Sergey78, 2017-09-02 14:44:14

IPTables, TOR, Transparent proxy. Why refused?

I'm doing transparent redirection of traffic into the Tor network on a router (Debian).
Tor itself works on the router: if you connect to it as SOCKS5, everything opens.
You can also connect to the hidden service from the Tor network.
In /etc/tor/torrc config:

TransPort 9040
DNSPort 127.0.0.1:5300
VirtualAddrNetworkIPv4 172.16.0.0/12
AutomapHostsOnResolve 1
ExcludeExitNodes {RU}

HiddenServiceDir /var/lib/tor/sergey/
HiddenServicePort 22 127.0.0.1:22

Tor starts up and listens on the ports:
[email protected]:/var/log# netstat -ntap|grep LIST|grep tor
tcp        0      0 127.0.0.1:9040          0.0.0.0:*               LISTEN      4271/tor            
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      4271/tor

DNS works fine; .onion names on clients in the local network resolve into 172.16.0.0/12.
The iptables rules are simplified as much as possible:
#!/bin/sh
iptables -F
iptables -t nat -F

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

iptables -t nat -A PREROUTING -i br0 -p tcp -d 172.16.0.0/12 -j LOG --log-prefix "REDIRECT to tor: "
iptables -t nat -A PREROUTING -i br0 -p tcp -d 172.16.0.0/12 -j REDIRECT --to-ports 9040

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

The LOG target is just to see which packets get there.
br0 - the interface the local network (192.168.143.0/24) is connected to
eth1 - the interface to the Internet
I try to connect:
# curl -v http://flibustahezeous3.onion/
*   Trying 172.18.168.66...
* connect to 172.18.168.66 port 80 failed: В соединении отказано
*   Trying febd:6df4:bc82:357d:c8f0:a28:bfbb:7964...
* Immediate connect fail for febd:6df4:bc82:357d:c8f0:a28:bfbb:7964: Недопустимый аргумент
*   Trying febd:6df4:bc82:357d:c8f0:a28:bfbb:7964...
* Immediate connect fail for febd:6df4:bc82:357d:c8f0:a28:bfbb:7964: Недопустимый аргумент
* Failed to connect to flibustahezeous3.onion port 80: В соединении отказано
* Closing connection 0
curl: (7) Failed to connect to flibustahezeous3.onion port 80: В соединении отказано

Browsers also report ERR_CONNECTION_REFUSED.
The iptables entry also shows up in the log:
Sep  2 14:36:19 debian kernel: [ 2936.037786] REDIRECT to tor: IN=br0 OUT= MAC=bc:5f:f4:de:c9:28:10:0b:a9:2f:b8:44:08:00 SRC=192.168.143.12 DST=172.18.168.66 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18431 DF PROTO=TCP SPT=57516 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0

Why doesn't it work?
Is there a way to check that the -j REDIRECT rule is working?
I tried watching tcpdump -i lo net 172.16.0.0/12: nothing, it's empty.
I looked at all interfaces:
[email protected]:/var/log# tcpdump -i any net 172.16.0.0/12
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
14:39:54.221000 IP 192.168.143.12.57528 > 172.18.168.66.http: Flags [S], seq 914463515, win 29200, options [mss 1460,sackOK,TS val 10980812 ecr 0,nop,wscale 7], length 0
14:39:54.221000 IP 192.168.143.12.57528 > 172.18.168.66.http: Flags [S], seq 914463515, win 29200, options [mss 1460,sackOK,TS val 10980812 ecr 0,nop,wscale 7], length 0
14:39:54.221034 IP 172.18.168.66.http > 192.168.143.12.57528: Flags [R.], seq 0, ack 914463516, win 0, length 0
14:39:54.221037 IP 172.18.168.66.http > 192.168.143.12.57528: Flags [R.], seq 0, ack 1, win 0, length 0

I suspect that for some reason REDIRECT isn't working and the packets go out to the ISP. How can this be checked?


1 answer(s)
Sergey78, 2017-09-02
@Sergey78

I'll answer myself.
It looks like the REDIRECT action can only change the port, not the interface. In the torrc config I changed:
TransPort 9040
to
TransPort 192.168.143.1:9040
and everything worked.
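Added example, not code from the thread: a small shell check that reproduces the diagnosis in this answer. iptables REDIRECT rewrites the destination address to the primary address of the interface the packet arrived on (br0 here), so the TransPort listener must be bound to that address, or to 0.0.0.0, for the connection to be accepted instead of reset; the function takes LISTEN lines as printed by netstat -ntl or ss -ntl and reports the outcome. The netstat lines below are constructed to match the router before and after the torrc change.

```shell
# transport_reachable BR0_IP PORT "LISTEN lines"
# Prints "accepted" if some listener on PORT is bound to BR0_IP or to all
# addresses (0.0.0.0 / *), otherwise "refused". A listener only on 127.0.0.1
# never sees packets that REDIRECT delivers to the br0 address, so the kernel
# answers the SYN with RST, which is the "connection refused" in the question.
# Column 4 of netstat -ntl / ss -ntl is the local address:port.
transport_reachable() {
  br_ip="$1"
  port="$2"
  listeners="$3"
  printf '%s\n' "$listeners" | awk -v ip="$br_ip" -v port="$port" '
    $4 ~ (":" port "$") {
      sub((":" port "$"), "", $4)
      if ($4 == "0.0.0.0" || $4 == "*" || $4 == ip) { found = 1 }
    }
    END { print (found ? "accepted" : "refused") }'
}

# Constructed netstat -ntl output for the state in the question: TransPort on loopback only.
BEFORE='tcp        0      0 127.0.0.1:9040          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN'

# Constructed output after "TransPort 192.168.143.1:9040" in torrc.
AFTER='tcp        0      0 192.168.143.1:9040      0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN'

transport_reachable 192.168.143.1 9040 "$BEFORE"   # refused
transport_reachable 192.168.143.1 9040 "$AFTER"    # accepted
```

On the real router, feed it `$(netstat -ntl)` or `$(ss -ntl)` together with the br0 address to confirm the listener matches what REDIRECT will produce.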
