
Copyright (C) 2006 nostars. Distributed under the MIT license; see ./LegalStuff for the full text.

Transparently Routing Traffic Through Tor With Transocks

This page is obsolete. Follow the instructions at TransparentProxy instead.

This is a quick and dirty method for setting up Transocks in Debian. The advantage in using Transocks is that all network applications using TCP will have their traffic routed through Tor without any configuration. For programs with native SOCKS support it may be a better idea to have them connect to Tor directly rather than letting Transocks handle the connection transparently. Transocks won't interfere with programs trying to connect to Tor directly, so running it as well can't hurt.

This configuration is designed to completely prevent all non-Tor traffic from leaving a computer. If you want to allow some programs to bypass Tor, you'll need to change the transocks-rules.sh script. Also, modifying transocks-rules.sh will allow Transocks to run on a router, transparently routing an entire network's traffic through Tor.


tor-dns-proxy.py

In order to plug DNS leaks, you'll need to install tor-dns-proxy.py from dsocks. You can either apply the included patch or just change tor-dns-proxy.py as indicated.

/usr/src/tor-dns-proxy.patch

--- dsocks/tor-dns-proxy.py	2005-02-28 18:22:26.000000000 +0000
+++ dsocks/tor-dns-proxy.py	2006-04-21 04:59:08.000000000 +0000
@@ -17 +17 @@
-my_socket = ("127.0.0.1", 53)
+my_socket = ("127.0.0.1", 5353)
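Review bot: Moving the listener from 53 to 5353 is what lets the proxy run unprivileged (transocksify.sh starts it with --chuid nobody, which cannot bind a port below 1024), but the port now has to agree with the DNAT rule in transocks-rules.sh (--to-destination 127.0.0.1:5353); a mismatch sends every lookup to a port nobody listens on. A one-line comment beside the new value naming that dependency would save the next person who changes one without the other.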

Commands preceded by $ are meant to be run as a regular user, those preceded by # should be run as root.

First install dpkt.

# apt-get install python-dev
$ cd /usr/src
$ wget http://www.monkey.org/~dugsong/dpkt/dpkt-1.4.tar.gz
$ tar xzf dpkt-1.4.tar.gz
$ cd dpkt-1.4
# ./setup.py install

tor-dns-proxy.py is distributed with dsocks.

$ cd /usr/src
$ wget http://www.monkey.org/~dugsong/dsocks/dsocks-1.3.tar.gz
$ tar xzf dsocks-1.3.tar.gz
$ patch -p0 < tor-dns-proxy.patch
# cp dsocks/tor-dns-proxy.py /usr/local/sbin

Transocks

Transocks requires Dante, a SOCKS library.

$ cd /usr/src
$ wget ftp://ftp.inet.no/pub/socks/dante-1.1.19.tar.gz
$ tar xzf dante-1.1.19.tar.gz
$ cd dante-1.1.19
$ ./configure && make
# make install
# echo '/usr/local/lib' >>/etc/ld.so.conf
# ldconfig

The following patch allows Transocks to build with the current Dante release, moves the pid file to a writable location, and adds an option to bind to localhost rather than all interfaces. Copy it to /usr/src/transocks.patch.

/usr/src/transocks.patch

--- transocks/Makefile	2004-03-15 17:45:41.000000000 +0000
+++ transocks/Makefile	2006-04-21 04:28:02.000000000 +0000
@@ -3,3 +3,3 @@
 SOCKS_LIBDIR = /usr/local/lib
-SOCKS_LIB = -lsocksd  # Dante SOCKS library
+SOCKS_LIB = -ldsocks  # Dante SOCKS library
 CFLAGS = -g -O2 -DSOCKS -I$(SOCKS_INCDIR)
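Review bot: -ldsocks is the right library name for the Dante 1.1.19 built from source above, but SOCKS_LIBDIR (and SOCKS_INCDIR, used in the CFLAGS line) stay hard-wired to /usr/local; if Dante is installed from a distribution package instead, both variables and the /etc/ld.so.conf entry added earlier need to change together, so that is worth a comment next to the variables.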
--- transocks/transocks.c	2004-03-18 23:34:43.000000000 +0000
+++ transocks/transocks.c	2006-04-21 07:22:44.000000000 +0000
@@ -72,2 +72,3 @@
 int isdaemon = 1;
+int isloopback = 0;
 short bindport = 1211;
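Review bot: `int isloopback = 0;` keeps "listen on all interfaces" as the default, so the new -l flag is opt-in and the only thing keeping the redirector off the network is transocksify.sh passing `-- -l`. With the iptables rules on this page always DNATing to 127.0.0.1:1211 there is no use for a non-loopback listener, and the filter INPUT policy is ACCEPT, so a start without -l exposes the port to the LAN; defaulting isloopback to 1 (and making a flag opt out instead) would fail safe.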
@@ -76,3 +77,3 @@
 	FILE * fh;
-	fh = fopen("/var/run/transocks.pid", "w");
+	fh = fopen("/var/run/transocks/transocks.pid", "w");
 	assert(fh);
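Review bot: The pid file now lands in /var/run/transocks/, which the install step creates with `mkdir -m 0777` so the process can write it after start-stop-daemon's --chuid nobody. A world-writable directory lets any local user replace the pid file that the stop command reads; start-stop-daemon's --exec check limits the effect to processes running the transocks binary, but a directory owned by nobody with mode 0755 is the safer choice. Also, `assert(fh)` is the only error handling on the fopen; it fires with the Makefile's CFLAGS shown above, but would vanish under -DNDEBUG, so an explicit NULL check with a message and exit is preferable.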
@@ -93,3 +94,3 @@
 
-	while ((c = getopt(argc, argv, "fp:")) != EOF) {
+	while ((c = getopt(argc, argv, "flp:")) != EOF) {
 		switch(c) {
@@ -106,5 +107,8 @@
 		case '?':
-			fprintf(stderr, "Usage: %s [-f] [-p port]\n", argv[0]);
+			fprintf(stderr, "Usage: %s [-f] [-l] [-p port]\n", argv[0]);
 			exit(1);
 			break;
+		case 'l':
+			isloopback = 1;
+			break;
 		}
@@ -137,3 +141,3 @@
 	addr.sin_family = AF_INET;
-	addr.sin_addr.s_addr = htonl(INADDR_ANY);
+	addr.sin_addr.s_addr = htonl(isloopback ? INADDR_LOOPBACK : INADDR_ANY);
 	addr.sin_port = htons(bindport);
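Review bot: Binding INADDR_LOOPBACK under -l is the right choice for this deployment, since every redirected connection arrives through the DNAT to 127.0.0.1:1211 and nothing on the network should reach the listener. Note that a loopback bind does not authenticate: any local process can still connect to port 1211 directly, which is consistent with the page's goal (all TCP is meant to go through Tor anyway) but worth stating in the usage text next to the new flag.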

Now you should compile Transocks.

$ cd /usr/src
$ cvs -d :pserver:anonymous@cvs.sourceforge.net:/cvsroot/transocks login
$ cvs -d :pserver:anonymous@cvs.sourceforge.net:/cvsroot/transocks co -P transocks
$ patch -p0 < transocks.patch
$ cd transocks
$ make
# cp transocks /usr/local/sbin
# mkdir -m 0777 /var/run/transocks

Edit /etc/socks.conf to forward traffic to Tor at 127.0.0.1:9050.

/etc/socks.conf

route {
    from: 0.0.0.0/0  to: 0.0.0.0/0  via: 127.0.0.1 port = 9050
    proxyprotocol: socks_v4
    method: none
    protocol: tcp
}

iptables Configuration

transocks-rules.sh configures iptables to forward all DNS queries to tor-dns-proxy.py and all outgoing TCP connections to Transocks. Only connections initiated by Tor itself are allowed to leave the machine. LOCAL_NET may need to be customized or eliminated. This script doesn't handle forwarded connections; it must be modified for use on a router.

/usr/local/sbin/transocks-rules.sh

#!/bin/sh

LOCAL_NET=192.168.1.0/24
TOR_UID=`grep '^debian-tor' /etc/passwd | cut -d: -f3`

# Flush tables
/sbin/iptables -F
/sbin/iptables -t nat -F

# Set policies
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -t nat -P OUTPUT ACCEPT

########################################
# nat table rules

# Redirect dns to tor-dns-proxy.py
/sbin/iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:5353

# Skip loopback
/sbin/iptables -t nat -A OUTPUT -o lo -j RETURN
/sbin/iptables -t nat -A OUTPUT -d 127.0.0.1 -j RETURN

# Skip local net
/sbin/iptables -t nat -A OUTPUT -d $LOCAL_NET -j RETURN

# Skip tor
/sbin/iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN

# Redirect remaining tcp connections to transocks
/sbin/iptables -t nat -A OUTPUT -p tcp --syn -j DNAT --to-destination 127.0.0.1:1211

########################################
# filter table rules

# Keep state
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Pass loopback
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT

# Pass local net
/sbin/iptables -A OUTPUT -d $LOCAL_NET -j ACCEPT

# Pass tor
/sbin/iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT

# Reject and log everything else
/sbin/iptables -A OUTPUT -j LOG
/sbin/iptables -A OUTPUT -j REJECT
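The rules above encode a small policy: fail closed, rewrite UDP/53 to the DNS proxy and TCP SYNs to Transocks, and exempt only Tor's UID. The audit below is an added example, not code from this page or from the Transocks project: it parses iptables-save output and checks those invariants, so that a ruleset that has drifted (an "exception" somebody added, a port that no longer matches the patched tor-dns-proxy.py, an OUTPUT policy reopened) is flagged before the host is trusted. The two iptables-save dumps, the Tor UID 106 and the mistakes in BAD_DUMP are constructed for the example.

```python
"""Audit an iptables-save dump for the invariants transocks-rules.sh is meant to
enforce. Added example for this page; not code from the wiki or from Transocks."""
import re
from typing import Dict, List


def parse_iptables_save(dump: str) -> Dict[str, dict]:
    """{table: {"policy": {chain: policy}, "rules": {chain: [rule, ...]}}}"""
    tables: Dict[str, dict] = {}
    current = ""
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # *nat, *filter
            current = line[1:]
            tables[current] = {"policy": {}, "rules": {}}
        elif line.startswith(":"):        # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            tables[current]["policy"][chain] = policy
        elif line.startswith("-A "):      # -A CHAIN <matches> -j TARGET
            tables[current]["rules"].setdefault(line.split()[1], []).append(line)
    return tables                         # COMMIT, comments and blanks are ignored


def audit(dump: str, local_net: str = "192.168.1.0/24",
          dns_port: int = 5353, transocks_port: int = 1211) -> List[str]:
    """Return findings; [] means the dump matches the page's design. Port
    defaults are the patched tor-dns-proxy.py (5353) and transocks (1211)."""
    tables = parse_iptables_save(dump)
    filt = tables.get("filter", {"policy": {}, "rules": {}})
    nat_out = tables.get("nat", {"rules": {}})["rules"].get("OUTPUT", [])
    filt_out = filt["rules"].get("OUTPUT", [])
    findings: List[str] = []

    # 1. Fail closed: nothing leaves unless a rule explicitly allows it.
    for chain in ("OUTPUT", "FORWARD"):
        if filt["policy"].get(chain) != "DROP":
            findings.append(f"filter {chain} policy is not DROP")

    # 2. UDP/53 must be rewritten to the local DNS proxy, on the port it uses.
    dns = [m for r in nat_out for m in [re.search(
        r"-p udp\b.*--dport 53\b.*-j DNAT --to-destination 127\.0\.0\.1:(\d+)", r)] if m]
    if not dns:
        findings.append("no DNAT of UDP/53 to 127.0.0.1: DNS would leak")
    elif int(dns[0].group(1)) != dns_port:
        findings.append(f"DNS DNAT goes to port {dns[0].group(1)}, proxy listens on {dns_port}")

    # 3. New TCP connections (SYN) must be rewritten to transocks.
    tcp_re = rf"-p tcp\b.*SYN.*-j DNAT --to-destination 127\.0\.0\.1:{transocks_port}\b"
    if not any(re.search(tcp_re, r) for r in nat_out):
        findings.append(f"no DNAT of TCP SYN to 127.0.0.1:{transocks_port}")

    # 4. The UID(s) exempt from redirection are learned from the nat table; the
    #    page intends exactly one, Tor's.
    tor_uids = {m.group(1) for r in nat_out
                for m in [re.search(r"--uid-owner (\S+).*-j RETURN", r)] if m}

    # 5. Every ACCEPT in filter OUTPUT must carry one of the page's qualifiers;
    #    an unqualified ACCEPT, or one for a different UID, bypasses Tor.
    allowed = [r"-o lo\b", r"-d 127\.0\.0\.1(/32)?\b", r"--state \S*ESTABLISHED",
               rf"-d {re.escape(local_net)}\b"]
    allowed += [rf"--uid-owner {re.escape(u)}\b" for u in tor_uids]
    for rule in filt_out:
        if rule.endswith("-j ACCEPT") and not any(re.search(p, rule) for p in allowed):
            findings.append(f"bypass of Tor: {rule}")

    # 6. Blocked traffic should be logged so a leak attempt is visible.
    if not any(" -j LOG" in r for r in filt_out):
        findings.append("no LOG rule in filter OUTPUT: blocked traffic is silently rejected")
    return findings


# Constructed sample of `iptables-save` output after transocks-rules.sh ran with
# LOCAL_NET=192.168.1.0/24; the Tor UID 106 is an assumed value.
GOOD_DUMP = """\
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:5353
-A OUTPUT -o lo -j RETURN
-A OUTPUT -d 127.0.0.1/32 -j RETURN
-A OUTPUT -d 192.168.1.0/24 -j RETURN
-A OUTPUT -m owner --uid-owner 106 -j RETURN
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DNAT --to-destination 127.0.0.1:1211
COMMIT
*filter
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -m owner --uid-owner 106 -j ACCEPT
-A OUTPUT -j LOG
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# Same host after three mistakes (constructed): OUTPUT policy opened, DNS DNAT
# pointing at the unpatched port 53, and an NTP "exception" put in place of LOG.
BAD_DUMP = (GOOD_DUMP.replace(":OUTPUT DROP", ":OUTPUT ACCEPT")
            .replace("127.0.0.1:5353", "127.0.0.1:53")
            .replace("-A OUTPUT -j LOG\n", "-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT\n"))

if __name__ == "__main__":
    for name, dump in (("good", GOOD_DUMP), ("bad", BAD_DUMP)):
        print(name, audit(dump) or "OK")
```

On a live host, feed it `iptables-save` output (`audit(subprocess.run(["iptables-save"], capture_output=True, text=True).stdout)` as root) and pass the LOCAL_NET you configured; the check is deliberately strict about ACCEPT rules, since every unqualified ACCEPT in OUTPUT is by construction a path around Tor.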

Bringing it all together

transocksify.sh is a quick and dirty way (no error checking) to enable and disable tor-dns-proxy.py and Transocks.

/usr/local/sbin/transocksify.sh

#!/bin/sh
# Enable (start) or disable (stop) transparent Tor routing: the DNS proxy and
# Transocks as user nobody, the iptables rules, and the resolver configuration.

case "$1" in
  start)
    # Run tor-dns-proxy.py in the background; start-stop-daemon writes its pid file
    /sbin/start-stop-daemon --start --quiet --background --make-pidfile \
      --chuid nobody \
      --pidfile /var/run/tor-dns-proxy.pid \
      --exec /usr/local/sbin/tor-dns-proxy.py
    # Transocks daemonizes and writes its own pid file; -l binds loopback only
    /sbin/start-stop-daemon --start --quiet \
      --chuid nobody \
      --pidfile /var/run/transocks/transocks.pid \
      --exec /usr/local/sbin/transocks -- -l
    /usr/local/sbin/transocks-rules.sh
    # Send resolver queries to localhost, where the DNAT rule hands them to the proxy
    cp /etc/resolv.conf /etc/resolv.conf.old
    echo 'nameserver 127.0.0.1' >/etc/resolv.conf
    ;;
  stop)
    /sbin/start-stop-daemon --stop --signal INT --quiet \
      --pidfile /var/run/transocks/transocks.pid \
      --exec /usr/local/sbin/transocks
    /sbin/start-stop-daemon --stop --signal INT --quiet \
      --pidfile /var/run/tor-dns-proxy.pid
    # Flush the rules, open the policies again and restore the old resolver
    /sbin/iptables -F
    /sbin/iptables -t nat -F
    /sbin/iptables -P OUTPUT ACCEPT
    /sbin/iptables -P FORWARD ACCEPT
    mv /etc/resolv.conf.old /etc/resolv.conf
    ;;
  *)
    echo "Usage: $0 {start|stop}" >&2
    exit 1
    ;;
esac

exit 0

Fix permissions on executables.

# chmod 0755 /usr/local/sbin/{tor-dns-proxy.py,transocks,transocks-rules.sh,transocksify.sh}

Torify everything:

# transocksify.sh start

Un-Torify:

# transocksify.sh stop
Last modified on Jun 11, 2011, 3:21:42 PM