> Could you describe your use case + threat model?

I'm terribly sorry for the chaos I'm causing, but right now I'm a very small and confused person :-)

Let me start from the beginning... I'm using the Privoxy + Tor combination. For Privoxy to properly handle TCP/HTTP requests and send them over the Tor network I have

    listen-address 127.0.0.1:8118

in my /etc/privoxy/config. Then, to make sure that Privoxy will be used globally, I added those four lines to /etc/environment:

    http_proxy="http://127.0.0.1:8118/"
    https_proxy="https://127.0.0.1:8118/"
    HTTP_PROXY=$http_proxy
    HTTPS_PROXY=$https_proxy

Now all TCP/HTTP traffic should go through the Privoxy -> Tor combination, at least in theory. As I understand it, Wireshark is the tool I should use to verify whether that is what is happening in reality. I compiled Wireshark but don't understand yet how to use it, so I will come back to verifying the routing of TCP/HTTP when I understand what I'm doing.

Next, I tried to use torsocks to make sure UDP/DNS requests are resolved through Tor. To accomplish that I added to /etc/privoxy/config:

    forward-socks4a / 127.0.0.1:9050 .
    forward-socks5 / 127.0.0.1:9050 .

My /etc/torsocks.conf looks like this:

    local = 127.0.0.0/255.128.0.0
    local = 127.128.0.0/255.192.0.0
    local = 169.254.0.0/255.255.0.0
    local = 172.16.0.0/255.240.0.0
    local = 192.168.0.0/255.255.0.0
    server = 127.0.0.1
    server_port = 9050

But I have two problems with using torsocks:

1. Not all applications seem to be working with it; for example, when I try "usewithtor empathy" I'm getting "Segmentation fault". Which is probably due to the problems with rejecting UDP:

   torsocks allows you to use most socks-friendly applications in a safe way with Tor. It ensures that DNS requests are handled safely and explicitly rejects UDP traffic from the application you're using.

   (from <https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorifyHOWTO>)

2. I would need to "usewithtor" every single application on my system to make sure DNS requests are resolved through Tor.

Then I came across Transparently Routing Traffic Through Tor <https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy>. And this is where more confusion and problems started! What I want to achieve with this wiki is to make sure all UDP/DNS requests will be sent through Tor. Now I intend to follow Local Redirection Through Tor from the mentioned wiki to the letter, and that will hopefully resolve the case of leaking DNS.

> # Block/reject all outgoing UDP traffic
> iptables -A OUTPUT -j REJECT
>
> This rule does not block UDP only, it rejects all traffic including UDP
> (if a packet makes its way to the last line).

So if I go ahead with the set-up from Local Redirection Through Tor it will allow out just the traffic going through Tor, stopping any and every kind of non-Tor traffic from leaving my machine. But if I want to allow traffic from certain applications I could do it by setting up an exception in iptables, right? And furthermore, with this solution there will be no need for me to use torsocks any more, yes?

> iptables -A OUTPUT -p udp -m owner --uid-owner $TOR_UID -j ACCEPT
>
> Why did you add -p udp here? Tor uses TCP.

My mistake! Fixed now.

> I'm wondering why one would want to set up a DNSPort configuration without
> TransPort.

That would be a lack of knowledge on my part; I misunderstood the information from the wiki. I got confused by this comment <http://www.hermann-uwe.de/blog/howto-anonymous-communication-with-tor-some-hints-and-some-pitfalls#comment-80205> which doesn't mention TransPort, and thus I thought it is not necessary.

> I wonder why your uid should be different every time you reboot, but you
> can also use the name of the user instead of the numerical value.

Well, I can't tell you why, but that's how it is. To double check, I rebooted twice just now and "ps -A | grep -w tor" each time gave me a different UID for tor.
-- 
Tomasz Moskal <ramshackle.industries@xxxxxxxxx>
Encrypted mail preferred. Key ID: 2C323C82
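An added example, not from this thread or the Tor wiki, of the "Local Redirection Through Tor" rule set the message above discusses: a shell function that prints the iptables commands for review instead of applying them, passing the user name to --uid-owner so a UID that changes between reboots does not matter. It assumes Tor runs as the system user "tor" with TransPort 9040 and DNSPort 5353 in torrc (illustrative values).

```shell
#!/bin/sh
# Added example, not from the original thread or the Tor wiki. Prints the
# "Local Redirection Through Tor" rule set for review instead of applying it.
# Assumed: Tor runs as system user "tor", with TransPort 9040 and DNSPort 5353
# in torrc (illustrative values; use the ones from your own torrc).

tor_rules() {
    user="$1"       # Tor's system user. --uid-owner takes a name, so a UID that
                    # changes between reboots does not matter.
    transport="$2"  # TransPort from torrc (transparent TCP redirection target)
    dnsport="$3"    # DNSPort from torrc (DNS resolution via Tor)
cat <<EOF
# nat table: Tor's own packets and loopback traffic must not be redirected;
# everything else gets its DNS and new TCP connections sent to DNSPort/TransPort.
iptables -t nat -A OUTPUT -m owner --uid-owner $user -j RETURN
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $dnsport
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $transport
# filter table: only established flows, loopback and Tor itself may leave.
# No "-p udp" on the owner rule: Tor talks TCP. The final REJECT stops
# everything else, UDP included; per-application exceptions (another
# "-m owner --uid-owner <user> -j ACCEPT") belong before it.
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $user -j ACCEPT
iptables -A OUTPUT -j REJECT
EOF
}

# Review the output, then apply as root:  tor_rules tor 9040 5353 | sh
```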