LinuxQuestions.org

Linux - Security: Tor, Squid, Privoxy behind iptables firewall (http://www.linuxquestions.org/questions/linux-security-4/tor-squid-privoxy-behind-iptables-firewall-574689/)

mistersnorfles 08-04-2007 07:34 AM

Tor, Squid, Privoxy behind iptables firewall
 
Hi -

I am looking for help installing Tor, Privoxy, and Squid behind a firewall. Everything is running on one computer, and that computer is not acting as a server for any others.

I was reading an article that was discussing how running squid and tor together destroys anonymity because squid does DNS lookups unencrypted/untorified.

Is there a way to put squid "behind" privoxy, and route all of its DNS stuff through privoxy and tor? I want to use squid as a cache to speed up my connection, but not if it is going to un-anonymize me.

Also I have a simple firewall setup using iptables. Here is my config so far:

Code:

# Generated by iptables-save v1.3.5 on Sat Aug  4 05:24:47 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2433790:138848833]
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6881:6886 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Sat Aug  4 05:24:47 2007

What other rules do I need to add for iptables to make tor, squid, and privoxy work together? Please feel free to take this as an opportunity to tell me any other rules that it would be a good idea to add for a more secure firewall (but if you make a recommendation, please tell me what it does and why).

Also, what does this mean:
Code:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2433790:138848833]

I know this is a lot of questions in one post, but I would really appreciate some help with this. It is all really confusing...

Thanks,
Mr. Snorfles

Mara 08-04-2007 11:07 AM

You can use the following configuration:
user -> squid -> privoxy -> tor

The configuration of tor client and privoxy is standard. To redirect squid to privoxy you need the option cache_peer with never_direct parameter (see: http://www.visolve.com/squid/squid24s1/neighbour.php).
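The user -> squid -> privoxy -> tor chain written out as configuration fragments. This is an added example, not from the thread: file paths are assumed, and the ports (Squid 3128, Privoxy 8118, Tor 9050) are the usual defaults.

```text
# /etc/squid/squid.conf (assumed path) -- point the browser at 127.0.0.1:3128
http_port 3128
# Hand every request to Privoxy as a parent: "no-query" skips ICP, which
# Privoxy does not speak, and "default" makes it the last-resort peer.
cache_peer 127.0.0.1 parent 8118 0 no-query default
# Never fetch from origin servers directly. Squid then passes the URL to the
# parent and does not resolve the destination hostname itself.
never_direct allow all
# Caveat: "dst" ACLs force Squid to resolve names; prefer "dstdomain" ACLs.

# /etc/privoxy/config
listen-address 127.0.0.1:8118
# socks4a (not socks4) hands the hostname to Tor, which resolves it remotely.
forward-socks4a / 127.0.0.1:9050 .

# /etc/tor/torrc
SocksPort 9050
```

The usual http_access rules allowing localhost still apply on the Squid side.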

mistersnorfles 08-04-2007 10:06 PM

That link didn't work. I got 404 not found...

Whenever I turn off Tor, I cannot use the internet until I remove the forward-socks4a line from my privoxy config. Is there any way to set this up to be more convenient, so that if I want to turn off Tor, and still have privoxy running, I can do so without having to edit /etc/privoxy/config?

Also, what is tsocks for? What happens if I run tor without it? It installed when Tor was installed. I am worried about it, because when I turn on the forward-socks4a option in my privoxy config, firewall testing sites show that several ports are open on my computer that should not be open. Is Tor allowing traffic to bypass my firewall? When I turn off forward-socks4a it shows that the ports are closed. What can I do to make sure Tor isn't screwing up my firewall?

As far as my firewall config above - all I want to do is allow web browsing, logging into ssh servers, and bittorrent traffic and I want everything else from inside and outside the network to be blocked. Are my rules correct?

Thanks,
Mr. Snorfles

win32sux 08-05-2007 04:08 AM

Quote:

Originally Posted by mistersnorfles
That link didn't work. I got 404 not found...

There's a typo at the end of the link (a parenthesis). Here's the fixed link: http://www.visolve.com/squid/squid24s1/neighbour.php

Quote:

Whenever I turn off Tor, I cannot use the internet until I remove the forward-socks4a line from my privoxy config. Is there any way to set this up to be more convenient, so that if I want to turn off Tor, and still have privoxy running, I can do so without having to edit /etc/privoxy/config?
One way would be to run another Privoxy (configured to not forward-socks4a) and then use a proxy-switching extension in Firefox. Another way could be to create a script for turning off Tor, called say toroff, and place commands in it so that it makes the proper adjustment to your Privoxy config whenever you do a toroff. You'd need a toron too I guess.

Quote:

Also, what is tsocks for? What happens if I run tor without it? It installed when Tor was installed.
It is a SOCKS client. You use it if you need to SOCKS-ify an application (to, for example, make it communicate with Tor). Typically people that are using Privoxy won't need this, as they will connect to Privoxy, not to Tor.

Quote:

I am worried about it, because when I turn on the forward-socks4a option in my privoxy config, firewall testing sites show that several ports are open on my computer that should not be open. Is Tor allowing traffic to bypass my firewall? When I turn off forward-socks4a it shows that the ports are closed. What can I do to make sure Tor isn't screwing up my firewall?
If you go to a firewall test website while using Tor, the website won't know your actual IP address. They will only know the address of your Tor exit node - it's kind of the point. So the scan results represent your exit node (which you have no connection to, or control over), not your actual box.

Quote:

As far as my firewall config above - all I want to do is allow web browsing, logging into ssh servers, and bittorrent traffic and I want everything else from inside and outside the network to be blocked. Are my rules correct?
The rules you posted aren't doing any filtering for outgoing packets. But wait, is this box the router/gateway for your LAN? Or is it a stand-alone PC?

unSpawn 08-05-2007 04:43 AM

If I look at the
Code:

user -> squid -> privoxy -> tor
chain, and considering you're 0) not providing the cache for anyone else and 1) that Squid will only be satisfied with a large RAM cache and 2) that running all services on one box is not good for performance, do ask yourself why you can't be satisfied with using only your local browser's cache? Will Squid speed up browsing *that* much? My guess is you won't need Squid.

With Privoxy you can filter page contents extensively, but you'll have to add filters and test them yourself to be sure they do what you want them to do, and besides there'll be a performance drop from loading large rulesets. Now, in the above scenario Privoxy is only used as a conduit to TOR. If you need Privoxy primarily as a tunnel and not as a filtering proxy, then you could substitute it with Polipo. It doesn't have one percent of Privoxy's filtering caps, but it caches page contents and performs way faster.


Quote:

Is Tor allowing traffic to bypass my firewall?
Adding to what my fellow moderator already said: you don't know and you can't check because you don't have any firewall logging and firewall egress policy: your OUTPUT chain policy is set to unrestricted "ACCEPT".


BTW, if you're using on-line anonymity for valid reasons then I hope you realise you will need to cover more aspects than setting up a proxy alone. And I hope I misread that you are going to try to do P2P over TOR, because nobody will let you (exit policies). And that's good, since not only will it be mindblisteringly slow on the client side, but more importantly it clogs up the TOR network for those trying to use TOR for compelling reasons.

mistersnorfles 08-05-2007 07:39 AM

As far as squid not helping speed things up - it will give me more control over the cache than my browser does (as far as choosing what gets cached and how), and I can use it as a DNS cache as well. This should give me a speed improvement, and if not, it will still give me more control than my browser does... Plus being in control of what is and isn't cached, and how DNS requests are made, makes things more secure if set up properly - always a good thing. Plus I'd just like to learn how to set it up for fun ;)

As far as using Tor, I am just using it for anonymity for privacy while I surf - I don't like people seeing what I am looking at, buying, etc. on the internet - I feel like that is only my business. I wouldn't try to use bittorrent with it anyway - Tor is WAY too slow for that. So definitely using it for a compelling reason - online privacy.

I guess I'll just write a script for toggling tor. I was just wondering if there was already a mechanism in place to do so. As far as the script goes, is there any way to edit the Privoxy configuration web page (config.privoxy.org) to have a link to run that script (kind of like how you can toggle privoxy on/off from there)?

--Mr. Snorfles

win32sux 08-05-2007 11:55 AM

Quote:

Originally Posted by mistersnorfles
As far as using Tor, I am just using it for anonymity for privacy while I surf - I don't like people seeing what I am looking at, buying, etc. on the internet - I feel like that is only my business.

Well, always remember that only the traffic within the Tor network is encrypted. Anyone at the exit nodes and beyond will still be able to see what you are looking at (Tor is not a replacement for HTTPS).

Quote:

I guess I'll just write a script for toggling tor. I was just wondering if there was already a mechanism in place to do so.
I use Torbutton, but I only select between using Privoxy/Tor and my direct connection. In your case, since you want to maintain Squid/Privoxy usage throughout, a script to toggle Tor from Privoxy's config seems like a reasonable option.
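The toron/toroff idea from win32sux's earlier reply, as an added script that is not from the thread. It assumes the Tor forwarding in Privoxy's config is the line starting with forward-socks4a (as in this thread) and that Privoxy re-reads its config when the file changes, which it does by default.

```shell
#!/bin/sh
# tortoggle (added example): switch Privoxy between "forward everything to
# Tor" and "go direct" by commenting the forward-socks4a line out and back
# in, instead of hand-editing /etc/privoxy/config each time.
CONF="${PRIVOXY_CONF:-/etc/privoxy/config}"

# tor_on FILE: uncomment the forward-socks4a line (safe to run repeatedly)
tor_on() {
    sed -i 's/^#[[:space:]]*\(forward-socks4a[[:space:]]\)/\1/' "$1"
}

# tor_off FILE: comment the line out (safe to run repeatedly)
tor_off() {
    sed -i 's/^\(forward-socks4a[[:space:]]\)/#\1/' "$1"
}

# tor_state FILE: print "on" if Privoxy currently forwards to Tor, else "off"
tor_state() {
    if grep -q '^forward-socks4a[[:space:]]' "$1"; then echo on; else echo off; fi
}

# Command-line use: tortoggle on|off|status (needs write access to $CONF)
if [ $# -gt 0 ]; then
    case "$1" in
        on)     tor_on "$CONF" ;;
        off)    tor_off "$CONF" ;;
        status) tor_state "$CONF" ;;
        *)      echo "usage: $0 on|off|status" >&2; exit 2 ;;
    esac
fi
```

This only changes where Privoxy sends traffic; stopping or starting the Tor daemon itself is a separate step through its init script.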

gabsik 12-13-2007 04:12 PM

Tor v0.2.0.12-alpha has a built-in DNS proxy as well as an HTTP transparent proxy; you can turn them on by setting
Quote:

DNSPort PORT
If non-zero, Tor listens for UDP DNS requests on this port and resolves them anonymously. (Default: 0).
DNSListenAddress IP[:PORT]
and
Quote:

TransPort PORT
If non-zero, enables transparent proxy support on PORT (by convention, 9040). Requires OS support for transparent proxies, such as BSDs' pf or Linux's IPTables. If you're planning to use Tor as a transparent proxy for a network, you'll want to examine and change VirtualAddrNetwork from the default setting. You'll also want to set the TransListenAddress option for the network you'd like to proxy. (Default: 0).

TransListenAddress IP[:PORT]
Bind to this address to listen for transparent proxy connections. (Default: 127.0.0.1). This is useful for exporting a transparent proxy server to an entire network.
See man torrc for this, and set your firewall to route all traffic to ports 80 and 53 accordingly, like this:
Quote:

$IPT -t nat -A PREROUTING -i $IF* -p udp --dport 53 -j DNAT --to 0.0.0.0:5553
$IPT -t nat -A PREROUTING -i $IF* -p tcp --dport 80 -j DNAT --to 0.0.0.0:8880
Then you could use Squid as Tor's client so its requests for DNS and HTTP are torified.
Experiment on this and let me know, ok?
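An added example, not from the thread, that combines unSpawn's point about the missing egress policy and logging with gabsik's DNSPort suggestion. It assumes a "DNSPort 5353" line in torrc, that Tor runs as user debian-tor and that the bittorrent client runs as a dedicated user named torrent; all three are placeholders. One caveat on the rules quoted above: on a stand-alone PC, locally generated packets never pass PREROUTING, so the DNS redirection has to live in the nat OUTPUT chain.

```shell
#!/bin/sh
# Added example: egress policy plus DNS redirection for the single-box
# squid -> privoxy -> tor setup. Placeholders, adjust to your system:
#   TOR_USER  user Tor runs as (debian-tor on Debian/Ubuntu)
#   BT_USER   dedicated unprivileged user running the bittorrent client
#   DNS_PORT  the "DNSPort" value in torrc (UDP only; Tor does not do TCP DNS)
TOR_USER="${TOR_USER:-debian-tor}"
BT_USER="${BT_USER:-torrent}"
DNS_PORT="${DNS_PORT:-5353}"

# build_rules: print an iptables-restore ruleset on stdout; nothing is applied.
build_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Locally generated packets skip PREROUTING, so catch DNS in nat/OUTPUT.
# Tor's and the torrent client's own lookups are left alone.
-A OUTPUT -o lo -j RETURN
-A OUTPUT -m owner --uid-owner $TOR_USER -j RETURN
-A OUTPUT -m owner --uid-owner $BT_USER -j RETURN
-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
# squid, privoxy and tor talk over loopback; only Tor itself reaches the net
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner $TOR_USER -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A OUTPUT -m owner --uid-owner $BT_USER -j ACCEPT
# anything else leaving directly (a browser ignoring the proxy, a stray
# resolver call) is logged, then dropped by the OUTPUT policy
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DROP: "
COMMIT
EOF
}

# Review with "sh egress.sh"; apply as root with "sh egress.sh apply".
if [ "${1:-}" = apply ]; then build_rules | iptables-restore; fi
```

Outbound SSH still goes direct (not through Tor), and the dropped-packet log lines in the kernel log are how you answer "is something bypassing the proxy chain?".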

