[guardian-dev] [PATCH] Everything-but-Tor transproxy-all

Nathan of Guardian nathan at guardianproject.info
Tue May 3 03:27:05 EDT 2011


patch accepted and merged. thx!

On 05/01/2011 09:46 AM, Manuel wrote:
> Hi all,
> 
> here's a small patch against the SVN head that adds a quasi-new
> "transproxy all" mode to Orbot transproxying. The current modes are
> transproxying by app and transproxying by port (the fallback option). As
> Nathan mentioned before, the problem with doing a full transproxy for
> ALL outbound TCP communication by simply enabling tor for all apps is
> that there are some special processes that are not listed by the package
> manager. I posted the currently known list in my previous mail, it
> includes things such as the MediaServer, GPS and VPN - all these are not
> being torified in the current Alpha, simply because their UID isn't
> determined.
> 
> The approach taken by this patch is probably best outlined with its
> iptables commands and the corresponding comments...
> ---------------------------
> // Set up port redirection
> iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner TOR_UID -m tcp --syn -j REDIRECT --to-ports TOR_TRANSPROXY_PORT
> 
> // Same for DNS
> iptables -t nat -A OUTPUT -p udp -m owner ! --uid-owner TOR_UID -m udp --dport STANDARD_DNS_PORT -j REDIRECT --to-ports TOR_DNS_PORT
> 
> // Allow packets to localhost (contains all the port-redirected ones)
> iptables -t filter -A OUTPUT -p tcp -d 127.0.0.1 -j ACCEPT
> 
> // Allow loopback
> iptables -t filter -A OUTPUT -p tcp -o lo -j ACCEPT
> 
> // Allow everything for Tor
> iptables -t filter -A OUTPUT -m owner --uid-owner TOR_UID -j ACCEPT
> 
> //XXX: Comment the following rules for non-debug builds
> iptables -t filter -A OUTPUT -p udp --dport STANDARD_DNS_PORT -j LOG --log-prefix='ORBOT_DNSLEAK_PROTECTION' --log-uid
> iptables -t filter -A OUTPUT -p tcp -j LOG --log-prefix='ORBOT_TCPLEAK_PROTECTION' --log-uid
> 
> // Reject DNS that is not from Tor (order is important - first matched rule counts!)
> iptables -t filter -A OUTPUT -p udp --dport STANDARD_DNS_PORT -j REJECT
> 
> // Reject all other outbound TCP packets
> iptables -t filter -A OUTPUT -p tcp -j REJECT
> ---------------------------
> 
> In short: The NAT setup is nearly the same (but instead of "NAT this
> specific uid", it goes "NAT everything but Tor"), but it rejects all
> untorified outbound TCP and DNS.
> 
> Additionally, since we're packaging a new version of iptables and the
> related code was non-functional (the "is old iptables" variable was
> hardcoded to false), I took the liberty of removing the short sections
> of code that contained variations of iptables commands used for iptables
> <=1.3.7 (iirc!). If you'd rather not include that part, just reply and
> I'll post a version without these changes.
> 
> I've also attached the log output of the REJECT rules (actually, of the
> LOG ones, but they match the same packets). All the packets in that log
> were rejected packets that would have been transmitted untorified
> otherwise - all of them should belong to existing connections, but
> please scrutinize that log output and do post if you see something
> suspicious. Oh, the last few packets were sent over 3G (interface
> rmnet0) cause I lost WiFi connectivity.
> 
> What does everyone think, would you like to include that patch? As for
> testing: I've done mine on CM 7.0.2, if anyone else would like to check
> it out (maybe on a different ROM), please go ahead.
> 
> Have a nice Sunday!
> 
> Best regards,
> 
> __sporkbomb
> 
> 
> 
