Thanks nieldk!
I'm a bit new to Sailfish OS.

So if I understand it correctly:

The dhclient should always set 127.0.0.1 as nameserver (no matter what).

This script:

Code:
#!/bin/sh
# Route all non-local traffic transparently through Tor with iptables.
# The UID that Tor runs as (varies from system to system)
_tor_uid="0"
# Tor's TransPort
_trans_port="9040"
### flush iptables
iptables -F
iptables -t nat -F
### set iptables *nat
# Tor's own traffic must leave the nat chain untouched, or it would loop back into Tor
iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN
# DNS goes to the local resolver on port 53 (dhclient sets 127.0.0.1 as nameserver)
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
# allow clearnet access for hosts: 127.0.0.0/9 127.128.0.0/10
iptables -t nat -A OUTPUT -d 127.0.0.0/9 -j RETURN
iptables -t nat -A OUTPUT -d 127.128.0.0/10 -j RETURN
# redirect all other output to Tor's TransPort
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $_trans_port
### set iptables *filter
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow clearnet access for hosts: 127.0.0.0/8
iptables -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
# allow only Tor output
iptables -A OUTPUT -m owner --uid-owner $_tor_uid -j ACCEPT
# Security fix: drop invalid packets and stray FIN/RST segments to non-local hosts.
# These must come before the final REJECT, which terminates rule evaluation;
# placed after it they would never match.
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
# reject everything else
iptables -A OUTPUT -j REJECT
It should run after the Tor daemon has been started and after every network switch (the systemd part).

Then all outgoing traffic (except for localhost) will be routed through Tor and I'll be able to resolve .onion names.

Also I'll be flagged as an "extremist" by the NSA according to recent news :P
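A small rule-order audit for the ruleset above, added here as an example and not part of the original post. It works on the text that `iptables -S OUTPUT` and `iptables -t nat -S OUTPUT` print: in the filter chain any rule listed after an unconditional REJECT can never match, and in the nat chain the uid-owner RETURN has to precede the REDIRECT to the TransPort or Tor's own connections would be fed back into Tor. The listings are constructed samples, not output captured from a device.

```shell
#!/bin/sh
# Audit helpers for the transparent-Tor ruleset, run over the text of `iptables -S OUTPUT`
# and `iptables -t nat -S OUTPUT`. The listings below are constructed samples.

# Filter chain in the order the post lists it: REJECT sits before the DROP rules.
FILTER_AS_POSTED='-P OUTPUT ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT ! -s 127.0.0.1/32 ! -d 127.0.0.1/32 ! -o lo -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -j DROP
-A OUTPUT ! -s 127.0.0.1/32 ! -d 127.0.0.1/32 ! -o lo -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -j DROP'

# Same rules with REJECT moved to the end, so every DROP rule is reachable.
FILTER_FIXED='-P OUTPUT ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT ! -s 127.0.0.1/32 ! -d 127.0.0.1/32 ! -o lo -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -j DROP
-A OUTPUT ! -s 127.0.0.1/32 ! -d 127.0.0.1/32 ! -o lo -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -j DROP
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable'

# nat chain as the post builds it: Tor's own UID is exempted before the REDIRECT.
NAT_AS_POSTED='-P OUTPUT ACCEPT
-A OUTPUT -m owner --uid-owner 0 -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A OUTPUT -d 127.0.0.0/9 -j RETURN
-A OUTPUT -d 127.128.0.0/10 -j RETURN
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040'

# Number of rules listed after an unconditional "-A OUTPUT -j REJECT": none of them can ever match.
dead_rule_count() {
    printf '%s\n' "$1" | awk '
        seen && /^-A OUTPUT/ { n++ }
        /^-A OUTPUT -j REJECT/ { seen = 1 }
        END { print n + 0 }'
}

# Succeeds only if the uid-owner RETURN precedes the REDIRECT to the given TransPort;
# otherwise Tor's own exit connections would be redirected back into Tor.
nat_order_ok() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /--uid-owner/ && /-j RETURN/ { if (!ret) ret = NR }
        $0 ~ "-j REDIRECT --to-ports " port "$" { red = NR }
        END { if (ret && red && ret < red) exit 0; exit 1 }'
}
```

On a live system feed it `"$(iptables -S OUTPUT)"` and `"$(iptables -t nat -S OUTPUT)"` instead of the samples.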