Back
Featured image of post Anonymize TCP traffic on Debian with Tor

Anonymize TCP traffic on Debian with Tor

Using TOR to anonymize TCP traffic on Linux.

Tor is free software for enabling anonymous communication.Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than seven thousand relays to conceal a user’s location and usage from anyone conducting network surveillance or traffic analysis.

Here is the OS used :

lsb_release -c
Codename:       jessie
Install TOR directly from the packages :
apt-get install tor 
And stop the service to configure it :
service tor stop
Edit the configuration file as follow :
vi /etc/tor/torrc
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 53
Use Tor’s DNSPort on the loopback interface :
echo nameserver 127.0.0.1 /etc/resolv.conf
Then you can start the service :
service tor start
Before starting iptables configuration, we need to know the user id that Tor runs as :
ps -o uid -o "%u %U" -A | grep tor
Result :
106 debian-+ debian-tor
Then we can create our iptables script :
cd /etc/
vi iptables.sh
And add the following :
#!/bin/sh

### set variables
#destinations you don't want routed through Tor
_non_tor=""

#the UID that Tor runs as (varies from system to system)
_tor_uid="106"

#Tor's TransPort
_trans_port="9040"

### flush iptables
iptables -F
iptables -t nat -F

### set iptables *nat
iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53

#allow clearnet access for hosts in $_non_tor
for _clearnet in $_non_tor 127.0.0.0/9 127.128.0.0/10; do
   iptables -t nat -A OUTPUT -d $_clearnet -j RETURN
done

#redirect all other output to Tor's TransPort
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port

### set iptables *filter
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow clearnet access for hosts in $_non_tor
for _clearnet in $_non_tor 127.0.0.0/8; do
   iptables -A OUTPUT -d $_clearnet -j ACCEPT
done

#allow only Tor output
iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT
iptables -A OUTPUT -j REJECT
Note : It’s important to change the _tor_uid=“106” to the value found earlier !

Make it executable:

chmod +x iptables.sh
And run it :
./iptables.sh
A quick check :
wget https://check.torproject.org/
cat index.html
And check for the title line :
<h1 class="not">Congratulations. This browser is configured to use Tor.</h1>

Note, to stop using TOR :

sudo echo nameserver 8.8.8.8  /etc/resolv.conf
iptables -F 
service tor stop

comments powered by Disqus
Built with Hugo
Theme Stack designed by Jimmy