You are not logged in.
Pages: 1
Topic closed
Hello arch-community,
after a long while of searching and trying I don't still found any solution for my problem, so I'm here.
I want to do this: http://www.howtoforge.com/how-to-set-up … or-network on my arch but the first problem is that there is no file called /etc/network/interfaces.
So I have to get a bridge with the arch tools on following settings:
auto vnet0
iface vnet0 inet static
address 172.16.0.1
netmask 255.255.255.0
bridge_ports none
bridge_maxwait 0
bridge_fd 1
up iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
down iptables -t nat -D POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
My idea is to start the bridge like this:
brctl addbr br0
ifconfig vnet0 172.16.0.1 netmask 255.255.255.0 up
iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
But there are missing these options:
auto vnet0
vnet0 inet static
bridge_ports none
bridge_maxwait 0
bridge_fd 1
And I don't know how to set them.
For the rest it should be the same as the tutorial.
Sry for my bad english...
Thx
--------------------------------------------------
Edit:
Some more informations
I just tried to do the tutorial without the settings I can't find:
brctl addbr vnet0
iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
ifconfig vnet0 172.16.0.1 netmask 255.255.255.0 up
/etc/dnsmasq.conf = interface=vnet0
dhcp-range=172.16.0.2,172.16.0.254,1h
systemctl start dnsmasq.service
/etc/tor/torrc =
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 172.16.0.1
DNSPort 53
DNSListenAddress 172.16.0.1
systemctl start tor.service
middlebox.sh :
#!/bin/sh
# destinations you don't want routed through Tor
NON_TOR="192.168.1.0/24"
# Tor's TransPort
TRANS_PORT="9040"
# your internal interface
INT_IF="vnet0"
iptables -F
iptables -t nat -F
for NET in $NON_TOR; do
iptables -t nat -A PREROUTING -i $INT_IF -d $NET -j RETURN
done
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -A FORWARD -i $INT_IF -p udp -j DROP
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
Now i can connect with my host through 172.16.0.1:9040 as SOCKS
but in my Virtualbox VM I doesn't even get the correct IP from dnsmasq. Also if I set manually the IP, Gateway and DNS the VM doesn't connect. On the VM is WinXP
netstat -nr returns:
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 wlan0
172.16.0.0 0.0.0.0 255.255.255.0 U 0 0 0 vnet0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
iptables -t nat -L returns:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
RETURN all -- anywhere 192.168.1.0/24
REDIRECT udp -- anywhere anywhere udp dpt:domain redir ports 53
REDIRECT tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN redir ports 9040
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
and nmap 172.16.0.1 returns:
Nmap scan report for 172.16.0.1
Host is up (0.000013s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
53/tcp open domain
9040/tcp open tor-trans
I think it looks all OK, but the VM have absolute not connection to vnet0.
Last edited by NeedH31P (2012-10-16 15:15:40)
Offline
Is here someone, who can help me or who knows, where I can find a solution.
Offline
Much of what I see seems fine.
One thing you could do to make things simpler would be this...
Instead of trying to mess with the network VirtualBox creates... simply create a bridge device and tap devices. Then in VirtualBox, go to the networking config of the VM's, and configure them to use tap0, tap1, tap2 and so on. That way you at least know for sure the VM is connected to the bridge device. Then configure a static IP in the VM instead of useing dnsmasq, so you know the VM has an IP in the correct subnet.
brctl addbr br0
tunctl -u $USER -g users
brctl addif br0 tap0
ifconfig br0 172.16.0.1 netmask 255.255.255.0 up
ifconfig tap0 up
Now all you have to do is configure iptables.
Also, check netstat -nvl to make sure Tor is listening on the port it should be, and that it is listening on the IP it should be.
Really, this is good stuff to learn. Keep at it. Instead of going for scripts right away, configure it by hand until you get it to work. In the process of doing this you will learn a lot, so keep at it ... sorry I don't have time right now to hammer out all the configs for you, but what I can say is that it looks like you have all the command there to get the job done, but some little thing is incorrect.
Owe, and maybe you also need to enable ip_forwarding
cat /proc/sys/net/ipv4/ip_forward
sudo echo '1' > /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/ip_forward
Last edited by hunterthomson (2012-10-25 09:06:23)
OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec
Offline
I was just working on this problem, and this thread set me on the correct path, so I wanted to post my working configuration. The original tutorial from HowtoForge is based on information found here: https://trac.torproject.org/projects/to … arentProxy
I think the original poster ran into 'iptables -F', and 'iptables -t nat -F' in the script they posted. These were a problem because it flushes existing rules and destroys the masquerade. As far as DHCP goes, some VMs were able to get an address, and some did not, and those I was able to set manually without a problem.
First, I am using KVM and virt-manager, and it creates tap devices for me, but you might need to change that for other setups. I chose to use vidalia because I like the interface, and it was helpful while debugging. The traffic graph is also a good check to see things working. The overall procedure works, but I would rather not run it as root, however this was more of a proof of concept so I didn't care. If you plan on running this configuration in any serious manner, I suggest you change this to work with the systemd service.
/etc/dnsmasq.conf
interface=torbr0
dhcp-range=172.16.0.100,172.16.0.150,1h
I left the system torrc file alone, but here is the content anyway.
/etc/tor/torrc
## CONFIGURED FOR ARCHLINUX
## Last updated 22 July 2005 for Tor 0.1.0.13.
SocksPort 9050 # what port to open for local application connections
SocksBindAddress 127.0.0.1 # accept connections only from localhost
AllowUnverifiedNodes middle,rendezvous
Log notice syslog
RunAsDaemon 1
User tor
Group tor
DataDirectory /var/lib/tor
I did the extra configurations in the user specific torrc so that I could edit it with the GUI, and also have quick access to the logging interface when I broke stuff.
/root/.vidalia/torrc
AutomapHostsOnResolve 1
ControlPort 9051
DataDirectory /root/.tor
DirReqStatistics 0
DNSPort 53
DNSListenAddress 172.16.0.1
Log notice stdout
TransListenAddress 172.16.0.1
TransPort 9040
VirtualAddrNetwork 10.192.0.0/10
/usr/local/bin/tor-middlebox.sh
Warning: This setup runs Vidalia as root, and in a perfect world it should not.
#!/bin/sh
# destinations you don't want routed through Tor
NON_TOR=(192.168.1.0/24)
# Tor's TransPort
TRANS_PORT="9040"
# your internal interface
INT_IF="torbr0"
brctl addbr torbr0
ifconfig torbr0 172.16.0.1 netmask 255.255.255.0 up
sysctl net.ipv4.ip_forward=1
systemctl start dnsmasq
vidalia &
iptables -F
iptables -t nat -F
iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
for NET in $NON_TOR; do
iptables -t nat -A PREROUTING -i $INT_IF -d $NET -j RETURN
done
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -A FORWARD -i $INT_IF -p udp -j DROP
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
Offline
Hi,
Here is my solution I just tinkered based on several other articles (1. & 2. + Arch wiki) and adjusted for Arch running system:
1. Install some necessary packages: 'sudo pacman -S tor iptables'
2. Enable packet forwarding: 'sudo echo net.ipv4.ip_forward=1 > /etc/sysctl.d/30-ipforward.conf'
3. Load the previous point's setting without a reboot: 'sudo sysctl --system'
4. Create new NIC (a bridged MACVLAN) 'sudo vim /etc/netctl/tor0_bridge' and update it with following:
Description='eth0-tor macvlan bridge interface'
Interface=tor0
Connection=macvlan
BindsToInterfaces=(eth0)
MACAddress=1a:2b:3c:4d:5e:6e
Mode=bridge
IP=static
Address='172.16.0.1/24'
SkipForwardingDelay=yes
IP6=no
5. Either enable the new NIC to be started by default after system start 'sudo netctl enable tor_bridge' and/or start it manually 'sudo netctl start tor_bridge', it's up to you. Afterwards you can check the new NIC via 'ip addr' command, where you should see new interface like tor0@eth0.
6. Tor config - add the following to the end of the Tor cfg file 'sudo vim /etc/tor/torrc':
RunAsDaemon 0
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 172.16.0.1
DNSPort 9053
DNSListenAddress 172.16.0.1
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion
7. Either enable the Tor to be started by default after system start 'sudo systemctl enable tor.service' and/or start it manually 'sudo systemctl start tor.service', it's up to you.
8. iptables config - if you have no *filter rules configured (no DROP or REJECT in the INPUT, OUTPUT, FORWARD chains), you should be fine with the following *nat (+ save it: iptables-save, of course):
iptables -t nat -A PREROUTING -i tor0 -d 192.168.0.0/24 -j RETURN
iptables -t nat -A PREROUTING -i tor0 -p udp -m udp --dport 53 -j REDIRECT --to-port 9053
iptables -t nat -A PREROUTING -i tor0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-port 9040
iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
9. If you do have the iptable's *filter configured (to DROP or REJECT), in addittion to the previous point also the following would be required, in order to pass through:
iptables -A INPUT -i tor0 -p tcp --dport 9040 -j ACCEPT
iptables -A INPUT -i tor0 -p udp --dport 9053 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j REJECT --reject-with icmp-host-unreachable
or just replace the first two lines with simper 'iptables -A INPUT -i tor0 -j ACCEPT'
10. Configure the VirtualBox VM to use "Bridged Adapter" tor0 NIC only.
11. When you start the VM, configure it to use IP address e.g. 172.16.0.2-254/24 or you can set up the dnsmasq on your host to provide a DHCP address for the VM.
P.S.1: the ICMP will be returning only "icmp-host-unreachable", but the DNS & TCP should be working.
P.S.2: feel free to improve this HOWTO (especially the iptables part, where I'm still an amateur).
Logic clearly dictates that the needs of the many outweigh the needs of the few.
Offline
8472, please read our guidelines on leaving the dead to rest in peace: https://wiki.archlinux.org/index.php/Fo … bumping.22
This is a 3 year thread; a lot has changed in Arch in that time. OP hasn't visited the forums in 18 months. They've either solved their issue, or no longer need to solve it.
Closing.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Offline
Pages: 1
Topic closed