forked from ericpaulbishop/iptables_torify
-
Notifications
You must be signed in to change notification settings - Fork 0
/
torify.init
executable file
·113 lines (86 loc) · 2.39 KB
/
torify.init
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
#!/bin/bash
### BEGIN INIT INFO
# Provides: torify
# Required-Start: $local_fs $remote_fs $network $named $time
# Required-Stop: $local_fs $remote_fs $network $named $time
# Should-Start: $syslog
# Default-Start: 2 3 4 5
# Default-Stop:
# Short-Description: Forces Traffic Through Tor
# Description: Forces Traffic Through Tor
### END INIT INFO
tor_user="debian-tor"
dns_port="9061"
trans_port="9051"
tor_virtual_network="10.66.0.0/255.255.0.0"
do_start()
{
for table in nat filter ; do
target="ACCEPT"
if [ "$table" = "nat" ] ; then
target="RETURN"
fi
#initialize output chain
iptables -t $table -F OUTPUT
#ignore already established connections
iptables -t $table -A OUTPUT -m state --state ESTABLISHED -j $target
#don't send tor traffic through tor again
iptables -t $table -A OUTPUT -m owner --uid debian-tor -j $target
#handle dns traffic
match_dns_port="$dns_port"
if [ "$table" = "nat" ] ; then
target="REDIRECT --to-ports $dns_port"
match_dns_port=53
fi
iptables -t $table -A OUTPUT -p udp --dport $match_dns_port -j $target
iptables -t $table -A OUTPUT -p tcp --dport $match_dns_port -j $target
#handle hidden_service traffic
if [ -n "$tor_virtual_network" ] ; then
if [ "$table" = "nat" ] ; then
target="REDIRECT --to-ports $trans_port"
fi
iptables -t $table -A OUTPUT -d $tor_virtual_network -p tcp -j $target
fi
# don't send local/loopback stuff through tor
# all dns requests have already been sent to tor
# so, we don't have to worry about handling that specially
if [ "$table" = "nat" ] ; then
target="RETURN"
fi
iptables -t $table -A OUTPUT -d 127.0.0.1/8 -j $target
iptables -t $table -A OUTPUT -d 192.168.0.0/16 -j $target
iptables -t $table -A OUTPUT -d 172.16.0.0/12 -j $target
iptables -t $table -A OUTPUT -d 10.0.0.0/8 -j $target
#handle tcp traffic
if [ "$table" = "nat" ] ; then
target="REDIRECT --to-ports $trans_port"
fi
iptables -t $table -A OUTPUT -p tcp -j $target
done
#block non-local udp/icmp traffic
iptables -t filter -A OUTPUT -p udp -j REJECT
iptables -t filter -A OUTPUT -p icmp -j REJECT
}
do_stop()
{
for table in nat filter ; do
iptables -t $table -F OUTPUT
done
}
case "$1" in
start)
do_start
;;
stop)
do_stop
;;
restart)
do_stop
do_start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
;;
esac
exit 0