Re: [opennic-discuss] TOR and OpenNIC


  • From: Alex Hanselka <alex AT opennicproject.org>
  • To: "discuss AT lists.opennicproject.org" <discuss AT lists.opennicproject.org>
  • Subject: Re: [opennic-discuss] TOR and OpenNIC
  • Date: Tue, 18 Sep 2012 14:32:23 +0000
  • Accept-language: en-US

This is intense. Thanks for the info though! I think it would be useful
on a standard linux box. :)

You said there was a "problem" but I'm still confused what it is? Is it
that OpenNIC TLDs would NOT be resolved by Tor and thus subject to
sniffing?

On 9/18/12 8:07 AM, "woodq11 AT gmail.com" <woodq11 AT gmail.com> wrote:

>Spent some more time looking at it. This solution likely won't work for
>you, as it requires iptables and dnsmasq (but may be able to get others
>Tor and OpenNIC access at the same time.):
>
>The relevant bits in /etc/tor/torrc:
>User tor
>
>ReachableAddresses accept *:443, accept *:465, accept *:993, accept *:995, accept *:6697, reject *:*
>
>SocksPort 0
>VirtualAddrNetwork 10.192.0.0/10
>AllowDotExit 1
>TransPort 9040
># Loopback only: the PREROUTING REDIRECT rules further down deliver wlan0
># clients to wlan0's own address, so those clients also need a
># TransListenAddress/DNSListenAddress for that address.
>TransListenAddress 127.0.0.1
>AutomapHostsOnResolve 1
>DNSPort 52
>DNSListenAddress 127.0.0.1
>EOF
>
>cat /etc/dnsmasq.conf
>user=tor
>
>no-resolv
>server=/.aero/127.0.0.1#52
>[slew of ICANN TLDs snipped; I was displeased that "server=/*/127.0.0.1#52"
>didn't work here]
>server=/.zw/127.0.0.1#52
>
>server=/.onion/127.0.0.1#52
>
>server=/.bbs/<Tier2IPHere>
>[other OpenNIC TLDs snipped]
>server=/.parody/<Tier2IPHere>
>EOF
>
>The following iptables rules are in an init/rc script:
>[...]
>case "$1" in
> start)
>  NON_TOR="192.168.0.0/24 192.168.1.0/24"  # LAN ranges that bypass Tor
>  TOR_UID="220"                            # uid of the tor user (torrc "User tor"; dnsmasq runs as it too)
>  TRANS_PORT="9040"                        # TransPort from torrc
>  INT_IF="wlan0"                           # interface whose clients get torified
>
>  iptables -F
>  iptables -t nat -F
>
>  # Never redirect loopback, or anything the tor user sends itself (Tor's own
>  # circuits and dnsmasq's forwarded queries, including those to the Tier2).
>  iptables -t nat -A OUTPUT -o lo -j RETURN
>  iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
>  # All other local DNS goes to dnsmasq on port 53.
>  iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
>  for NET in $NON_TOR; do
>    iptables -t nat -A OUTPUT -d $NET -j RETURN
>    iptables -t nat -A PREROUTING -i $INT_IF -d $NET -j RETURN
>  done
>  # Remaining local TCP goes to Tor's TransPort.
>  iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
>  # Clients on $INT_IF: DNS to dnsmasq, TCP to TransPort. (No --uid-owner rule
>  # here: the owner match is only valid in OUTPUT/POSTROUTING and iptables
>  # rejects it in PREROUTING.)
>  iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
>  iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
>
>  # Filter: replies, LAN, loopback and the tor user may leave; everything
>  # else is rejected so nothing that escaped the redirect goes out in the clear.
>  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>  for NET in $NON_TOR 127.0.0.0/8; do
>    iptables -A OUTPUT -d $NET -j ACCEPT
>  done
>  iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
>  iptables -A OUTPUT -j REJECT
>[...]
>EOF
>
>This does create one problem: the OpenNIC DNS lookups are not run through
>Tor. I don't really care about that. The rest, including .onion lookups,
>are, and so is all traffic AFAIK.
>
>
>--------
>You are a member of the OpenNIC Discuss list.
>You may unsubscribe by emailing
>discuss-unsubscribe AT lists.opennicproject.org
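The "problem" in the quoted setup is a routing property of the dnsmasq split config: every server=/domain/ line that points at the Tier2 address is answered by a direct UDP query from dnsmasq (running as the tor user, so the owner-match RETURN lets it out), visible to the local network and ISP, while lines pointing at Tor's DNSPort are resolved inside Tor. The script below is an added example, not code from the thread or from OpenNIC, that audits such a config offline: given a query name it reports whether dnsmasq would forward it to Tor, to the clearnet Tier2, or nowhere. The dnsmasq.conf it parses is a constructed sample in the poster's format, and the Tier2 address 198.51.100.7 (TEST-NET-2) is a placeholder.

```shell
# Added example: offline audit of a dnsmasq split-horizon config of the kind
# quoted in the thread. Not the poster's script; sample config is constructed.

TOR_DNSPORT="127.0.0.1#52"   # DNSPort/DNSListenAddress from the quoted torrc

# Constructed sample of /etc/dnsmasq.conf (Tier2 placeholder: 198.51.100.7).
DNSMASQ_CONF=$(cat <<'EOF'
user=tor
no-resolv
server=/.aero/127.0.0.1#52
server=/.com/127.0.0.1#52
server=/.onion/127.0.0.1#52
server=/.bbs/198.51.100.7
server=/.parody/198.51.100.7
EOF
)

# upstream_for NAME: print the upstream ("ip" or "ip#port") of the most
# specific server=/domain/ line covering NAME, the way dnsmasq matches
# (longest matching suffix wins). Prints nothing when no line matches.
upstream_for() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$DNSMASQ_CONF" | awk -F/ -v name="$name" '
        /^server=\// {
            dom = $2; sub(/^\./, "", dom)
            if (name == dom || substr(name, length(name) - length(dom)) == "." dom) {
                if (length(dom) > best_len) { best_len = length(dom); best = $3 }
            }
        }
        END { if (best != "") print best }'
}

# dns_path NAME: classify where the lookup goes.
#   tor      - forwarded to Tor's DNSPort, resolved via the Tor network
#   clearnet - forwarded straight to another server, observable on the wire
#   refused  - no upstream at all; with no-resolv dnsmasq has nowhere to
#              forward it, so the query fails closed instead of leaking
dns_path() {
    up=$(upstream_for "$1")
    case "$up" in
        "")             echo refused ;;
        "$TOR_DNSPORT") echo tor ;;
        *)              echo clearnet ;;
    esac
}

# leaked_domains: every server=/domain/ whose upstream is not Tor, i.e. the
# names whose lookups bypass Tor under this config.
leaked_domains() {
    printf '%s\n' "$DNSMASQ_CONF" |
        awk -F/ -v tor="$TOR_DNSPORT" '/^server=\// && $3 != tor { print $2 }'
}

# Usage: dns_path forum.bbs   -> clearnet
#        leaked_domains       -> .bbs .parody
```

Run leaked_domains against the real dnsmasq.conf to get the exact list of OpenNIC TLDs whose queries leave the box in the clear. Pointing those lines at Tor's DNSPort instead would not help: the exit relay resolves names with its own resolver, which does not know OpenNIC's TLDs, so such queries would simply fail. Note also the fail-closed case: with no-resolv and no catch-all server, a TLD missing from the list is refused rather than sent anywhere.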



