Eu gostaria de tunelar o tráfego do meu roteador FON através de Tor . Para isso, adicionei uma segunda placa de rede a um servidor local e conectei o roteador FON a ela. Então eu configurei um servidor DHCP e configurei o serviço Tor. Isso tudo funciona. Agora vem a parte que não funciona: eu configurei um par de regras iptables para redirecionar o tráfego FON através da conexão de internet normal e o tráfego do cliente FON através do Tor. Isso funciona um pouco: o roteador FON pode se registrar no FON, mas de alguma forma depois de um tempo, fon diz que o roteador está offline. As regras do iptables são:
# 192.168.69.0/24 -> fon lan
# destinations not routed through Tor
NON_TOR="192.168.0.0/16 172.29.0.0/24"
# TOR user
TOR_UID="117"
# Tor's TransPort
TRANS_PORT="9040"
# interface to tor router
INT_IF="eth2"
# interface to internet
EXT_IF="eth0"
iptables -F
iptables -t nat -F
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
# radius
for i in 160 161 162 163
do
iptables -A INPUT -i $INT_IF -p udp --destination-port 1812:1813 -j ACCEPT
iptables -A FORWARD -i eth2 -o $EXT_IF -p udp -s 192.168.69.0/24 --destination-port 1812:1813 -d 213.134.45.$i -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.69.0/24 --destination-port 1812:1813 -d 213.134.45.$i -j ACCEPT
iptables -A INPUT -i $INT_IF -p tcp --destination-port 1812:1813 -j ACCEPT
iptables -A FORWARD -i eth2 -o $EXT_IF -p tcp -s 192.168.69.0/24 --destination-port 1812:1813 -d 213.134.45.$i -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.69.0/24 --destination-port 1812:1813 -d 213.134.45.$i -j ACCEPT
iptables -A INPUT -i $INT_IF -p udp --destination-port 1812:1813 -j ACCEPT
done
# 1938
iptables -A INPUT -i $INT_IF -p tcp --destination-port 1938 -j ACCEPT
iptables -A FORWARD -i eth2 -o $EXT_IF -p tcp -s 192.168.69.0/24 --destination-port 1938 -d 213.134.45.190 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.69.0/24 --destination-port 1938 -d 213.134.45.190 -j ACCEPT
# 53
iptables -A INPUT -i $INT_IF -p udp --destination-port 53 -j ACCEPT
iptables -A FORWARD -i eth2 -o $EXT_IF -p udp -s 192.168.69.0/24 --destination-port 53 -d 213.134.45.190 -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.69.0/24 --destination-port 53 -d 213.134.45.190 -j ACCEPT
# 1937
iptables -A INPUT -i $INT_IF -p tcp --destination-port 1937 -j ACCEPT
iptables -A FORWARD -i eth2 -o $EXT_IF -p tcp -s 192.168.69.0/24 --destination-port 1937 -d 213.134.45.191 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.69.0/24 --destination-port 1937 -d 213.134.45.191 -j ACCEPT
# 123
iptables -A INPUT -i $INT_IF -p udp --destination-port 123 -j ACCEPT
iptables -A FORWARD -i eth2 -o $EXT_IF -p udp -s 192.168.69.0/24 --destination-port 123 -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.69.0/24 --destination-port 123 -j ACCEPT
iptables -A FORWARD -i eth2 -o $EXT_IF -d 192.168.0.0/16 -j REJECT
iptables -A FORWARD -i eth2 -o $EXT_IF -p udp -d 0.0.0.0/0 -j REJECT
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
for NET in $NON_TOR; do
iptables -t nat -A OUTPUT -d $NET -j RETURN
iptables -t nat -A PREROUTING -i $INT_IF -d $NET -j RETURN
done
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
for NET in $NON_TOR 127.0.0.0/8; do
iptables -A OUTPUT -d $NET -j ACCEPT
done
iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
iptables -A OUTPUT -j REJECT
Tags networking iptables tor