diff --git a/anonymizer.sh b/anonymizer.sh
new file mode 100644
index 0000000..532f12f
--- /dev/null
+++ b/anonymizer.sh
@@ -0,0 +1,163 @@
+#!/bin/bash
+
+# NAME: anonymizer.sh #
+# DESCRIPTION: Transparently routing traffic through Tor #
+# VERSION: 0.1.0 #
+# AUTHOR: netico #
+# ---------------------------------------------------------------------------- #
+# This code is free software; you can redistribute it and/or modify it under #
+# the terms of the GNU General Public License version 3 only, as published by #
+# the Free Software Foundation. #
+# This code is distributed in the hope that it will be useful, but WITHOUT ANY #
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS #
+# FOR A PARTICULAR PURPOSE. #
+
+# DOCUMENTATION -------------------------------------------------------------- #
+# ---------------------------------------------------------------------------- #
+# https://www.torproject.org/ #
+# https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy #
+# https://www.netfilter.org/projects/iptables/index.html #
+# #
+# To enable the transparent proxy and the DNS proxy add the following lines to #
+# /etc/tor/torrc: #
+# #
+# VirtualAddrNetworkIPv4 10.192.0.0/10 #
+# AutomapHostsOnResolve 1 #
+# TransPort 9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr \ #
+# IsolateDestPort #
+# DNSPort 5353 #
+# #
+# Configure your system's DNS resolver to use Tor's DNSPort on the loopback #
+# interface by modifying /etc/resolv.conf: #
+# #
+# nameserver 127.0.0.1 #
+
+# CONFIGURATION -------------------------------------------------------------- #
+# ---------------------------------------------------------------------------- #
+INTERFACE=enp7s0
+TOR_UID=112
+TOR_PORT=9040
+TOR_DNS_PORT=5353
+VIRTUAL_ADDRESS="10.192.0.0/10"
+IPTABLES=$(which iptables)
+
+# FUNCTIONS ------------------------------------------------------------------ #
+# ---------------------------------------------------------------------------- #
+reset_iptables () {
+ echo "Resetting iptables rules"
+
+ # Reset policies
+ $IPTABLES -P INPUT ACCEPT
+ $IPTABLES -P FORWARD ACCEPT
+ $IPTABLES -P OUTPUT ACCEPT
+ $IPTABLES -t nat -P PREROUTING ACCEPT
+ $IPTABLES -t nat -P POSTROUTING ACCEPT
+ $IPTABLES -t nat -P OUTPUT ACCEPT
+ $IPTABLES -t mangle -P PREROUTING ACCEPT
+ $IPTABLES -t mangle -P OUTPUT ACCEPT
+
+ # Flush rules and erase non default chains
+ $IPTABLES -F
+ $IPTABLES -X
+ $IPTABLES -t nat -F
+ $IPTABLES -t nat -X
+ $IPTABLES -t mangle -F
+ $IPTABLES -t mangle -X
+}
+
+transparent_proxy () {
+ echo "Adding iptables rules for interface $INTERFACE"
+
+ # *nat OUTPUT (local redirection)
+ # .onion addresses
+ $IPTABLES -t nat -A OUTPUT -d $VIRTUAL_ADDRESS -p tcp -m tcp \
+ --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports $TOR_PORT
+
+ # DNS requests to Tor
+ $IPTABLES -t nat -A OUTPUT -d 127.0.0.1/32 -p udp -m udp \
+ --dport 53 -j REDIRECT --to-ports $TOR_DNS_PORT
+
+ # Don't nat the Tor process and the loopback interface
+ $IPTABLES -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
+ $IPTABLES -t nat -A OUTPUT -o lo -j RETURN
+
+ # Redirect all other to Tor's TransPort
+ $IPTABLES -t nat -A OUTPUT -p tcp -m tcp \
+ --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports $TOR_PORT
+
+ # *filter INPUT
+ $IPTABLES -A INPUT -m state --state ESTABLISHED -j ACCEPT
+ $IPTABLES -A INPUT -i lo -j ACCEPT
+ $IPTABLES -A INPUT -j DROP
+
+ # *filter FORWARD
+ $IPTABLES -A FORWARD -j DROP
+
+ # *filter OUTPUT
+ $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
+ $IPTABLES -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
+
+ # Allow Tor process output
+ $IPTABLES -A OUTPUT -o $INTERFACE -m owner --uid-owner $TOR_UID \
+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state \
+ --state NEW -j ACCEPT
+
+ # Allow loopback output
+ $IPTABLES -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
+
+ # Tor transproxy magic
+ $IPTABLES -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport $TOR_PORT \
+ --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
+
+ # Log & Drop everything else
+ $IPTABLES -A OUTPUT -j LOG \
+ --log-prefix "Dropped OUTPUT packet: " --log-level 7 --log-uid
+ $IPTABLES -A OUTPUT -j DROP
+
+ # Set default policies to DROP
+ $IPTABLES -P INPUT DROP
+ $IPTABLES -P FORWARD DROP
+ $IPTABLES -P OUTPUT DROP
+}
+
+# MAIN ----------------------------------------------------------------------- #
+# ---------------------------------------------------------------------------- #
+if [ $USER != 'root' ]
+then
+ echo "Must be root for run this script! Bye."
+ exit 99
+fi
+
+case "$1" in
+ start)
+ echo -n "Starting tor service..."
+ service tor start && echo "Done!"
+ ;;
+ stop)
+ echo -n "Stopping tor service..."
+ service tor stop && echo "Done!"
+ ;;
+ restart)
+ echo -n "Restarting tor service..."
+ service tor restart && echo "Done!"
+ ;;
+ status)
+ service tor status &
+ ;;
+ reset)
+ reset_iptables
+ ;;
+ proxy)
+ $0 reset
+ $0 restart
+ transparent_proxy
+ ;;
+ log)
+ tail -20 /var/log/tor/notices.log
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|restart|reset|proxy|log}"
+ exit 2
+ ;;
+esac
+exit 0
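Review bot: The privilege check in the MAIN section relies on the `$USER` environment variable, which is caller-controlled and may be unset (the unquoted `[ $USER != 'root' ]` then becomes a syntax error rather than a refusal); the effective uid is the reliable signal, `if [[ "$(id -u)" -ne 0 ]]; then`. In the CONFIGURATION section `IPTABLES=$(which iptables)` is never checked, so if the lookup fails every rule line degrades to a "command not found" and, without `set -e`, the script runs to `exit 0` with no rules installed — `IPTABLES=$(command -v iptables) || { echo "iptables not found" >&2; exit 1; }` (or `set -euo pipefail` at the top) closes that fail-open path. The rule set only touches IPv4: no `ip6tables` policies or rules are set, so on a host with IPv6 connectivity TCP and DNS traffic over v6 bypasses the TransPort redirect and the OUTPUT DROP entirely; at minimum `transparent_proxy` and `reset_iptables` should mirror the policies and the final DROP in ip6tables, or the header comment should state that IPv6 must be disabled separately. Note also that `proxy` runs `reset` (policies ACCEPT, chains flushed) and a Tor restart before `transparent_proxy` appends its rules and sets DROP last, leaving a window in which traffic is neither redirected nor blocked; setting the filter policies to DROP before the `-A` rules, or loading the whole set atomically via `iptables-restore`, removes it.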