sid77
16 July 2007 @ 11:40 pm
I'm a big tor fan and I've just bought a new la fonera social router so, as I mentioned some posts ago, I'm not going to have this nice social router making direct connections via my ip. That's why I tried hard to "jail" it into tor. Before starting, a small note: most of this howto has been taken from the official wiki instructions on how to transparent proxy via tor, so take a look at that link if you need more information.

If you're interested and want to reproduce this setup, you need a fonera (obviously!), an extra spare ethernet interface and some software:
+ a working installation of tor. A plain tor client will suffice, however consider running at least a middleman tor server (rejecting all connections not directed inside the tor network): the more overall bandwidth is available, the better for every user :)
+ a copy of the dns-proxy-tor perl script, only anonymously available via this hidden service: http://p56soo2ibjkx23xo.onion/
+ the iptables firewall for linux, however you can adapt the rules to any other firewalling software

So, here we go! First of all, install and configure your second ethernet interface: assuming eth0 is connected to the internet (either directly or via a router), add another interface (like eth1) and set it up with a static IP address.
Next configure la fonera with a static ip too, in the same subnet as eth1. Use the eth1 ip address as both gateway and dns server for your wifi ap.

Now, set up the dns-proxy: the perl script has no dependencies except for the base perl system. I wrote a simple /etc/init.d/dns-proxy-tor script to start it at system startup:
#!/bin/sh
# Start/stop dns-proxy-tor bound to the eth1 address, chrooted and unprivileged

DAEMON=/usr/local/sbin/dns-proxy-tor
IP=192.168.1.1                 # eth1 ip, the dns server handed to la fonera
CHROOT=/var/chroots/empty      # empty directory used as chroot jail
USER=nobody
GROUP=nogroup
PROXYPID=/var/run/dns-proxy-tor.pid

start() {
  echo -n "Starting dns-proxy-tor: "
  # -b bind address, -t tor control port, -s tor socks port,
  # -c chroot dir, -u user:group to drop privileges to, -p pid file
  $DAEMON -b $IP:53 -t 127.0.0.1:9051 -s 127.0.0.1:9050 \
    -c $CHROOT -u $USER:$GROUP -p $PROXYPID
  echo "done"
}

stop() {
  echo -n "Stopping dns-proxy-tor: "
  pid=`cat $PROXYPID 2>/dev/null` || true

  if test ! -f $PROXYPID -o -z "$pid"; then
    echo "not running (there is no $PROXYPID)."
    return 0   # an exit here would abort a restart before start() runs
  fi

  kill -15 $pid > /dev/null 2>&1   # "&>" is a bashism, not valid under /bin/sh
  rm -f $PROXYPID
  echo "done"
}

restart() {
  stop
  sleep 1
  start
}

case "$1" in
'start')
  start
  ;;
'stop')
  stop
  ;;
'restart')
  restart
  ;;
*)
  echo "usage $0 start|stop|restart"
  ;;
esac

where 192.168.1.1 is your eth1 ip address and /var/chroots/empty is an empty folder used by dns-proxy-tor as a chroot jail.

Next, set up tor to listen for client requests: edit your torrc and add these lines:
VirtualAddrNetwork 10.192.0.0/10
TransPort 9040
TransListenAddress 192.168.1.1
#TrackHostExits .fon.com

All of these lines are well documented in the tor documentation. The first one is used to instruct tor to accept connections from external addresses and not only from localhost. The second one defines tor's transparent proxying port and the third one defines on which ip tor should listen for external incoming connections. The last one is optional: setting it will route all connections made to the specified site or domain within the default time span of 30 minutes via the same exit node, in order to better support sites which use ip-based authentication. I don't think it's strictly needed, as it can turn out to be a real PITA logging onto fon in the unlucky event of getting a slow exit node.

And now the final part: gluing everything together using iptables. These are just core rules, feel free to expand them to suit your needs. The convention used here calls the internet-connected eth0 $EXT and the fon-connected eth1 $INT, while $TRANS_PORT is the tor transparent proxy port defined earlier. Again I wrap everything up in a /etc/init.d/firewall script, feel free to adapt it to your needs:
#!/bin/sh

IPT="/sbin/iptables"
EXT="eth0"
EXTIP="192.168.0.42"
INT="eth1"
TRANS_PORT="9040"
NTP_SERVERS="ntp.kamino.fr ntp2.altarisoluzione.com ntp2.sandvika.net \
ntp1.tpg.com.au ntp.xland.ru ntp.ourconcord.net ntp0.sjbcom.com \
ntp1.belbone.be ntp2c.mcc.ac.uk time.flygplats.net \
ticker.cis.sac.accd.edu ntp.vik.bg ntp-1.cso.uiuc.edu reva.sixgirls.org \
ntp1.linuxmedialabs.com blade.avnf.com luie.udel.edu"
RADIUS_SERVERS="radius01.fon.com radius02.fon.com"
HEARTBEAT_SERVERS="download.fon.com"

start() {
  echo "Bringing up the firewall"

  echo 1 > /proc/sys/net/ipv4/ip_forward

  # Cleanup
  $IPT -t nat -F
  $IPT -F
  $IPT -P FORWARD DROP

  # Redirect la fonera's dns queries to dns-proxy-tor: REDIRECT rewrites the
  # destination to the address of the inbound interface, i.e. the eth1 ip
  $IPT -t nat -A PREROUTING -i $INT -p udp --dport 53 -j REDIRECT --to-ports 53

  # Transparent proxy tcp connections through tor (only the SYN is matched,
  # the rest of the connection follows the nat table's conntrack entry)
  $IPT -t nat -A PREROUTING -i $INT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT

  # Replies to the ntp (udp:123) and radius (udp:1812) flows forwarded below
  $IPT -A FORWARD -i $EXT -o $INT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

  for DEST in $NTP_SERVERS; do
    $IPT -A FORWARD -i $INT -o $EXT -p udp -d $DEST --dport 123 -j ACCEPT
  done

  for DEST in $RADIUS_SERVERS; do
    $IPT -A FORWARD -i $INT -o $EXT -p udp -d $DEST --dport 1812 -j ACCEPT
  done

  # Forwarding La Fonera heartbeat service (udp:1937, tcp:1937 is proxied)
  #for DEST in $HEARTBEAT_SERVERS; do
  #  $IPT -A FORWARD -i $INT -o $EXT -p udp -d $DEST --dport 1937 -j ACCEPT
  #done

  $IPT -t nat -A POSTROUTING -o $EXT -p udp -j SNAT --to $EXTIP
}

stop() {
  echo "Bringing down the firewall"

  echo 0 > /proc/sys/net/ipv4/ip_forward

  # Cleanup
  $IPT -t nat -F
  $IPT -F
  $IPT -P FORWARD ACCEPT
}

restart() {
  stop
  sleep 1
  start
}

case "$1" in
'start')
  start
  ;;
'stop')
  stop
  ;;
'restart')
  restart
  ;;
*)
  echo "usage $0 start|stop|restart"
  ;;
esac

The ntp and radius server lists have been taken from the fonera config files.

And that's all! Please consider that this setup doesn't give you strong anonymity, as udp radius connections are still natted directly (not to mention that tor doesn't do udp); however dns requests and tcp connections are routed inside the tor network without further user work.
Unfortunately it looks like it's still not possible to use a default-configured privoxy, as it breaks the fon.com authentication mechanism. Maybe I could try whitelisting that domain :)
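As an added example (not code from the original post), here is a small Python model of the decision logic in the ruleset above: it classifies the first packet of each flow from la fonera the way the nat PREROUTING redirects, the FORWARD chain and its DROP policy do, so you can list exactly which flows still leave the gateway with your real ip. The NTP and radius addresses are constructed stand-ins, not real resolution results.

```python
# Added example (not code from the original post): a model of the decisions the
# iptables rules above make for a first packet from la fonera arriving on eth1.
# NTP/radius addresses are constructed stand-ins for what DNS would return.
import ipaddress
from dataclasses import dataclass

INT_IP = "192.168.1.1"      # eth1: dns-proxy-tor and the tor TransPort bind here
EXT_IP = "192.168.0.42"     # eth0: SNAT source of directly forwarded udp
TRANS_PORT = 9040
VIRTUAL_NET = ipaddress.ip_network("10.192.0.0/10")  # torrc VirtualAddrNetwork
NTP_IPS = {"198.51.100.10", "198.51.100.11"}         # constructed
RADIUS_IPS = {"198.51.100.20", "198.51.100.21"}      # constructed

@dataclass(frozen=True)
class Flow:
    proto: str         # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    syn: bool = True   # tcp only: the REDIRECT rule matches --syn

def classify(flow):
    """Return "tor", "direct" or "drop" for the first packet of flow."""
    # nat PREROUTING: REDIRECT rewrites the destination to the address of the
    # inbound interface (INT_IP), so these packets never leave the gateway.
    if flow.proto == "udp" and flow.dst_port == 53:
        return "tor"       # answered by dns-proxy-tor on INT_IP:53
    if flow.proto == "tcp" and flow.syn:
        return "tor"       # handed to the tor TransPort on INT_IP:TRANS_PORT
    # Anything else is routed and filtered by FORWARD, whose policy is DROP.
    if flow.proto == "udp" and flow.dst_port == 123 and flow.dst_ip in NTP_IPS:
        return "direct"    # SNAT to EXT_IP: the ntp server sees your real ip
    if flow.proto == "udp" and flow.dst_port == 1812 and flow.dst_ip in RADIUS_IPS:
        return "direct"    # same for the fon radius servers
    return "drop"          # e.g. udp 1937 heartbeat, or any other udp

def is_virtual_destination(dst_ip):
    """True for a VirtualAddrNetwork address: a .onion name that dns-proxy-tor
    mapped to a placeholder ip, which the tcp --syn rule then sends to tor."""
    return ipaddress.ip_address(dst_ip) in VIRTUAL_NET

def leak_report(flows):
    """The flows this ruleset lets out of the gateway without tor."""
    return [f for f in flows if classify(f) == "direct"]

if __name__ == "__main__":
    sample = [Flow("udp", "8.8.8.8", 53), Flow("tcp", "10.192.1.7", 80),
              Flow("udp", "198.51.100.20", 1812), Flow("udp", "203.0.113.5", 1937)]
    for f in sample:
        print(f.proto, f.dst_ip, f.dst_port, "->", classify(f))
```

Feed it the flows your fonera actually produces (from a tcpdump on eth1, for instance) and leak_report() gives you the list of servers that will see the gateway's real address.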

For now, enjoy your transparent torified fonera.

--

Changelog
20080110: Fourth revision, commented out the udp heartbeat service forwarding. It should be tcp only.
20070904: Third revision, added LaFonera heartbeat to forwarded services
20070805: Second revision, some major cleanup and init scripts added
20070716: First revision