我在 Raspberry Pi 上运行一个 tor 路由器,并设置以下 iptables 规则(wlan0:带有客户端的内部网络 / wlan1:互联网):
:INPUT DROP [12:3771]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [544:242321]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT ! -s 192.0.0.0/8 -i wlan0 -j LOG --log-prefix "SPOOFED PKT "
-A INPUT ! -s 192.0.0.0/8 -i wlan0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i wlan0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT ! -s 127.0.0.1/32 ! -d 127.0.0.1/32 ! -o lo -p tcp -m tcp --tcp-flags RST,ACK RST,ACK -j DROP
COMMIT
# Completed on Sat Mar 18 22:30:17 2023
# Generated by iptables-save v1.8.7 on Sat Mar 18 22:30:17 2023
*nat
:PREROUTING ACCEPT [609109:124689904]
:INPUT ACCEPT [272613:29686827]
:OUTPUT ACCEPT [2131:306630]
:POSTROUTING ACCEPT [1583:253278]
-A PREROUTING -d 192.168.42.1/32 -i wlan0 -p tcp -j REDIRECT
-A PREROUTING -i wlan0 -p tcp -j REDIRECT --to-ports 9040
-A PREROUTING -i wlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
-A PREROUTING -i wlan0 -p udp -j REDIRECT --to-ports 9040
-A POSTROUTING -o wlan1 -j MASQUERADE
COMMIT
一切正常。使用客户端上的浏览器(连接到wlan0)到达时https://check.torproject.org/显示正在使用 tor。我想添加 ip 表规则以排除某些域通过 tor 路由。这些域应从客户端转发到目的地并直接连接到目的地,就像我们在简单的 NAT/MASQUERADING 情况下所做的那样。例如,如果我们将规则设置为排除check.torproject.org(或我们从中获得的等效 IP 地址dig check.torproject.org +short),则使用客户端上的浏览器应该会显示不再使用 tor。
我尝试使用以下命令来添加这样的规则:
sudo iptables -t nat -I PREROUTING 1 -i wlan0 -d `dig check.torproject.org +short`/32 -j ACCEPT
或者:
sudo iptables -t nat -I PREROUTING 3 -i wlan0 -d <IPADRESS>/32 -j ACCEPT
我也尝试过结合使用:
sudo iptables -I FORWARD 1 -i wlan0 -d <IPADRESS>/32 -j ACCEPT
在所有这些情况下,客户端上的浏览器https://check.torproject.org/都会一直加载。浏览器似乎没有收到任何响应。我是否必须添加另一条 iptables 规则,还是我完全错了?
答案1
经过几个小时的尝试和研究,我决定采用不同的方法并使用ipset。基于现有的配置(参见顶部的 iptables 转储),我必须使用以下命令:
# Create and configure clearnet-list with ipset
sudo ipset create clearnet-list hash:ip
sudo ipset add clearnet-list <IPADDRESS> -exist
# -i is the interface where the clients are connected to the TorBox
# Delete rules, which are not needed anymore
sudo iptables -t nat -D PREROUTING -i wlan0 -p tcp -j REDIRECT --to-ports 9040
sudo iptables -t nat -D PREROUTING -i wlan0 -p udp -j REDIRECT --to-ports 9040
# Add new rules with ipset / clearnet-list support --> IP addresses, which are NOT on the clearnet-list are routed through tor (which means: most of them)
sudo iptables -t nat -I PREROUTING 3 -i wlan0 -m set ! --match-set clearnet-list dst -p tcp -j REDIRECT --to-port 9040
sudo iptables -t nat -I PREROUTING 7 -i wlan0 -m set ! --match-set clearnet-list dst -p udp -j REDIRECT --to-port 9040
# -i is the interface with the clients / -o is the interface with the Internet on it
# IP addresses, which are on the clearnet-list are directly routed through the Internet without tor
sudo iptables -I FORWARD 2 -i wlan0 -o eth0 -m set --match-set clearnet-list dst -j ACCEPT
# -i is the interface with the Internet on it / -o is the interface with the clients
# This rule is needed to route the the responses back to the client
sudo iptables -I FORWARD 1 -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
答案2
您需要向 nat 表的 PREROUTING 链添加规则。您尝试添加的规则不正确,因为它们仅允许传入到排除域的流量,而不允许传出流量。
例子:
sudo iptables -t nat -I PREROUTING 1 -i wlan0 -d 138.201.14.212/32 -j RETURN
应将此规则添加在将流量重定向到 Tor 的现有规则之前。
您需要使用要排除的域的 IP 地址,而不是其主机名,因为它iptables适用于 IP 地址,而不是主机名。
一些网站可能使用多个 IP 地址或 CDN,因此您可能需要排除多个 IP 地址才能完全绕过这些网站的 Tor。