Changes between Version 129 and Version 130 of doc/TransparentProxy


Timestamp:
Oct 20, 2019, 8:32:12 PM (8 months ago)
Author:
NonaSuomy
Comment:

Added the requested NFTables example from duclicsic on #netfilter (freenode). https://trac.torproject.org/projects/tor/ticket/21397

  • doc/TransparentProxy

    106106}}}
    107107
    108 Use the {{{iptables}}} ruleset below as an example. Read and understand the ruleset before applying!
     108Use the {{{nftables}}} or {{{iptables}}} ruleset below as an example. Read and understand the ruleset before applying!
     109
     110NFTables
     111
     112
     113/etc/nftables.conf
     114{{{
     115# Verify your network interface with ip addr
     116define interface = enp1s0
     117# Verify tor uid with id -u tor
     118define uid = 43
     119
     120table ip nat {
     121        set unrouteables {
     122                type ipv4_addr
     123                flags interval
     124                elements = { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 0.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.0.0.0/24, 192.0.2.0/24, 192.88.99.0/24, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4 }
     125        }
     126
     127        chain POSTROUTING {
     128                type nat hook postrouting priority 100; policy accept;
     129        }
     130
     131        chain OUTPUT {
     132                type nat hook output priority -100; policy accept;
     133                meta l4proto tcp ip daddr 10.192.0.0/10 redirect to :9040
     134                meta l4proto udp ip daddr 127.0.0.1 udp dport 53 redirect to :5353
     135                skuid $uid return
     136                oifname "lo" return
     137                ip daddr @unrouteables return
     138                meta l4proto tcp redirect to :9040
     139        }
     140}
     141table ip filter {
     142        set private {
     143                type ipv4_addr
     144                flags interval
     145                elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 }
     146        }
     147        chain INPUT {
     148                type filter hook input priority 0; policy drop;
     149                # Allow Local SSH connections
     150                iifname $interface meta l4proto tcp tcp dport 22 ct state new accept
     151                ct state established accept
     152                iifname "lo" accept
     153                ip saddr @private accept
     154        }
     155
     156        chain FORWARD {
     157                type filter hook forward priority 0; policy drop;
     158        }
     159
     160        chain OUTPUT {
     161                type filter hook output priority 0; policy drop;
     162                ct state established accept
     163                oifname $interface meta l4proto tcp skuid $uid ct state new accept
     164                oifname "lo" accept
     165                ip daddr @private accept
     166        }
     167}
     168}}}
     169
     170
     171IPTables
    109172
    110173{{{