
Re: [opennic-discuss] TOR and OpenNIC


  • From: <woodq11 AT gmail.com>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] TOR and OpenNIC
  • Date: Tue, 18 Sep 2012 08:07:52 -0500

Spent some more time looking at it. This solution likely won't work for
you, as it requires iptables and dnsmasq (but it may be able to get others Tor
and OpenNIC access at the same time):

The relevant bits in /etc/tor/torrc:
User tor

ReachableAddresses accept *:443, accept *:465, *:993, accept *:995, accept *:6697, reject *:*

SocksPort 0
VirtualAddrNetwork 10.192.0.0/10
AllowDotExit 1
TransPort 9040
TransListenAddress 127.0.0.1
AutomapHostsOnResolve 1
DNSPort 52
DNSListenAddress 127.0.0.1

cat /etc/dnsmasq.conf
user=tor

no-resolv
server=/.aero/127.0.0.1#52
[slew of ICANN TLDs snipped; I was displeased that "server=/*/127.0.0.1#52"
didn't work here]
server=/.zw/127.0.0.1#52

server=/.onion/127.0.0.1#52

server=/.bbs/<Tier2IPHere>
[other OpenNIC TLDs snipped]
server=/.parody/<Tier2IPHere>

The following iptables rules are in an init/rc script:
[...]
case "$1" in
start)
NON_TOR="192.168.0.0/24 192.168.1.0/24"
TOR_UID="220"
TRANS_PORT="9040"
INT_IF="wlan0"

iptables -F
iptables -t nat -F

iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -p udp --dport 53 -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
for NET in $NON_TOR; do
iptables -t nat -A OUTPUT -d $NET -j RETURN
iptables -t nat -A PREROUTING -i $INT_IF -d $NET -j RETURN
done
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
# A "-m owner --uid-owner $TOR_UID -p udp --dport 53 -j RETURN" rule for
# PREROUTING stood here. The owner match is only valid in the OUTPUT and
# POSTROUTING chains, so iptables refuses to load it, and it followed a
# terminating REDIRECT for the same traffic anyway.
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
for NET in $NON_TOR 127.0.0.0/8; do
iptables -A OUTPUT -d $NET -j ACCEPT
done
iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
iptables -A OUTPUT -j REJECT
[...]

This does create one problem: the OpenNIC DNS lookups are not run through Tor.
I don't really care about that. The rest, including .onion lookups, are, and
so is all traffic AFAIK.
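The three files above, rebuilt as one script that can be checked before it touches anything. This is an added example, not the poster's files or anything from the OpenNIC or Tor projects: it prints a dnsmasq.conf, emits the iptables rules through a dry-run switch, and runs a few consistency checks on both. The uid (220), ports (9040, 52) and interface (wlan0) are the poster's; <Tier2IPHere> is the page's own placeholder, and OPENNIC_TLDS holds only the two TLDs the page names because the rest are snipped there. The function names and the DRY_RUN variable are this example's own.

```shell
#!/bin/sh
# Added example (not the list poster's configuration): build the dnsmasq.conf
# and the iptables rule set for the Tor + OpenNIC setup, with a dry-run mode
# so both can be inspected before anything is loaded.  Values are the
# poster's; <Tier2IPHere> is the page's placeholder for an OpenNIC Tier 2.
TOR_UID="${TOR_UID:-220}"
TRANS_PORT="${TRANS_PORT:-9040}"
TOR_DNS="${TOR_DNS:-127.0.0.1#52}"          # Tor's DNSPort
INT_IF="${INT_IF:-wlan0}"
NON_TOR="${NON_TOR:-192.168.0.0/24 192.168.1.0/24}"
TIER2_IP="${TIER2_IP:-<Tier2IPHere>}"
OPENNIC_TLDS="${OPENNIC_TLDS:-bbs parody}"  # only the TLDs the page names
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands, 0 = run them

# dnsmasq: a bare server= line is the default upstream, which is the
# documented way to say "every other domain".  OpenNIC TLDs are the only
# domain-scoped exceptions, so ICANN TLDs and .onion all resolve via Tor.
gen_dnsmasq_conf() {
    printf 'user=tor\n'   # upstream queries leave under the tor uid, so the nat
                          # exemption below lets them out (and out in the clear)
    printf 'no-resolv\n'  # never pick up a DHCP resolver from /etc/resolv.conf
    printf 'server=%s\n' "$TOR_DNS"
    for tld in $OPENNIC_TLDS; do
        printf 'server=/%s/%s\n' "$tld" "$TIER2_IP"
    done
}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# nat: loopback and Tor's own sockets are exempt; every DNS query is pulled
# into the local dnsmasq; LAN destinations are exempt; remaining TCP goes to
# TransPort.  xt_owner only matches in OUTPUT/POSTROUTING, so PREROUTING has
# no --uid-owner rule.  filter: anything that is not loopback, LAN, already
# established or Tor's own traffic is rejected, so stray UDP cannot leak.
tor_transparent_rules() {
    ipt -F
    ipt -t nat -F
    ipt -t nat -A OUTPUT -o lo -j RETURN
    ipt -t nat -A OUTPUT -m owner --uid-owner "$TOR_UID" -j RETURN
    ipt -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
    ipt -t nat -A PREROUTING -i "$INT_IF" -p udp --dport 53 -j REDIRECT --to-ports 53
    for net in $NON_TOR; do
        ipt -t nat -A OUTPUT -d "$net" -j RETURN
        ipt -t nat -A PREROUTING -i "$INT_IF" -d "$net" -j RETURN
    done
    ipt -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"
    ipt -t nat -A PREROUTING -i "$INT_IF" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for net in $NON_TOR 127.0.0.0/8; do
        ipt -A OUTPUT -d "$net" -j ACCEPT
    done
    ipt -A OUTPUT -m owner --uid-owner "$TOR_UID" -j ACCEPT
    ipt -A OUTPUT -j REJECT
}

# Checks on the dry-run output: exactly one default upstream and one Tier 2
# rule per OpenNIC TLD; no owner match in PREROUTING; every LAN RETURN comes
# before the catch-all TCP REDIRECT (REDIRECT is terminal, so order matters).
check_config() {
    conf=$(gen_dnsmasq_conf)
    n=0; for tld in $OPENNIC_TLDS; do n=$((n + 1)); done
    [ "$(printf '%s\n' "$conf" | grep -c '^server=[^/]')" -eq 1 ] || return 1
    [ "$(printf '%s\n' "$conf" | grep -c "^server=/.*/$TIER2_IP\$")" -eq "$n" ] || return 1
    rules=$(DRY_RUN=1; tor_transparent_rules)
    if printf '%s\n' "$rules" | grep PREROUTING | grep -q -- '--uid-owner'; then return 1; fi
    last_ret=$(printf '%s\n' "$rules" | grep -n -- '-t nat -A OUTPUT -d .* -j RETURN' | tail -n 1 | cut -d: -f1)
    first_red=$(printf '%s\n' "$rules" | grep -n -- '-t nat -A OUTPUT -p tcp --syn' | cut -d: -f1)
    [ "$last_ret" -lt "$first_red" ]
}

# Usage:  sh tor-opennic.sh            prints dnsmasq.conf, then the rules
#         DRY_RUN=0 sh tor-opennic.sh  loads the rules (needs root)
check_config && gen_dnsmasq_conf && tor_transparent_rules
```

Two caveats worth keeping in mind with this layout. Because dnsmasq runs as the tor user and that uid is exempt from the nat redirect, its queries to the Tier 2 server leave the machine directly, which is exactly the un-torified OpenNIC lookup the poster describes; moving dnsmasq to a different uid would instead loop those queries back into Tor, where the OpenNIC TLDs do not resolve. And Tor's DNSPort only answers A, AAAA and PTR queries, so anything behind the default upstream (MX, SRV, TXT lookups) will fail rather than leak.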



Archive powered by MHonArc 2.6.19.