
#!/bin/bash
# NAME: anonymizer.sh #
# DESCRIPTION: Transparently route outbound IPv4 TCP (and local DNS) through Tor #
#              via iptables REDIRECT; all other IPv4 output is logged and dropped #
# VERSION: 0.1.0 #
# AUTHOR: netico <netico@riseup.net> #
# ---------------------------------------------------------------------------- #
# This code is free software; you can redistribute it and/or modify it under #
# the terms of the GNU General Public License version 3 only, as published by #
# the Free Software Foundation. #
# This code is distributed in the hope that it will be useful, but WITHOUT ANY #
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS #
# FOR A PARTICULAR PURPOSE. #
# DOCUMENTATION -------------------------------------------------------------- #
# ---------------------------------------------------------------------------- #
# https://www.torproject.org/ #
# https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy #
# https://www.netfilter.org/projects/iptables/index.html #
# #
# To enable the transparent proxy and the DNS proxy add the following lines to #
# /etc/tor/torrc: #
# #
# VirtualAddrNetworkIPv4 10.192.0.0/10 #
# AutomapHostsOnResolve 1 #
# TransPort 9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr \ #
# IsolateDestPort #
# DNSPort 5353 #
# #
# Configure your system's DNS resolver to use Tor's DNSPort on the loopback #
# interface by modifying /etc/resolv.conf: #
# #
# nameserver 127.0.0.1 #
# #
# Only UDP queries sent to 127.0.0.1:53 are redirected to the DNSPort. Queries #
# addressed to any other nameserver are not redirected; they are logged and #
# dropped by the OUTPUT policy, so make sure nothing (NetworkManager, #
# resolvconf, DHCP hooks) rewrites /etc/resolv.conf with another resolver. #
# CONFIGURATION -------------------------------------------------------------- #
# ---------------------------------------------------------------------------- #
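# Interface on which the tor daemon itself is allowed to open new connections.
INTERFACE=enp7s0
# UID the tor daemon runs as (debian-tor on Debian/Ubuntu; 112 is one specific
# host's value). It must match the real account: traffic from this UID is the
# only traffic that bypasses the redirect and is allowed out, so a wrong value
# loops Tor's own connections back into TransPort and cuts Tor off the network.
# Check with: id -u debian-tor
TOR_UID=112
# TransPort and DNSPort exactly as configured in /etc/tor/torrc (see header).
TOR_PORT=9040
TOR_DNS_PORT=5353
# VirtualAddrNetworkIPv4 range from torrc: Tor maps .onion names into it on
# resolve, and connections to it are redirected to TransPort.
VIRTUAL_ADDRESS="10.192.0.0/10"
# 'command -v' is a shell builtin; 'which' is an external tool that is not
# guaranteed to exist on a minimal system.
IPTABLES=$(command -v iptables)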
# FUNCTIONS ------------------------------------------------------------------ #
# ---------------------------------------------------------------------------- #
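# Restore the permissive default firewall: every policy back to ACCEPT, all
# rules flushed and user-defined chains deleted in the filter, nat and mangle
# tables. If ip6tables is present its policies/rules are reset as well, so a
# previous 'proxy' run that locked IPv6 down is undone too.
# NOTE: after this the host talks to the clearnet directly; nothing is routed
# through Tor until 'proxy' is run again.
# Globals: IPTABLES (read)
# Returns: 0 on success, 1 if the iptables binary is not available
reset_iptables () {
  local chain table ip6tables
  if [ ! -x "$IPTABLES" ]; then
    echo "iptables binary not found; cannot reset rules" >&2
    return 1
  fi
  echo "Resetting iptables rules"
  # Reset policies
  for chain in INPUT FORWARD OUTPUT; do
    "$IPTABLES" -P "$chain" ACCEPT
  done
  for chain in PREROUTING POSTROUTING OUTPUT; do
    "$IPTABLES" -t nat -P "$chain" ACCEPT
  done
  for chain in PREROUTING OUTPUT; do
    "$IPTABLES" -t mangle -P "$chain" ACCEPT
  done
  # Flush rules and erase non default chains
  for table in filter nat mangle; do
    "$IPTABLES" -t "$table" -F
    "$IPTABLES" -t "$table" -X
  done
  # iptables only touches IPv4; open IPv6 again as well when the tool exists.
  if ip6tables=$(command -v ip6tables); then
    for chain in INPUT FORWARD OUTPUT; do
      "$ip6tables" -P "$chain" ACCEPT
    done
    "$ip6tables" -F
    "$ip6tables" -X
  fi
}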
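# Install the Tor transparent-proxy firewall on the host.
#   nat/OUTPUT : TCP connection attempts to the .onion virtual range and to any
#                other destination are REDIRECTed to TransPort; UDP to
#                127.0.0.1:53 goes to DNSPort; Tor's own UID and loopback are
#                exempt from redirection.
#   filter     : INPUT accepts established flows and loopback only; FORWARD
#                drops everything; OUTPUT accepts established flows, new TCP
#                connections from Tor's UID on $INTERFACE, loopback and the
#                local TransPort hop; everything else is logged (with the
#                owning UID) and dropped. Default policies end up DROP.
#   IPv6       : iptables covers IPv4 only, so an unconstrained IPv6 path
#                would bypass Tor entirely. When ip6tables is available all
#                IPv6 except loopback is dropped; otherwise a warning is
#                printed and IPv6 is left untouched.
# Globals: INTERFACE, TOR_UID, TOR_PORT, TOR_DNS_PORT, VIRTUAL_ADDRESS, IPTABLES
# Returns: 0 on success; 1 (without touching any rule) when the iptables
#          binary is missing or TOR_UID does not name an existing account.
transparent_proxy () {
  local ip6tables
  if [ ! -x "$IPTABLES" ]; then
    echo "iptables binary not found; refusing to install rules" >&2
    return 1
  fi
  # Traffic from TOR_UID is the only traffic allowed out unredirected. If the
  # UID does not match the running tor daemon, Tor's own guard connections are
  # looped back into TransPort and then dropped by the OUTPUT filter, so
  # verify the account exists before changing anything.
  if ! getent passwd "$TOR_UID" >/dev/null 2>&1; then
    echo "TOR_UID=$TOR_UID is not a known user; check 'id -u debian-tor'" >&2
    return 1
  fi
  echo "Adding iptables rules for interface $INTERFACE"
  # *nat OUTPUT (local redirection)
  # .onion addresses (Tor maps them into VIRTUAL_ADDRESS on resolve)
  "$IPTABLES" -t nat -A OUTPUT -d "$VIRTUAL_ADDRESS" -p tcp -m tcp \
    --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports "$TOR_PORT"
  # DNS requests to Tor: only UDP aimed at the local resolver is redirected
  "$IPTABLES" -t nat -A OUTPUT -d 127.0.0.1/32 -p udp -m udp \
    --dport 53 -j REDIRECT --to-ports "$TOR_DNS_PORT"
  # Don't nat the Tor process and the loopback interface
  "$IPTABLES" -t nat -A OUTPUT -m owner --uid-owner "$TOR_UID" -j RETURN
  "$IPTABLES" -t nat -A OUTPUT -o lo -j RETURN
  # Redirect all other TCP connection attempts to Tor's TransPort
  "$IPTABLES" -t nat -A OUTPUT -p tcp -m tcp \
    --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports "$TOR_PORT"
  # *filter INPUT
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED -j ACCEPT
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  "$IPTABLES" -A INPUT -j DROP
  # *filter FORWARD
  "$IPTABLES" -A FORWARD -j DROP
  # *filter OUTPUT
  "$IPTABLES" -A OUTPUT -m state --state INVALID -j DROP
  "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
  # Allow Tor process output (new TCP connections only, on INTERFACE only)
  "$IPTABLES" -A OUTPUT -o "$INTERFACE" -m owner --uid-owner "$TOR_UID" \
    -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state \
    --state NEW -j ACCEPT
  # Allow loopback output
  "$IPTABLES" -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
  # Tor transproxy magic: the redirected SYN towards TransPort
  "$IPTABLES" -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport "$TOR_PORT" \
    --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  # Log & Drop everything else (--log-uid records which process tried to leak)
  "$IPTABLES" -A OUTPUT -j LOG \
    --log-prefix "Dropped OUTPUT packet: " --log-level 7 --log-uid
  "$IPTABLES" -A OUTPUT -j DROP
  # Set default policies to DROP
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -P OUTPUT DROP
  # IPv6: none of the rules above apply to it. Drop everything but loopback so
  # an IPv6-capable interface cannot be used to bypass Tor.
  if ip6tables=$(command -v ip6tables); then
    "$ip6tables" -F
    "$ip6tables" -X
    "$ip6tables" -A INPUT -i lo -j ACCEPT
    "$ip6tables" -A OUTPUT -o lo -j ACCEPT
    "$ip6tables" -P INPUT DROP
    "$ip6tables" -P FORWARD DROP
    "$ip6tables" -P OUTPUT DROP
  else
    echo "WARNING: ip6tables not found; IPv6 traffic is NOT blocked and bypasses Tor" >&2
  fi
}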
# MAIN ----------------------------------------------------------------------- #
# ---------------------------------------------------------------------------- #
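# Entry point: dispatch on the single sub-command given in $1.
# iptables and service control need root. $USER is not a reliable signal for
# that (it may be unset in cron/minimal environments, or still hold the
# invoking user under sudo), so check the effective UID instead.
if [ "$(id -u)" -ne 0 ]; then
  echo "Must be root for run this script! Bye." >&2
  exit 99
fi
case "$1" in
  start)
    echo -n "Starting tor service..."
    service tor start && echo "Done!"
    ;;
  stop)
    echo -n "Stopping tor service..."
    service tor stop && echo "Done!"
    ;;
  restart)
    echo -n "Restarting tor service..."
    service tor restart && echo "Done!"
    ;;
  status)
    # Run in the foreground: backgrounding it lost its output ordering and
    # exit status once the script exited.
    service tor status
    ;;
  reset)
    reset_iptables
    ;;
  proxy)
    # Start from clean tables, restart Tor so torrc changes take effect, then
    # install the rules. The rules are installed even if the Tor restart
    # failed: the host then fails closed (all non-loopback traffic dropped)
    # rather than leaking to the clearnet.
    reset_iptables
    echo -n "Restarting tor service..."
    service tor restart && echo "Done!"
    transparent_proxy || exit 1
    ;;
  log)
    tail -n 20 /var/log/tor/notices.log
    ;;
  *)
    echo "Usage: $0 {start|stop|status|restart|reset|proxy|log}" >&2
    exit 2
    ;;
esac
exit 0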