


https://trac.torproject.org/projects/tor/wiki/doc/TorBOX

Shell script for the Tor-Gateway

Copy and paste everything in the text box below into a file on the gateway (e.g. torbox-gateway.sh) and run it as root with bash. Read the PREREQUISITES/ASSUMPTIONS header first; the script rolls its changes back on failure.

#!/bin/bash
############################################################################
# Homepage: https://trac.torproject.org/projects/tor/wiki/doc/TorBOX
# This script automatically transforms an Ubuntu Server into a Tor-Gateway.
# It works unmodified for VirtualBox, VMware or on a physical system.

# Development version, please test and leave feedback!
# Do not run on a production system. Do not rely on it for anything.
# NO WARRANTY expressed or implied!
# WTFPL FEB 2012

# PREREQUISITES/ASSUMPTIONS
# It is assumed you already prepared the gateway as detailed here:
# https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/HowToInstall#Step3InstallandConfigureTor-Gateway
# Specifically:
# 1) You have installed Ubuntu Server 11.10 (x86 or amd64).
# For later versions you will most likely only have to adjust the
# release name ("oneiric") written to /etc/apt/sources.list further below.
# 2) There are two network cards attached to the gateway:
# External: eth0 (with an already working connection to the Internet) 
# Internal: eth1 (solely used for communicating with Tor-Workstations)
# 3) You manually imported the Torproject Repository GPG key
############################################################################

# Abort on the first failing command (bash; combined with the ERR trap below).
set -e

# Refuse to run unprivileged: everything below edits /etc and reconfigures
# apt, networking and iptables.
if [[ $EUID -ne 0 ]]; then
  echo "This script must be run as root (sudo)"
  exit 1
fi

# Keep a copy of every file this script modifies so cleanup() can roll back.
# -n never overwrites an existing .backup, so a pristine copy from an earlier
# run is preserved instead of being replaced by an already modified file.
for original in /etc/localtime /etc/apt/sources.list /etc/sysctl.conf /etc/network/interfaces; do
  cp -n "$original" "$original.backup"
done

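#######################################
# Roll back the configuration changes made so far and exit 1.
# Installed as the ERR/INT/TERM trap; it may fire at any point after the
# backups were taken, so every step is best-effort (set +e) and tolerates
# files that do not exist yet (a missing .backup means that file was never
# modified by this run).
# NOT undone here: packages already installed/removed by apt-get, kernel
# values already applied by "sysctl -p" (the file is restored, the running
# kernel is not), and the FORWARD chain policy set by the firewall script
# (harmless while net.ipv4.ip_forward is 0).
# Globals: none written. Outputs: "Script failed" on stderr. Returns: never.
#######################################
cleanup() {
  set +e
  service tor stop
  # Restore only the backups that exist, quietly skipping the rest.
  local f
  for f in /etc/localtime /etc/apt/sources.list /etc/sysctl.conf /etc/network/interfaces /etc/tor/torrc; do
    [ -f "$f.backup" ] && mv "$f.backup" "$f"
  done
  rm -f /etc/torboxfirewall.sh
  # Drop all rules and reopen INPUT so the machine stays reachable (e.g. SSH).
  iptables -F
  iptables -t nat -F
  iptables -X
  iptables -P INPUT ACCEPT
  /etc/init.d/networking restart
  echo "
Script failed" >&2
  exit 1
}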
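# From here on any failing command (set -e / ERR), Ctrl-C or TERM rolls the
# configuration back via cleanup(). ERR traps need bash, not /bin/sh.
trap "cleanup" ERR INT TERM

# Use UTC as the local time zone: a distinctive zone leaking into timestamps
# or protocol headers would reduce the anonymity set.
cp /usr/share/zoneinfo/UTC /etc/localtime

# Add the Torproject repository (Debian and derivatives only).
# "oneiric" must be changed if you do not use Ubuntu Oneiric;
# "lsb_release -c" and/or "cat /etc/debian_version" show your release.
# The transport is plain http, so package authenticity rests entirely on the
# repository signing key you imported manually (prerequisite 3 above).
# Source: https://www.torproject.org/docs/debian.html.en#ubuntu
echo "deb http://deb.torproject.org/torproject.org oneiric main" >> /etc/apt/sources.list

# Install Tor and remove problematic applications
apt-get update
# Canonical's "phone home" (|| true: an already absent package is not an error)
apt-get --yes remove canonical-census || true
apt-get --yes remove --purge network-manager network-manager-gnome || true
# ntpdate contacts time servers directly, outside Tor
apt-get --yes remove ntpdate || true
# make sure required software is installed
# ("install" is mandatory here; without it apt-get aborts with
#  "Invalid operation nano" and the whole script rolls back)
apt-get --yes install nano iptables dnsutils
apt-get --yes install tor deb.torproject.org-keyring

# Backup torrc (the file only exists once the tor package is installed)
cp -n /etc/tor/torrc /etc/tor/torrc.backup

# Disable IPv6: Tor does not support IPv6 yet and the firewall installed below
# only filters IPv4, so any IPv6 traffic would bypass Tor entirely.
# "all" applies to the interfaces that exist now, "default" to interfaces
# created later (hot-plugged or virtual ones), so both are set.
# Verify with: cat /proc/sys/net/ipv6/conf/all/disable_ipv6  (must print 1)
# Advanced users only: if you are unwilling or unable to disable IPv6 you must
# write an IPv6 firewall (ip6tables) yourself; TorBOX ships none.
# Disable IPv4 forwarding as per https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
# so packets from Tor-Workstations can never be routed around Tor.
# Verify with: cat /proc/sys/net/ipv4/ip_forward  (must print 0)
echo "net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.ip_forward = 0" >> /etc/sysctl.conf

# Apply to the running kernel now (a failure here triggers the rollback).
sysctl -p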

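# Set up internal network interface
# Modify these IPs according to your environment.
# Do not use 192.168.0.1 if it is already used on the local network, and keep
# TransListenAddress / DNSListenAddress in /etc/tor/torrc in sync with it.
#
# NOTE(review): the "pre-up" line is appended *before* the eth1 stanza, so
# ifupdown presumably attaches it to whichever iface stanza currently ends
# /etc/network/interfaces (normally the external eth0) - which is what you
# want: the firewall must be loaded before the external interface comes up.
# Inspect the resulting file if yours does not end with the eth0 stanza.

echo "

pre-up /etc/torboxfirewall.sh

auto eth1
iface eth1 inet static
address 192.168.0.1
       netmask 255.255.255.0
       network 192.168.0.0
       broadcast 192.168.0.255" >> /etc/network/interfaces

# Install firewall script
# WARNING! The script below is written through one single-quoted string:
# never use single quotes/apostrophes inside it (comments included) or the
# string ends early and a broken firewall is installed.

echo '#!/bin/sh

# latest firewall updates can always be found here:
# https://trac.torproject.org/projects/tor/wiki/doc/TorBOX
#
# Run by ifupdown (pre-up) before the interfaces come up. Only IPv4 is
# filtered; IPv6 is expected to be disabled via sysctl on the gateway.
# There is no "set -e" here, so a failing iptables command does not stop the
# interface bring-up: check "iptables -L -n -v" after boot.

echo "loading firewall..."

# TransPort (must match TransPort in /etc/tor/torrc)
TRANS_PORT="9040"

# External interface
EXT_IF="eth0"
# Internal interface
INT_IF="eth1"

# Flush old rules
iptables -F
iptables -t nat -F
iptables -X

# Set secure defaults
iptables -P INPUT DROP
# FORWARD rules do not actually do anything while forwarding is disabled. Better be safe just in case.
iptables -P FORWARD DROP
# Since Tor-Gateway is trusted we can allow outgoing traffic from it.
iptables -P OUTPUT ACCEPT

# DROP INVALID
iptables -A INPUT -m state --state INVALID -j DROP

# DROP INVALID SYN PACKETS
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
iptables -A INPUT -f -j DROP

# DROP INCOMING MALFORMED XMAS PACKETS
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# DROP INCOMING MALFORMED NULL PACKETS
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Traffic on the loopback interface is accepted.
iptables -A INPUT -i lo -j ACCEPT

# Established incoming connections are accepted.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow incoming SSH connections on the external interface.
# This accepts SSH from ANY source address. If the gateway is not administered
# from everywhere, restrict it (e.g. add "-s 192.0.2.0/24" with your admin
# network) or remove the rule entirely.
iptables -A INPUT -i $EXT_IF -p tcp --dport 22 -j ACCEPT

# Allow TCP to TransPort and DNS traffic to DNSListenAddress
# ($TRANS_PORT is used here as well so this rule and the REDIRECT below cannot drift apart)
iptables -A INPUT -i $INT_IF -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $INT_IF -p tcp --dport $TRANS_PORT -j ACCEPT
# Redirect allowed traffic from Tor-Workstations to Tor.
# Anything else arriving on the internal interface (other UDP, ICMP, ...) is
# not redirected and ends up at the final REJECT rule.
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
# optional: replace above rule with a more restrictive one, e.g.:
# iptables -t nat -A PREROUTING -i $INT_IF -p tcp --match multiport --dports 80,443 --syn -j REDIRECT --to-ports $TRANS_PORT

# Reject anything not explicitly allowed above.
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
iptables -A FORWARD -j REJECT --reject-with icmp-port-unreachable

echo "firewall loaded"' > /etc/torboxfirewall.sh

chmod +x /etc/torboxfirewall.sh

# Bring up the internal network and start the firewall (runs the pre-up hook)
/etc/init.d/networking restart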

# Enable transparent proxying in Tor
# Reference: https://www.torproject.org/docs/tor-manual.html.en
#   VirtualAddrNetwork    - range of fake addresses Tor hands out when an
#                           application resolves a name with no real IP
#                           (e.g. an .onion address); set as in the docs.
#   AutomapHostsOnResolve - actually map such names to addresses from the
#                           VirtualAddrNetwork range on resolve.
#   TransListenAddress    - address on which transparently redirected TCP
#                           connections are accepted.
#   TransPort             - TCP port for those redirected connections.
#   DNSListenAddress      - address on which DNS requests are accepted.
#   DNSPort               - UDP port for DNS requests, resolved asynchronously.
# The addresses must match the eth1 address and the firewall REDIRECT ports
# configured above. NOTE(review): newer Tor releases fold the *ListenAddress
# options into "TransPort 192.168.0.1:9040" / "DNSPort 192.168.0.1:53";
# check "man tor" for the version you installed.

cat >> /etc/tor/torrc <<'EOF'

VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 192.168.0.1
DNSPort 53
DNSListenAddress 192.168.0.1

# Uncomment if you install a hidden service on the Tor-Workstation
# Check /var/lib/tor/hidden_service/hostname for your .onion address.
# Backup the keys!

# HiddenServiceDir /var/lib/tor/hidden_service/
# HiddenServicePort 80 192.168.0.2:12345
EOF

# Restart Tor so the new torrc takes effect (a failure here rolls back).
service tor restart

echo "Tor-Gateway configuration successful." >&2