-proxy.py}}} as indicated. In order to plug [[TheOnionRouter/TorFAQ#SOCKSAndDNS|DNS leaks]], you'll need to install `tor-dns-proxy.py` from [[http://www.monkey.org/~dugsong/dsocks/|dsocks]]. You can either apply the included patch or just change `tor-dns-proxy.py` as indicated.
'''/usr/src/tor-dns-proxy.patch''' **/usr/src/tor-dns-proxy.patch**
{{{ ```
--- dsocks/tor-dns-proxy.py 2005-02-28 18:22:26.000000000 +0000 --- dsocks/tor-dns-proxy.py 2005-02-28 18:22:26.000000000 +0000
+++ dsocks/tor-dns-proxy.py 2006-04-21 04:59:08.000000000 +0000 +++ dsocks/tor-dns-proxy.py 2006-04-21 04:59:08.000000000 +0000
@@ -17 +17 @@ @@ -17 +17 @@
-my_socket = ("127.0.0.1", 53) -my_socket = ("127.0.0.1", 53)
+my_socket = ("127.0.0.1", 5353) +my_socket = ("127.0.0.1", 5353)
}}} ```
Commands preceded by {{{$}}} are meant to be run as a regular user, those preceded by {{{#}}} should be run as root. Commands preceded by `$` are meant to be run as a regular user, those preceded by `#` should be run as root.
First install dpkt. First install dpkt.
{{{ ```
# apt-get install python-dev # apt-get install python-dev
$ cd /usr/src $ cd /usr/src
$ wget http://www.monkey.org/~dugsong/dpkt/dpkt-1.4.tar.gz $ wget http://www.monkey.org/~dugsong/dpkt/dpkt-1.4.tar.gz
$ tar xzf dpkt-1.4.tar.gz $ tar xzf dpkt-1.4.tar.gz
$ cd dpkt-1.4 $ cd dpkt-1.4
# ./setup.py install # ./setup.py install
}}} ```
{{{tor-dns-proxy.py}}} is distributed with dsocks. `tor-dns-proxy.py` is distributed with dsocks.
{{{ ```
$ cd /usr/src $ cd /usr/src
$ wget http://www.monkey.org/~dugsong/dsocks/dsocks-1.3.tar.gz $ wget http://www.monkey.org/~dugsong/dsocks/dsocks-1.3.tar.gz
$ tar xzf dsocks-1.3.tar.gz $ tar xzf dsocks-1.3.tar.gz
$ patch -p0 < tor-dns-proxy.patch $ patch -p0 < tor-dns-proxy.patch
# cp dsocks/tor-dns-proxy.py /usr/local/sbin # cp dsocks/tor-dns-proxy.py /usr/local/sbin
}}} ```
== Transocks == ## Transocks
Transocks requires [[http://www.inet.no/dante/|Dante]], a SOCKS library. Transocks requires [[http://www.inet.no/dante/|Dante]], a SOCKS library.
{{{ ```
$ cd /usr/src $ cd /usr/src
$ wget ftp://ftp.inet.no/pub/socks/dante-1.1.19.tar.gz $ wget ftp://ftp.inet.no/pub/socks/dante-1.1.19.tar.gz
$ tar xzf dante-1.1.19.tar.gz $ tar xzf dante-1.1.19.tar.gz
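Review bot: the unchanged context line `## See ./LegalStuff for a full text` at the top of this hunk reads as a wiki comment (the `##` prefix used by the source wiki markup), not a section title, but in Markdown `##` is a level-2 heading, so the converted page now opens with a spurious "See ./LegalStuff for a full text" heading; drop the line or turn it into an HTML comment (`<!-- See ./LegalStuff for a full text -->`). The same hunk also leaves wiki link syntax untouched (`[[../|up to Tor]]`, `[[TheOnionRouter/TransparentProxy|TransparentProxy]]`, `[[http://transocks.sourceforge.net/|Transocks]]`, `[[TheOnionRouter/TorFAQ#SOCKSAndDNS|DNS leaks]]`), which Markdown will render as literal brackets rather than links, and carries over the `<<TableOfContents>>` macro, for which Markdown has no equivalent; either convert those to `[text](url)` form and remove the macro in the script, or note them as manual follow-ups.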
...@@ -64,12 +64,12 @@ $ ./configure && make ...@@ -64,12 +64,12 @@ $ ./configure && make
# make install # make install
# echo '/usr/local/lib' >>/etc/ld.so.conf # echo '/usr/local/lib' >>/etc/ld.so.conf
# ldconfig # ldconfig
}}} ```
The following patch allows Transocks to build with the current Dante, moves the pid file to a writable location, and adds an option to bind to localhost rather than all interfaces. Copy it to {{{/usr/src/transocks.patch}}} The following patch allows Transocks to build with the current Dante, moves the pid file to a writable location, and adds an option to bind to localhost rather than all interfaces. Copy it to `/usr/src/transocks.patch`
'''/usr/src/transocks.patch''' **/usr/src/transocks.patch**
{{{ ```
--- transocks/Makefile 2004-03-15 17:45:41.000000000 +0000 --- transocks/Makefile 2004-03-15 17:45:41.000000000 +0000
+++ transocks/Makefile 2006-04-21 04:28:02.000000000 +0000 +++ transocks/Makefile 2006-04-21 04:28:02.000000000 +0000
@@ -3,3 +3,3 @@ @@ -3,3 +3,3 @@
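Review bot: the fence opened above `--- transocks/Makefile` holds a unified diff but is untagged; tagging it ```diff (and the `tor-dns-proxy.patch` block earlier in the same way) gives readers the usual +/- highlighting and makes it obvious that the `---`/`+++`/`@@` lines are patch content, not document text. Also the sentence ending "Copy it to `/usr/src/transocks.patch`" is missing its full stop on both sides of the diff.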
...@@ -108,11 +108,11 @@ The following patch allows Transocks to build with the current Dante, moves the ...@@ -108,11 +108,11 @@ The following patch allows Transocks to build with the current Dante, moves the
- addr.sin_addr.s_addr = htonl(INADDR_ANY); - addr.sin_addr.s_addr = htonl(INADDR_ANY);
+ addr.sin_addr.s_addr = htonl(isloopback ? INADDR_LOOPBACK : INADDR_ANY); + addr.sin_addr.s_addr = htonl(isloopback ? INADDR_LOOPBACK : INADDR_ANY);
addr.sin_port = htons(bindport); addr.sin_port = htons(bindport);
}}} ```
Now you should compile Transocks. Now you should compile Transocks.
{{{ ```
$ cd /usr/src $ cd /usr/src
$ cvs -d :pserver:anonymous@cvs.sourceforge.net:/cvsroot/transocks login $ cvs -d :pserver:anonymous@cvs.sourceforge.net:/cvsroot/transocks login
$ cvs -d :pserver:anonymous@cvs.sourceforge.net:/cvsroot/transocks co -P transocks $ cvs -d :pserver:anonymous@cvs.sourceforge.net:/cvsroot/transocks co -P transocks
...@@ -121,27 +121,26 @@ $ cd transocks ...@@ -121,27 +121,26 @@ $ cd transocks
$ make $ make
# cp transocks /usr/local/sbin # cp transocks /usr/local/sbin
# mkdir -m 0777 /var/run/transocks # mkdir -m 0777 /var/run/transocks
}}} ```
Edit {{{/etc/socks.conf}}} to forward traffic to Tor at 127.0.0.1:9050. Edit `/etc/socks.conf` to forward traffic to Tor at 127.0.0.1:9050.
'''/etc/socks.conf''' **/etc/socks.conf**
{{{ ```
route { route {
from: 0.0.0.0/0 to: 0.0.0.0/0 via: 127.0.0.1 port = 9050 from: 0.0.0.0/0 to: 0.0.0.0/0 via: 127.0.0.1 port = 9050
proxyprotocol: socks_v4 proxyprotocol: socks_v4
method: none method: none
protocol: tcp protocol: tcp
} }
}}} ```
== iptables Configuration == ## iptables Configuration
{{{transocks-rules.sh}}} configures {{{iptables}}} to forward all DNS queries to {{{tor-dns-proxy.py}}} and all outgoing TCP connections to Transocks. Only connections initiated by Tor are allowed to leave the machine. {{{LOCAL_NET}}} may need to be customized or eliminated. This script doesn't handle forwarded connections; it must be modified to use on a router. `transocks-rules.sh` configures `iptables` to forward all DNS queries to `tor-dns-proxy.py` and all outgoing TCP connections to Transocks. Only connections initiated by Tor are allowed to leave the machine. `LOCAL_NET` may need to be customized or eliminated. This script doesn't handle forwarded connections; it must be modified to use on a router.
'''/usr/local/sbin/transocks-rules.sh''' **/usr/local/sbin/transocks-rules.sh**
{{{ ```
#!/bin/sh
LOCAL_NET=192.168.1.0/24 LOCAL_NET=192.168.1.0/24
TOR_UID=`grep '^debian-tor' /etc/passwd | cut -d: -f3` TOR_UID=`grep '^debian-tor' /etc/passwd | cut -d: -f3`
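Review bot: the new side of this hunk is one line shorter than the old (27 vs 26), and the line that disappeared is the `#!/bin/sh` shebang that opened the `transocks-rules.sh` listing; it survives only on the left of the diff, so a reader who copies the fenced block to /usr/local/sbin/transocks-rules.sh gets a script with no interpreter line. The converter presumably strips `#!` because the source wiki uses `{{{#!sh` as a code-block processor directive; that stripping should apply only to the token on the fence-opening line, not to a standalone `#!/bin/sh` inside the listing. Keep the shebang as the first line inside the fence. Separately, the context line `# mkdir -m 0777 /var/run/transocks` creates a world-writable pid directory for a daemon that runs as root; unrelated to the conversion, but worth a caveat next to it even on a page marked obsolete.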
...@@ -194,15 +193,14 @@ TOR_UID=`grep '^debian-tor' /etc/passwd | cut -d: -f3` ...@@ -194,15 +193,14 @@ TOR_UID=`grep '^debian-tor' /etc/passwd | cut -d: -f3`
# Reject and log everything else # Reject and log everything else
/sbin/iptables -A OUTPUT -j LOG /sbin/iptables -A OUTPUT -j LOG
/sbin/iptables -A OUTPUT -j REJECT /sbin/iptables -A OUTPUT -j REJECT
}}} ```
== Bringing it all together == ## Bringing it all together
{{{transocksify.sh}}} is a quick and dirty way (no error checking) to enable and disable {{{tor-dns-proxy.py}}} and Transocks. `transocksify.sh` is a quick and dirty way (no error checking) to enable and disable `tor-dns-proxy.py` and Transocks.
'''/usr/local/sbin/transocksify.sh''' **/usr/local/sbin/transocksify.sh**
{{{ ```
#!/bin/sh
case "$1" in case "$1" in
start) start)
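Review bot: same defect as in the previous hunk: the line count drops from 15 to 14 because the `#!/bin/sh` shebang at the top of the `transocksify.sh` listing is dropped on the new side, so the copied /usr/local/sbin/transocksify.sh has no interpreter line and `chmod 0755` on it later does not make it reliably executable. The script should only strip `#!` when it immediately follows the opening `{{{` of a code block; restore the shebang here.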
...@@ -237,22 +235,22 @@ case "$1" in ...@@ -237,22 +235,22 @@ case "$1" in
esac esac
exit 0 exit 0
}}} ```
Fix permissions on executables. Fix permissions on executables.
{{{ ```
# chmod 0755 /usr/local/sbin/{tor-dns-proxy.py,transocks,transocks-rules.sh,transocksify.sh} # chmod 0755 /usr/local/sbin/{tor-dns-proxy.py,transocks,transocks-rules.sh,transocksify.sh}
}}} ```
Torify everything: Torify everything:
{{{ ```
# transocksify.sh start # transocksify.sh start
}}} ```
Un-Torify: Un-Torify:
{{{ ```
# transocksify.sh stop # transocksify.sh stop
}}} ```