LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 08-04-2007, 07:34 AM   #1
mistersnorfles
Tor, Squid, Privoxy behind iptables firewall


Hi -

I am looking for help installing Tor, Privoxy, and Squid behind a firewall. Everything is running on one computer, and that computer is not acting as a server for any others.

I was reading an article that was discussing how running squid and tor together destroys anonymity because squid does DNS lookups unencrypted/untorified.

Is there a way to put squid "behind" privoxy, and route all of its DNS stuff through privoxy and tor? I want to use squid as a cache to speed up my connection, but not if it is going to un-anonymize me.

Also I have a simple firewall setup using iptables. Here is my config so far:

Code:
# Generated by iptables-save v1.3.5 on Sat Aug  4 05:24:47 2007
*filter
# Default policies: drop unsolicited inbound packets and all forwarded packets,
# accept everything outbound (no egress filtering at all).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2433790:138848833]
# Loopback traffic, matched on source address only (the usual form is -i lo)
-A INPUT -s 127.0.0.1 -j ACCEPT
# Replies and related packets for connections this host opened
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Inbound SSH
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Inbound BitTorrent peer connections
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6881:6886 -j ACCEPT
# Explicit catch-all; redundant with the DROP policy above
-A INPUT -j DROP
COMMIT
# Completed on Sat Aug  4 05:24:47 2007
What other rules do I need to add for iptables to make tor, squid, and privoxy work together? Please feel free to take this as an opportunity to tell me any other rules that it would be a good idea to add for a more secure firewall (but if you make a recommendation, please tell me what it does and why).

Also, what does this mean:
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2433790:138848833]
I know this is a lot of questions in one post, but I would really appreciate some help with this. It is all really confusing...

Thanks,
Mr. Snorfles
 
Old 08-04-2007, 11:07 AM   #2
Mara
You can use the following configuration:
user -> squid -> privoxy -> tor

The configuration of tor client and privoxy is standard. To redirect squid to privoxy you need the option cache_peer with never_direct parameter (see: http://www.visolve.com/squid/squid24s1/neighbour.php).
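A way to lint the user -> squid -> privoxy -> tor chain for the two settings that decide whether DNS leaks, added here as an example; it is not code from the thread nor from Squid, Privoxy or Tor. It assumes the conventional local ports (Privoxy on 127.0.0.1:8118, Tor's SOCKS listener on 127.0.0.1:9050) and the Squid directives Mara names, cache_peer plus never_direct. The sample configs it writes for the demo are constructed, not real files.

```shell
#!/bin/sh
# check_tor_chain.sh: lint a squid -> privoxy -> tor chain for the settings
# that let DNS or HTTP escape Tor. Added example, not from the thread.
# Assumed ports: Privoxy 127.0.0.1:8118, Tor SOCKS 127.0.0.1:9050.

# Squid must hand every request to the Privoxy parent and never go direct.
# Without "never_direct allow all" it will contact (and resolve) origin
# servers itself whenever it decides the parent is not to be used.
check_squid() {
    f=$1
    grep -Eq '^[[:space:]]*cache_peer[[:space:]]+127\.0\.0\.1[[:space:]]+parent[[:space:]]+8118[[:space:]]' "$f" ||
        { echo "squid: no 'cache_peer 127.0.0.1 parent 8118 ...' line"; return 1; }
    grep -Eq '^[[:space:]]*never_direct[[:space:]]+allow[[:space:]]+all' "$f" ||
        { echo "squid: 'never_direct allow all' missing, Squid may go direct"; return 1; }
    return 0
}

# Privoxy must forward with socks4a (the hostname goes to Tor, which resolves
# it at the exit) and not socks4 (Privoxy resolves locally and sends Tor an
# IP): that local lookup is the leak. It should also listen on loopback only.
check_privoxy() {
    f=$1
    if grep -Eq '^[[:space:]]*forward-socks4[[:space:]]' "$f"; then
        echo "privoxy: forward-socks4 resolves DNS locally, use forward-socks4a"
        return 1
    fi
    grep -Eq '^[[:space:]]*forward-socks4a[[:space:]]+/[[:space:]]+127\.0\.0\.1:9050[[:space:]]+\.' "$f" ||
        { echo "privoxy: no 'forward-socks4a / 127.0.0.1:9050 .' line"; return 1; }
    if grep -Eq '^[[:space:]]*listen-address[[:space:]]' "$f" &&
       ! grep -Eq '^[[:space:]]*listen-address[[:space:]]+127\.0\.0\.1:' "$f"; then
        echo "privoxy: listen-address is not loopback-only"
        return 1
    fi
    return 0
}

# check_chain SQUID_CONF PRIVOXY_CONF: 0 if both look torified, 1 otherwise.
check_chain() {
    check_squid "$1" && check_privoxy "$2"
}

# Stand-alone demo on constructed sample configs (not real files from the thread).
demo=$(mktemp -d)
cat > "$demo/squid.conf" <<'EOF'
http_port 127.0.0.1:3128
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
never_direct allow all
EOF
cat > "$demo/privoxy.good" <<'EOF'
listen-address 127.0.0.1:8118
forward-socks4a / 127.0.0.1:9050 .
EOF
cat > "$demo/privoxy.leaky" <<'EOF'
listen-address 127.0.0.1:8118
forward-socks4 / 127.0.0.1:9050 .
EOF
for p in good leaky; do
    if check_chain "$demo/squid.conf" "$demo/privoxy.$p"; then
        echo "privoxy.$p: chain is torified"
    else
        echo "privoxy.$p: NOT torified"
    fi
done
rm -rf "$demo"
```

The two mistakes it catches are the classic ones: Squid without never_direct will bypass the parent and resolve names itself, and Privoxy configured with forward-socks4 instead of forward-socks4a resolves the hostname locally and hands Tor only an IP. A grep over config files is no substitute for watching the wire: Tor contacts relays by IP address, so a browsing session through this chain should produce no udp/53 traffic from the box at all. Run tcpdump on port 53 while browsing; any query you see means something in the chain is still resolving locally.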
 
Old 08-04-2007, 10:06 PM   #3
mistersnorfles
That link didn't work. I got 404 not found...

Whenever I turn off Tor, I cannot use the internet until I remove the forward-socks4a line from my privoxy config. Is there any way to set this up to be more convenient, so that if I want to turn off Tor, and still have privoxy running, I can do so without having to edit /etc/privoxy/config?

Also, what is tsocks for? What happens if I run tor without it? It installed when Tor was installed. I am worried about it, because when I turn on the forward-socks4a option in my privoxy config, firewall testing sites show that several ports are open on my computer that should not be open. Is Tor allowing traffic to bypass my firewall? When I turn off forward-socks4a it shows that the ports are closed. What can I do to make sure Tor isn't screwing up my firewall?

As far as my firewall config above - all I want to do is allow web browsing, logging into ssh servers, and bittorrent traffic and I want everything else from inside and outside the network to be blocked. Are my rules correct?

Thanks,
Mr. Snorfles
 
Old 08-05-2007, 04:08 AM   #4
win32sux
Quote:
Originally Posted by mistersnorfles
That link didn't work. I got 404 not found...
There's a typo at the end of the link (a parenthesis). Here's the fixed link: http://www.visolve.com/squid/squid24s1/neighbour.php

Quote:
Whenever I turn off Tor, I cannot use the internet until I remove the forward-socks4a line from my privoxy config. Is there any way to set this up to be more convenient, so that if I want to turn off Tor, and still have privoxy running, I can do so without having to edit /etc/privoxy/config?
One way would be to run another Privoxy (configured to not forward-socks4a) and then use a proxy-switching extension in Firefox. Another way could be to create a script for turning off Tor, called say toroff, and place commands in it so that it makes the proper adjustment to your Privoxy config whenever you do a toroff. You'd need a toron too I guess.

Quote:
Also, what is tsocks for? What happens if I run tor without it? It installed when Tor was installed.
It is a SOCKS client. You use it if you need to SOCKS-ify an application (to, for example, make it communicate with Tor). Typically people that are using Privoxy won't need this, as they will connect to Privoxy, not to Tor.

Quote:
I am worried about it, because when I turn on the forward-socks4a option in my privoxy config, firewall testing sites show that several ports are open on my computer that should not be open. Is Tor allowing traffic to bypass my firewall? When I turn off forward-socks4a it shows that the ports are closed. What can I do to make sure Tor isn't screwing up my firewall?
If you go to a firewall test website while using Tor, the website won't know your actual IP address. They will only know the address of your Tor exit node - it's kind of the point. So the scan results represent your exit node (which you have no connection to, or control over), not your actual box.

Quote:
As far as my firewall config above - all I want to do is allow web browsing, logging into ssh servers, and bittorrent traffic and I want everything else from inside and outside the network to be blocked. Are my rules correct?
The rules you posted aren't doing any filtering for outgoing packets. But wait, is this box the router/gateway for your LAN? Or is it a stand-alone PC?

Last edited by win32sux; 08-05-2007 at 04:15 AM.
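The toron/toroff script suggested above, written out as an added example (not code from the thread). It manages exactly one line in the Privoxy config, the forward-socks4a line for 127.0.0.1:9050, by commenting or uncommenting it, and touches nothing else: the stock /etc/privoxy/config is full of commented-out forward-socks4a examples in its documentation, and blindly uncommenting every one would activate forwards to hosts you never chose. The config path, the forward line and the init-script name are assumptions.

```shell
#!/bin/sh
# tortoggle: switch Privoxy between forwarding to Tor and going direct by
# commenting or uncommenting its forward-socks4a line (the "toron/toroff"
# idea from the thread). Added example, not from the thread. Assumed: the
# config path below, the exact forward line shown, and that restarting the
# Privoxy service is how you make it re-read the file.

CONFIG=${PRIVOXY_CONFIG:-/etc/privoxy/config}
FORWARD='forward-socks4a / 127.0.0.1:9050 .'
FWD_RE='forward-socks4a / 127\.0\.0\.1:9050 \.'   # the same line as a regex

# tor_forward on|off FILE: rewrite FILE in place. Only the exact managed line
# is touched, so documentation examples like "#   forward-socks4a / ..." stay
# commented. Idempotent: repeating "on" or "off" changes nothing.
tor_forward() {
    mode=$1 file=$2
    case $mode in
        on)
            if ! grep -q "^$FWD_RE\$" "$file"; then
                if grep -q "^#$FWD_RE\$" "$file"; then
                    sed -i "s|^#$FWD_RE\$|$FORWARD|" "$file"
                else
                    echo "$FORWARD" >> "$file"
                fi
            fi ;;
        off)
            if grep -q "^$FWD_RE\$" "$file"; then
                sed -i "s|^$FWD_RE\$|#$FORWARD|" "$file"
            fi ;;
        *)
            echo "usage: tor_forward on|off FILE" >&2
            return 2 ;;
    esac
}

# tor_state FILE: prints "on" if any active forward-socks4a line exists, else "off".
tor_state() {
    if grep -Eq '^[[:space:]]*forward-socks4a ' "$1"; then echo on; else echo off; fi
}

if [ "${1-}" = on ] || [ "${1-}" = off ]; then
    # Real use: tortoggle on|off, then restart Privoxy so it re-reads the file.
    tor_forward "$1" "$CONFIG" && echo "Tor forwarding is now $(tor_state "$CONFIG")"
    # /etc/init.d/privoxy restart    # assumed init script name; adjust for your distro
else
    # Demo on a constructed temporary config when run without arguments.
    t=$(mktemp)
    printf 'listen-address 127.0.0.1:8118\nforward-socks4a / 127.0.0.1:9050 .\n' > "$t"
    tor_forward off "$t"; echo "after off: $(tor_state "$t")"
    tor_forward on "$t";  echo "after on:  $(tor_state "$t")"
    rm -f "$t"
fi
```

With Tor switched off this way, Privoxy goes direct, so Squid's requests reach the web unproxied by Tor; that is the intended "off" state, not a leak, but remember that anything you do in that state is visible to your ISP. The script must run as a user allowed to write the Privoxy config, and it depends on GNU sed for -i.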
 
Old 08-05-2007, 04:43 AM   #5
unSpawn
If I look at the
Code:
user -> squid -> privoxy -> tor
chain, and considering you're 0) not providing the cache for anyone else and 1) that Squid will only be satisfied with a large RAM cache and 2) that running all services on one box is not good for performance, do ask yourself why you can't be satisfied with using only your local browser's cache? Will Squid speed up browsing *that* much? My guess is you won't need Squid.

With Privoxy you can filter page contents extensively, but you'll have to add filters and test them yourself to be sure they do what you want them to do, and besides there'll be a performance drop with loading large rulesets. Now, in the above scenario Privoxy is only used as a conduit to TOR. If you need Privoxy primarily as a tunnel and not as a filtering proxy, then you could substitute it with Polipo. It doesn't have one percent of Privoxy's filtering caps, but it caches page contents and performs way faster.


Quote:
Is Tor allowing traffic to bypass my firewall?
Adding to what my fellow moderator already said: you don't know and you can't check because you don't have any firewall logging and firewall egress policy: your OUTPUT chain policy is set to unrestricted "ACCEPT".


BTW, if you're using on-line anonymity for valid reasons then I hope you realise you will need to cover more aspects than setting up a proxy alone. And I hope I misread that you are going to try to do P2P over TOR, because nobody will let you (exit policies). And that's good, since not only will it be mindblisteringly slow on the client side, but more importantly it clogs up the TOR network for those trying to use TOR for compelling reasons.
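On the header lines the original poster asked about: in iptables-save format, `*filter` opens the filter table, each `:NAME POLICY [packets:bytes]` line declares a chain with its default policy and the counters it has accumulated (the posted OUTPUT chain had already passed 2,433,790 packets unrestricted), a user-defined chain has `-` where the policy would be, and `COMMIT` loads the table. The ruleset below is an egress-filtering version of the posted one with logging, added here as an example and not posted by anyone in the thread. It assumes the daemons run as the users tor, squid and privoxy and that the BitTorrent client runs as a dedicated user p2p; change the names to match your system.

```iptables
# /etc/iptables.rules (load with: iptables-restore < /etc/iptables.rules)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
# Loopback, matched on the interface rather than on a 127.0.0.1 source address
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Inbound services this box offers: SSH and BitTorrent peer connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 6881:6886 -j ACCEPT
# Egress, decided by which local user is sending (the owner match exists only
# in OUTPUT). Tor (assumed user "tor") reaches relays on arbitrary TCP ports.
-A OUTPUT -p tcp -m state --state NEW -m owner --uid-owner tor -j ACCEPT
# Squid and Privoxy (assumed users "squid" and "privoxy") only need loopback,
# which was accepted above. A DNS query or web fetch from either of them on
# the real interface is exactly the leak this thread worries about: log and drop.
-A OUTPUT -m owner --uid-owner squid -j LOGDROP
-A OUTPUT -m owner --uid-owner privoxy -j LOGDROP
# Everyone else on the box: outbound SSH, the resolver SSH needs, BitTorrent
# (run as assumed user "p2p"; peers listen on arbitrary ports, so match by owner)
-A OUTPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m owner --uid-owner p2p -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner p2p -j ACCEPT
# Default for both directions: rate-limited log, then drop
-A INPUT -j LOGDROP
-A OUTPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "fw-drop: " --log-level 4
-A LOGDROP -j DROP
COMMIT
```

With this loaded, "is Tor letting something bypass my firewall?" has an answer in the kernel log: a `fw-drop:` line for a packet from the squid or privoxy UID is evidence of a resolver or direct fetch that the chain was supposed to prevent, and there is nothing Tor can do to packets that the OUTPUT chain never lets out. Keep an existing SSH session open while switching OUTPUT to a DROP policy; locking yourself out of the box is the usual first result.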
 
Old 08-05-2007, 07:39 AM   #6
mistersnorfles
As far as Squid not helping speed things up - it will give me more control over the cache than my browser does (as far as choosing what gets cached and how), and I can use it as a DNS cache as well. This should give me a speed improvement, and if not, it will still give me more control than my browser does... Plus being in control of what is and isn't cached, and how DNS requests are made, makes things more secure if set up properly - always a good thing. Plus I'd just like to learn how to set it up for fun.

As far as using Tor, I am just using it for anonymity for privacy while I surf - I don't like people seeing what I am looking at, buying, etc. on the internet - I feel like that is only my business. I wouldn't try to use bittorrent with it anyway - Tor is WAY too slow for that. So definitely using it for a compelling reason - online privacy.

I guess I'll just write a script for toggling tor. I was just wondering if there was already a mechanism in place to do so. As far as the script goes, is there any way to edit the Privoxy configuration web page (config.privoxy.org) to have a link to run that script (kind of like how you can toggle privoxy on/off from there)?

--Mr. Snorfles

Last edited by mistersnorfles; 08-05-2007 at 07:45 AM.
 
Old 08-05-2007, 11:55 AM   #7
win32sux
Quote:
Originally Posted by mistersnorfles
As far as using Tor, I am just using it for anonymity for privacy while I surf - I don't like people seeing what I am looking at, buying, etc. on the internet - I feel like that is only my business.
Well, always remember that only the traffic within the Tor network is encrypted. Anyone at the exit nodes and beyond will still be able to see what you are looking at (Tor is not a replacement for HTTPS).

Quote:
I guess I'll just write a script for toggling tor. I was just wondering if there was already a mechanism in place to do so.
I use Torbutton, but I only select between using Privoxy/Tor and my direct connection. In your case, since you want to maintain Squid/Privoxy usage throughout, a script to toggle Tor from Privoxy's config seems like a reasonable option.
 
Old 12-13-2007, 04:12 PM   #8
gabsik
Tor v0.2.0.12-alpha has a built-in DNS proxy as well as an HTTP transparent proxy, which you can turn on by setting
Quote:
DNSPort PORT
If non-zero, Tor listens for UDP DNS requests on this port and resolves them anonymously. (Default: 0).
DNSListenAddress IP[:PORT]
and
Quote:
TransPort PORT
If non-zero, enables transparent proxy support on PORT (by convention, 9040). Requires OS support for transparent proxies, such as BSDs' pf or Linux's IPTables. If you're planning to use Tor as a transparent proxy for a network, you'll want to examine and change VirtualAddrNetwork from the default setting. You'll also want to set the TransListenAddress option for the network you'd like to proxy. (Default: 0).

TransListenAddress IP[:PORT]
Bind to this address to listen for transparent proxy connections. (Default: 127.0.0.1). This is useful for exporting a transparent proxy server to an entire network.
see man torrc for this, and set your firewall to route all traffic to ports 80 and 53 accordingly, like this:
Quote:
$IPT -t nat -A PREROUTING -i $IF -p udp --dport 53 -j REDIRECT --to-ports 5553
$IPT -t nat -A PREROUTING -i $IF -p tcp --dport 80 -j REDIRECT --to-ports 8880
Then you could use Squid as Tor's client so its requests for DNS and HTTP are torified.
Experiment on this and let me know, ok?

Last edited by gabsik; 12-13-2007 at 04:29 PM.
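The rules in the post above are written for a gateway: PREROUTING only sees packets arriving on an interface from other hosts, and the man page text about TransListenAddress and VirtualAddrNetwork is about that network case. On the original poster's single box, locally generated packets never traverse PREROUTING; they go through the nat table's OUTPUT chain. The ruleset below does that, added here as an example rather than something posted in the thread; it keeps the ports from the post (DNSPort 5553, TransPort 8880, both bound to 127.0.0.1, which the quoted man page gives as the default) and assumes Tor runs as the user tor.

```iptables
# Assumed torrc additions (Tor 0.2.0.x): "DNSPort 5553" and "TransPort 8880".
# Both listen on 127.0.0.1 unless DNSListenAddress/TransListenAddress say otherwise.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Tor's own connections to relays must not be captured: a relay listening on
# port 80 would otherwise be redirected back into TransPort and the circuit
# would never leave the box. Assumed user name "tor".
-A OUTPUT -m owner --uid-owner tor -j RETURN
# Plain DNS from any local process (Squid included) goes to Tor's DNSPort
# instead of the resolver in /etc/resolv.conf
-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 5553
# Plain HTTP from any local process goes to TransPort, so Squid no longer
# needs a cache_peer to be torified for port 80
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8880
COMMIT
```

Two limits to keep in mind. TransPort handles TCP only and these rules redirect only tcp/80 and udp/53, so HTTPS, other TCP ports and all other UDP still leave the box directly unless the filter table's OUTPUT chain drops them; transparent redirection is a convenience on top of an egress policy, not a replacement for one. And Tor's DNSPort answers only the lookup types Tor can resolve through the network (host address lookups), so other record types fail rather than fall back to a leaking resolver. If you run a service on 127.0.0.1:80, add `-A OUTPUT -o lo -j RETURN` before the REDIRECT lines so loopback traffic is left alone. Verify the result the same way as before: tcpdump on udp port 53 on the real interface should stay silent while you browse.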
 
  



Tags
cache, caching, configuration, dns, firewall, iptables, privoxy, squid, tor

