[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Yet another UDP / DNS quiestion...



I feel that I should explain something before I start asking any
questions so here we go: I'm a fresh convert to Linux (barely few week
on Ubuntu!) and as much as I'm fascinated by the matters relating to
networking, security and anonymity in equal measure I'm intimidated by
them. I don't posses any deep knowledge of those topics, I still barely
can handle the basics. But with the wealth of knowledge out there and a
healthy dose of experimentation I intend to change this. So if my
questions are naive (or plainly stupid) please bear in mind that I'm new
here. And now for what is bordering me...

I was reading Transparently Routing Traffic Through Tor
<https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy> and although I don't need to run Tor as transparent proxy I like the idea of routing the UDP/DNS requests to localhost. If I will reroute all those requests with iptables to the port on which Tor is listening I should have no problems with DNS leaking, right? That should do the trick then:

1. torrc 

DNSPort 53
DNSListenAddress 127.0.0.1

2. resolv.conf

nameserver 127.0.0.1

3. iptables 

iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT
--to-ports 53
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
iptables -A OUTPUT -j REJECT

I'm not an expert regarding iptables and 'man iptables' is *very*
frightening for someone who barely slides on the surface of all this.
From steep three above I sort of understand purpose of rules three and
four but rest of them... Are they needed in this example or they can be
safely omitted? If in fact they are required for this set-up to work
what is their purpose? I will of course replace $INT_IF and $TOR_UID
with required values.


-- 
Tomasz Moskal <ramshackle.industries@xxxxxxxxx>
Encrypted mail preferred. Key ID: 2C323C82


Attachment: signature.asc
Description: This is a digitally signed message part