Discuss mailing list

[Alex Hanselka <alex AT opennicproject.org>]

This is intense.  Thanks for the info though! I think it would be useful
on a standard linux box. :)

You said there was a "problem" but I'm still confused what it is? Is it
that OpenNIC TLDs would NOT be resolved by Tor and thus subject to
sniffing?

On 9/18/12 8:07 AM, "woodq11 AT gmail.com" <woodq11 AT gmail.com> wrote:

>Spent some more time looking at it. This solution likely won't work for
>you ,as it requires iptables and dnsmasq (but may be able to get others
>Tor
>and OpenNIC access at the same time.):
>
>The relevant bits in /etc/tor/torrc:
>User                   tor
>
>ReachableAddresses     accept *:443, accept *:465, *:993, accept *:995,
>accept *:6697, reject *:*
>
>SocksPort              0
>VirtualAddrNetwork     10.192.0.0/10
>AllowDotExit           1
>TransPort              9040
>TransListenAddress     127.0.0.1
>AutomapHostsOnResolve  1
>DNSPort                        52
>DNSListenAddress       127.0.0.1
>EOF
>
>cat /etc/dnsmasq.conf
>user=tor
>
>no-resolv
>server=/.aero/127.0.0.1#52
>[slew of ICANN TLDs snipped; I was displeased that
>"server=/*/127.0.0.1#52"
>didn't work here]
>server=/.zw/127.0.0.1#52
>
>server=/.onion/127.0.0.1#52
>
>server=/.bbs/<Tier2IPHere>
>[other OpenNIC TLDs snipped]
>server=/.parody/<Tier2IPHere>
>EOF
>
>The following iptables rules are in an init/rc script:
>[...]
>case "$1" in
>  start)
>    NON_TOR="192.168.0.0/24 192.168.1.0/24"
>    TOR_UID="220"
>    TRANS_PORT="9040"
>    INT_IF="wlan0"
>
>    iptables -F
>    iptables -t nat -F
>
>    iptables -t nat -A OUTPUT -o lo -j RETURN
>    iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
>    iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -p udp
>--dport 53
>-j RETURN
>    iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
>    for NET in $NON_TOR; do
>      iptables -t nat -A OUTPUT -d $NET -j RETURN
>      iptables -t nat -A PREROUTING -i $INT_IF -d $NET -j RETURN
>    done
>    iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports
>$TRANS_PORT
>    iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j
>REDIRECT --
>to-ports 53
>    iptables -t nat -A PREROUTING -i $INT_IF -m owner --uid-owner
>$TOR_UID -p
>udp --dport 53 -j RETURN
>    iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT
>--to-
>ports $TRANS_PORT
>    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>    for NET in $NON_TOR 127.0.0.0/8; do
>      iptables -A OUTPUT -d $NET -j ACCEPT
>    done
>    iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
>    iptables -A OUTPUT -j REJECT
>[...]
>EOF
>
>This does create one problem, the OpenNIC DNS lookups are not run through
>Tor.
>I don't really care about that. The rest, including .onion lookups, are-
>and
>so is all traffic AFAIK.
>
>
>--------
>You are a member of the OpenNIC Discuss list.
>You may unsubscribe by emailing
>discuss-unsubscribe AT lists.opennicproject.org