Project

General

Profile

Support #852

Setup a Transparent TOR System Proxy on Arch Linux

Added by Daniel Curtis about 8 years ago. Updated about 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
The Onion Router (TOR)
Target version:
Start date:
09/25/2016
Due date:
% Done:

100%

Estimated time:
1.00 h
Spent time:

Description

This is a guide on setting up a transparent system proxy over TOR on Arch Linux.

Prepare the Environment

  • Make sure the system is up to date:
    pacman -Syu
    

Install TOR

  • Install TOR:
    pacman -S tor
    
  • Edit the tor config file:
    nano /etc/tor/torrc
    
    • And add/modify the following values:
      SocksPort 9050
      DNSPort 5353
      TransPort 9040
      
  • Start and enable tor at boot:
    systemctl enable tor
    systemctl start tor
    

Configure IPTables

  • Install iptables:
    pacman -S iptables
    
  • Enable the required kernel modules:
    modprobe ip_tables
    modprobe iptable_nat
    modprobe ip_conntrack
    modprobe iptable-filter
    modprobe ipt_state
    
  • Create the iptables rules file:
    sudo nano /etc/iptables/iptables.rules
    
    • And add the following:
      *nat
      :PREROUTING ACCEPT [6:2126]
      :INPUT ACCEPT [0:0]
      :OUTPUT ACCEPT [17:6239]
      :POSTROUTING ACCEPT [6:408]
      
      -A PREROUTING ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
      -A PREROUTING ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
      -A OUTPUT -o lo -j RETURN
      --ipv4 -A OUTPUT -d 192.168.0.0/16 -j RETURN
      -A OUTPUT -m owner --uid-owner "tor" -j RETURN
      -A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
      -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
      COMMIT
      
      *filter
      :INPUT DROP [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT DROP [0:0]
      
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p icmp -j ACCEPT
      -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      --ipv4 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
      --ipv4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
      --ipv4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
      --ipv6 -A INPUT -j REJECT
      --ipv4 -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
      --ipv4 -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
      --ipv6 -A OUTPUT -d ::1/8 -j ACCEPT
      -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A OUTPUT -m owner --uid-owner "tor" -j ACCEPT
      --ipv4 -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
      --ipv6 -A OUTPUT -j REJECT
      COMMIT
      

      NOTE: Make sure to change the network address in the iptables rule file to the appropriate network address.
  • Create a link to enable the rules for IPv6:
    ln -s /etc/iptables/iptables.rules /etc/iptables/ip6tables.rules
    
  • Start and enable the iptables rules at boot:
    systemctl start iptables
    systemctl start ip6tables
    systemctl enable iptables
    systemctl enable ip6tables
    

Autostart

  • Edit the display-manager systemd unit file:
    nano /etc/systemd/system/display-manager.service
    
    • And add the Requires=iptables.service and Requires=ip6tables.service at the end of the [Unit] tag:
      [Unit]
      Description=LXDE Display Manager
      Conflicts=getty@tty1.service plymouth-quit.service
      After=systemd-user-sessions.service getty@tty1.service plymouth-quit.service
      Requires=iptables.service
      Requires=ip6tables.service
      
      [Service]
      ExecStart=/usr/sbin/lxdm
      Restart=always
      IgnoreSIGPIPE=no
      
      [Install]
      Alias=display-manager.service
      
  • Reload systemd:
    sudo systemctl --system daemon-reload
    
  • Reboot:
    reboot
    

Resources

#1

Updated by Daniel Curtis about 8 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100
#2

Updated by Daniel Curtis about 8 years ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF