I'm trying to set up an iptables policy for Tor and the Tor Browser Bundle, which seems to be rare: from searching online I have never found an iptables setup for TBB, and none that mention its full set of default ports (socks, control, trans and DNS). Many of the iptables configurations related to Tor are complex, mostly in the name of transproxying, which is a secondary concern here. The typical desktop Tor policy isn't suitable for adapting.
My concern is running TBB with a minimal ruleset in a stricter environment by specifying TBB explicitly in iptables. I found this is only possible by specifying the tor ports (which should be possible in any case), isolating DNS to TBB, and making sure the connection is maintained without compromising isolation (i.e. avoiding DNS leaks) and with minimal extra packet transmission. Given mobile usage, this is more challenging.
So far I've been able to specify TBB's ports and DNS in its torrc file. After a few tries of watching it, re-specifying the defaults apparently completely broke TBB's operation (the reassigned port numbers didn't, which is a quirk): TBB now launches with the ports I specified without any issue.
The basic iptables policy shown here consists of minimal NAT rules mapping DNS to the tor DNS port and dumping UDP to port 9 (discard, per /etc/services), filter RELATED,ESTABLISHED rules, and the three outgoing ports for Tor itself (as far as I know the loopback allow and the icmp/igmp blocks are optional details, but they're shown). I'm not clear whether the DNS port assigned to Tor must be specified (other than the NAT redirect) - I've seen it done, but given that there's no way to otherwise isolate TBB (e.g. by UID) I would consider it a leak risk. From the little information I could find, Tor routes DNS through onion routing and performs the DNS lookup at the exit node end: but does its own DNS port need to be opened in the filter rules?
As can be seen from the -nvL readout, the Tor ports themselves show no outgoing packets, and after loopback all packets are dumped into the final DROP policy added at the end of the filter rules.
My initial assumption was that without separate DNS and DHCP allows the connection simply drops. This is suggested by the fact that if I switch back to the clearnet policy, with DNS and DHCP allowed in the filter, the connection has to be restarted to regain network access. Also, if I -nvL the clearnet policy, it can be seen that no traffic is transmitted on the DNS and DHCP ports; all of it must be going through the general all-protocol allow, which makes DNS and DHCP pointless for most public connections. This is often problematic in a mobile setting, since being able to control (or re-own) DNS lookups from ISPs, captive portals etc. is valuable.
Tor's own log generally shows "general SOCKS server failure", but I'm also not clear how Tor gets that far if no packets are moving through socks, control and trans.
I've tried including UDP in the NAT table DNS redirect (no change), allowing DHCP in the INPUT and OUTPUT filter rules (no change), and including the assigned Tor DNS port (5353 here) in the OUTPUT filter rules (no change). If the standard clearnet policy is restored, TBB runs successfully and quickly resolves network issues, which suggests the problem is definitely caused by iptables.
TBB iptables policy:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [4:240]
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 9
-A OUTPUT -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 5353
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p igmp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i wlan0 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o wlan0 -p tcp -m tcp --sport 9251 -j ACCEPT
-A OUTPUT -o wlan0 -p tcp -m tcp --sport 9250 -j ACCEPT
-A OUTPUT -o wlan0 -p tcp -m tcp --sport 9240 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
iptables output (-nvL):
Chain INPUT (policy DROP 8 packets, 798 bytes)
pkts bytes target prot opt in out source destination
9514 534K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT 2 -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
2 181 ACCEPT all -- wlan0 * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
0 0 ACCEPT all -- wlan0 * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
9514 534K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * wlan0 0.0.0.0/0 0.0.0.0/0 tcp spt:9251
0 0 ACCEPT tcp -- * wlan0 0.0.0.0/0 0.0.0.0/0 tcp spt:9250
0 0 ACCEPT tcp -- * wlan0 0.0.0.0/0 0.0.0.0/0 tcp spt:9240
35 2300 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Tor log 1:
01/12/2018 12:06:17.600 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
01/12/2018 12:06:17.600 [NOTICE] Switching to guard context "bridges" (was using "default")
01/12/2018 12:06:30.900 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all
01/12/2018 12:06:30.900 [NOTICE] Opening Socks listener on 127.0.0.1:9250
01/12/2018 12:06:30.900 [NOTICE] Opening Socks listener on 127.0.0.1:9150
01/12/2018 12:06:30.900 [NOTICE] Opening DNS listener on 127.0.0.1:5353
01/12/2018 12:06:30.900 [NOTICE] Opening Transparent pf/netfilter listener on 127.0.0.1:9240
01/12/2018 12:06:32.800 [NOTICE] Bootstrapped 5%: Connecting to directory server
01/12/2018 12:06:32.800 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server
01/12/2018 12:06:34.000 [WARN] Proxy Client: unable to connect to 109.105.109.163:47779 ("general SOCKS server failure")
01/12/2018 12:06:34.000 [WARN] Proxy Client: unable to connect to 109.105.109.163:38980 ("general SOCKS server failure")
01/12/2018 12:06:34.000 [WARN] Proxy Client: unable to connect to 169.229.59.75:46328 ("general SOCKS server failure")
01/12/2018 12:06:34.000 [WARN] Proxy Client: unable to connect to 83.212.101.3:80 ("general SOCKS server failure")
01/12/2018 12:08:46.000 [NOTICE] Closing no-longer-configured Transparent pf/netfilter listener on 127.0.0.1:9240
(Closing, etc.)
Tor log 2:
01/12/2018 12:10:06.900 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
01/12/2018 12:10:21.800 [NOTICE] Opening Socks listener on 127.0.0.1:9250
01/12/2018 12:10:21.800 [NOTICE] Opening Socks listener on 127.0.0.1:9150
01/12/2018 12:10:21.800 [NOTICE] Opening DNS listener on 127.0.0.1:5353
01/12/2018 12:10:21.800 [NOTICE] Opening Transparent pf/netfilter listener on 127.0.0.1:9240
01/12/2018 12:10:23.300 [NOTICE] Bootstrapped 5%: Connecting to directory server
01/12/2018 12:10:23.300 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server
01/12/2018 12:10:24.200 [WARN] Proxy Client: unable to connect to 85.31.186.26:443 ("general SOCKS server failure")
01/12/2018 12:10:24.200 [WARN] Proxy Client: unable to connect to 37.218.245.14:38224 ("general SOCKS server failure")
01/12/2018 12:10:24.200 [WARN] Proxy Client: unable to connect to 154.35.22.11:443 ("general SOCKS server failure")
01/12/2018 12:10:24.200 [WARN] Proxy Client: unable to connect to 109.105.109.147:13764 ("general SOCKS server failure")
01/12/2018 12:10:24.200 [WARN] Proxy Client: unable to connect to 109.105.109.165:10527 ("general SOCKS server failure")
01/12/2018 12:10:24.200 [WARN] Proxy Client: unable to connect to 154.35.22.13:443 ("general SOCKS server failure")
01/12/2018 12:10:24.200 [WARN] Proxy Client: unable to connect to 192.95.36.142:443 ("general SOCKS server failure")
01/12/2018 12:10:24.200 [WARN] Proxy Client: unable to connect to 38.229.1.78:80 ("general SOCKS server failure")
01/12/2018 12:10:24.200 [WARN] Proxy Client: unable to connect to 154.35.22.10:15937 ("general SOCKS server failure")
01/12/2018 12:10:24.200 [WARN] Proxy Client: unable to connect to 154.35.22.9:443 ("general SOCKS server failure")
01/12/2018 12:10:24.200 [WARN] Proxy Client: unable to connect to 83.212.101.3:50002 ("general SOCKS server failure")
01/12/2018 12:10:24.200 [WARN] Proxy Client: unable to connect to 85.17.30.79:443 ("general SOCKS server failure")
01/12/2018 12:10:24.200 [WARN] Proxy Client: unable to connect to 192.99.11.54:443 ("general SOCKS server failure")
01/12/2018 12:10:24.200 [WARN] Proxy Client: unable to connect to 38.229.33.83:80 ("general SOCKS server failure")
01/12/2018 12:10:24.200 [WARN] Proxy Client: unable to connect to 85.31.186.98:443 ("general SOCKS server failure")
01/12/2018 12:10:24.200 [WARN] Proxy Client: unable to connect to 154.35.22.12:80 ("general SOCKS server failure")
01/12/2018 12:10:24.200 [WARN] Proxy Client: unable to connect to 37.218.240.34:40035 ("general SOCKS server failure")
01/12/2018 12:11:01.200 [NOTICE] Closing no-longer-configured Transparent pf/netfilter listener on 127.0.0.1:9240
(Closing, etc.)
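As an added example (not part of the question above, and not Tor project code), here is a small Python tool that parses an `iptables -nvL` readout like the one posted here and reports which rules never matched, where the rest of the packets went (per target and per chain policy), and which OUTPUT rules are keyed only on a source port. The embedded sample is the readout from the question; the only assumption is the default -nvL column layout with a target on every rule, and the `-x` remark refers to the real iptables flag that prints exact instead of K/M/G-rounded counters.

```python
"""Summarise an `iptables -nvL` counter dump: which rules matched, where the rest went.

Added example, not code from the question or from the Tor project.
Assumes the default -nvL column layout (pkts bytes target prot opt in out
source destination [extra]) with a target on every rule, as in the question.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input: the -nvL readout posted in the question, embedded verbatim.
SAMPLE_NVL = """\
Chain INPUT (policy DROP 8 packets, 798 bytes)
 pkts bytes target prot opt in out source destination
 9514 534K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
 0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
 0 0 REJECT 2 -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
 2 181 ACCEPT all -- wlan0 * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
 0 0 ACCEPT all -- wlan0 * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 9514 534K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT tcp -- * wlan0 0.0.0.0/0 0.0.0.0/0 tcp spt:9251
 0 0 ACCEPT tcp -- * wlan0 0.0.0.0/0 0.0.0.0/0 tcp spt:9250
 0 0 ACCEPT tcp -- * wlan0 0.0.0.0/0 0.0.0.0/0 tcp spt:9240
 35 2300 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
"""

# Built-in chains print their policy and its counters; user chains print a reference count.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\d+) packets, (\d+) bytes|\d+ references)\)")
RULE_RE = re.compile(
    r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)
SPT_ONLY_RE = re.compile(r"^(?:tcp|udp) spt:(\d+)$")


@dataclass
class Rule:
    pkts: int
    byte_count: int
    target: str
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str


@dataclass
class Chain:
    name: str
    policy: Optional[str]      # None for user-defined chains
    policy_pkts: int           # packets that fell through every rule to the policy
    rules: List[Rule] = field(default_factory=list)


def _count(tok: str) -> int:
    # -nvL rounds large counters to K/M/G (units of 1000); `iptables -x` prints exact values.
    mult = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    return int(tok[:-1]) * mult[tok[-1]] if tok[-1] in mult else int(tok)


def parse_nvl(text: str) -> Dict[str, Chain]:
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2), int(m.group(3) or 0))
            chains[current.name] = current
            continue
        if current is None or not line.strip() or line.strip().startswith("pkts"):
            continue  # blank line or the column header
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised rule line: {line!r}")
        pkts, byts, target, prot, _opt, in_if, out_if, src, dst, extra = m.groups()
        current.rules.append(Rule(_count(pkts), _count(byts), target, prot,
                                  in_if, out_if, src, dst, extra.strip()))
    return chains


def zero_hit_rules(chains: Dict[str, Chain]) -> List[Tuple[str, int, str]]:
    """Rules whose counter is still 0, as (chain, 1-based rule number, description)."""
    hits = []
    for chain in chains.values():
        for i, r in enumerate(chain.rules, start=1):
            if r.pkts == 0:
                hits.append((chain.name, i, f"{r.target} {r.prot} in={r.in_if} out={r.out_if} {r.extra}".strip()))
    return hits


def traffic_by_verdict(chains: Dict[str, Chain]) -> Dict[str, Dict[str, int]]:
    """Per chain: packets per target, plus packets that reached the chain policy."""
    result: Dict[str, Dict[str, int]] = {}
    for chain in chains.values():
        verdicts: Dict[str, int] = {}
        for r in chain.rules:
            verdicts[r.target] = verdicts.get(r.target, 0) + r.pkts
        if chain.policy is not None:
            verdicts[f"policy {chain.policy}"] = chain.policy_pkts
        result[chain.name] = verdicts
    return result


def sport_only_output_rules(chains: Dict[str, Chain]) -> List[int]:
    """Source ports of OUTPUT rules whose only layer-4 match is `--sport`.

    In OUTPUT a --sport match catches packets sent *from* that local port, i.e.
    replies emitted by a listener bound there. A connection the host itself
    opens leaves from an ephemeral source port and never matches such a rule,
    so a 0 counter here is expected and says nothing about outbound traffic.
    """
    output = chains.get("OUTPUT")
    if output is None:
        return []
    return [int(m.group(1)) for r in output.rules if (m := SPT_ONLY_RE.match(r.extra))]


if __name__ == "__main__":
    parsed = parse_nvl(SAMPLE_NVL)
    for name, verdicts in traffic_by_verdict(parsed).items():
        print(name, verdicts)
    for chain, num, desc in zero_hit_rules(parsed):
        print(f"never matched: {chain} rule {num}: {desc}")
    print("OUTPUT rules keyed only on --sport:", sport_only_output_rules(parsed))
```

Run against the question's readout it shows the three `spt:` rules with zero hits while 35 packets land on the final OUTPUT REJECT; on a live system pipe `iptables -nvL` (or `-nvLx` for exact counters) into `parse_nvl` instead of the embedded sample.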