Trying to run Virtualbox through TOR middlebox - linux

I REALLY need some help before my laptop goes through the wall.
I want to run a virtual machine through a Tor middlebox. I want the entire VM's connection to go through the Tor network. (I'm wanting to set up my hidden service and for my needs this will work best)
I started by looking here - http://www.howtoforge.com/how-to-set-up-a-tor-middlebox-routing-all-virtualbox-virtual-machine-traffic-over-the-tor-network
I know this is old but I figured I'd give it a go anyway.
For reference my host machine is running Ubuntu 13.04 and the VM will be running 12.04 LTS, on VirtualBox.
Well, I have Tor installed as per the guide, and I have gone through the setup steps. But it didn't work. My VM will not connect to the net. I checked ifconfig and I am receiving an IP address, but I can't get a connection to the web to check I am running through Tor.
I've spent a good few hours on this but I can't get it working, I'm just at point-and-click mode now. Looked at so many sites, and almost all of them point back to the original. I have tried tweaking the settings, and looked at numerous forums. But I can't get this working.
If I try using the Tor Browser Bundle, it refuses to start Tor, stating that it hasn't got permission or can't listen on 172.16.0.1:53. Tried using the Vidalia bundle for the Tor install but that refuses to find the Tor exec (not really an issue)
Here are the settings I am trying to run with...
/etc/network/interfaces
as stated in the guide
/etc/dnsmasq.conf
interface=vnet0
listen-address=192.168.1.1
dhcp-range=172.16.0.2,172.16.0.254,1h
/etc/tor/torrc
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 172.16.0.1
TransListenAddress 192.168.1.1
DNSPort 53
DNSListenAddress 172.16.0.1
DNSListenAddress 192.168.1.1
middlebox.sh
#!/bin/sh
# destinations you don't want routed through Tor
NON_TOR="192.168.1.0/24 192.168.0.0/24"
# the UID Tor runs as
TOR_UID="109"
# Tor's TransPort
TRANS_PORT="9040"
# your internal interface
INT_IF="vnet0"
iptables -F
iptables -t nat -F
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
for NET in $NON_TOR; do
    iptables -t nat -A OUTPUT -d $NET -j RETURN
    iptables -t nat -A PREROUTING -i $INT_IF -d $NET -j RETURN
done
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -A FORWARD -i $INT_IF -p udp -j DROP
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
for NET in $NON_TOR 127.0.0.0/8; do
    iptables -A OUTPUT -d $NET -j ACCEPT
done
iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
iptables -A OUTPUT -j REJECT

Does this article help you? http://www.mike-warren.com/articles/routing-vm-traffic-through-tor.html
The short version is:
host runs a tun/tap device
host runs a VDE switch (which puts packets from the VM into the tap device)
host has iptables NAT rules to shovel tap device traffic into Tor
host runs Tor as transparent proxy
VM has static IP, connected to VDE switch
Instead of all that, you could run TAILS instead. https://tails.boum.org/

Consider running Tails as a VM guest.
Use a VM snapshot to avoid booting from the Tails live DVD (ISO).
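A check worth running before going further, added here as an example and not taken from the question, the guide or either answer: the pieces of a middlebox have to agree with each other. dnsmasq's listen address must sit in the subnet it hands leases out for, the guests need a Tor DNSListenAddress inside that subnet, and dnsmasq and Tor's DNSPort cannot both bind the same address and port. The script below reads copies of the values quoted in the question, reports where they disagree, then runs again on a constructed variant that is consistent. It assumes a /24 guest network; `port=0` is dnsmasq's own option for switching off its DNS function. All function and variable names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post or of the howtoforge guide:
# a consistency check for the dnsmasq.conf / torrc pair of a Tor middlebox.
# The config texts at the bottom are constructed copies of the values quoted
# in the question; a /24 guest network is assumed for the subnet comparison.

# ip2int A.B.C.D: dotted quad -> 32-bit integer
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_net A B PREFIXLEN: succeed if A and B share the same /PREFIXLEN network
same_net() {
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# conf_value TEXT KEY: print the value(s) of "KEY=value" (dnsmasq) or "KEY value" (torrc)
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^$2[= ]//p"
}

# check_middlebox DNSMASQ_CONF TORRC: print each finding, return their count (0 = consistent)
check_middlebox() {
    problems=0
    dhcp_start=$(conf_value "$1" dhcp-range | cut -d, -f1)
    listen=$(conf_value "$1" listen-address)
    dnsmasq_port=$(conf_value "$1" port)      # empty means dnsmasq's default, 53
    tor_dnsport=$(conf_value "$2" DNSPort)

    # 1. dnsmasq must listen inside the network it hands out leases for
    if ! same_net "$dhcp_start" "$listen" 24; then
        echo "listen-address $listen is not in the subnet of dhcp-range start $dhcp_start"
        problems=$((problems + 1))
    fi

    # 2. the guests need a Tor DNSListenAddress they can actually reach
    reachable=0
    for addr in $(conf_value "$2" DNSListenAddress); do
        same_net "$dhcp_start" "$addr" 24 && reachable=1
    done
    if [ "$reachable" -eq 0 ]; then
        echo "no DNSListenAddress is inside the guest subnet of $dhcp_start"
        problems=$((problems + 1))
    fi

    # 3. dnsmasq (port 53 unless port= says otherwise, port=0 disables DNS)
    #    and Tor's DNSPort cannot both bind the same address:port
    for addr in $(conf_value "$2" DNSListenAddress); do
        if [ "$addr" = "$listen" ] && [ "${dnsmasq_port:-53}" = "$tor_dnsport" ]; then
            echo "dnsmasq and Tor DNSPort both want $addr:$tor_dnsport"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# constructed inputs: the values from the question, then a consistent variant
DNSMASQ_ASKED='interface=vnet0
listen-address=192.168.1.1
dhcp-range=172.16.0.2,172.16.0.254,1h'
TORRC_ASKED='VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 172.16.0.1
TransListenAddress 192.168.1.1
DNSPort 53
DNSListenAddress 172.16.0.1
DNSListenAddress 192.168.1.1'
DNSMASQ_FIXED='interface=vnet0
listen-address=172.16.0.1
port=0
dhcp-range=172.16.0.2,172.16.0.254,1h'

echo "== config as posted in the question =="
check_middlebox "$DNSMASQ_ASKED" "$TORRC_ASKED" || echo "$? problem(s) found"
echo "== consistent variant =="
check_middlebox "$DNSMASQ_FIXED" "$TORRC_ASKED" && echo "no problems found"
```

The check is deliberately static: it only reads the two files, so it can be run on the host before any daemon is started and before any iptables rule is loaded.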

Related

Transparent Proxy Squid with internal and external network

I have a network set up like this, with an external and an internal network.
I have successfully got squid running as a proxy for the internal browser, and now I want to set it up as transparent but am having some problems.
(network diagram)
First, I changed "http_port 8080 intercept", but I am having trouble setting up the correct iptables rules on the external server, as the packets are not getting back to the squid box.
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -t nat -A POSTROUTING -o enpos3 (this is NAT) -j MASQUERADE
iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 8080 -j ACCEPT
iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 80 -j DNAT --to-destination 10.10.1.254:8080
iptables -t nat -A PREROUTING -i enp0s8 -p tcp --dport 80 -j REDIRECT --to-port 8080
This is as far as I got; the internet works fine on the internal PC but I'm not sure how to redirect HTTP port 80 packets to the Squid box (10.10.1.254:8080)
A couple of things.
From the diagram it is not clear where the Squid box is. Considering you are setting up a transparent proxy, it will be in between your internal network and the WAN connection, which I believe you might have taken care of. Please check.
Considering this is a dual-homed box, you need to set the default gateway to point to your Squid box's WAN interface.
You do need Reverse Path Forwarding enabled.
Last but not least, IP packet forwarding enabled.

Why i see DST="127.0.0.53" on -j REDIRECTed packets?

I am confused about a situation in my NATed network. I start dnsmasq on the router, with listen-address=192.168.100.1 and the -p 5353 option for the DNS port. Afterwards, I add an iptables rule for hosts inside that network:
iptables -t nat -I PREROUTING -s 192.168.100.0/24 \
-d 192.168.100.1 -p udp --dport 53 -j REDIRECT --to-ports 5353
But this didn't work the first time, since my INPUT policy is DROP; when I add this rule, everything starts to work:
iptables -I INPUT -p udp --dport 53 -d 127.0.0.53 -j ACCEPT
I discovered this address with the help of -j LOG on my INPUT chain, where I saw dropped packets like SRC=127.0.0.1 DST=127.0.0.53 ... when a NATed host is trying to resolve a hostname.
As I am writing an automated script that generates correct netfilter rules for this situation, I need to know where this 127.0.0.53 could come from.
I see the same address in /etc/resolv.conf. But I don't understand who is routing this packet to this address when it is "redirected", if I am even close to understanding what happens.
systemd-resolved sets up a stub listener for DNS requests locally on 127.0.0.53:53.
Try disabling it to proceed:
sudo systemctl disable systemd-resolved

linux PPTP server relay

I want to create a VPS that has both a PPTP server and a PPTP client, and this VPS is used as a relay.
There are two servers: VPS1 and VPS2, both with pptpd installed, and VPS1 also has the pptp client installed.
I want to have this:
user ---- PPTP ----> VPS1 ----- PPTP ----> VPS2
The user connects to VPS1, and all the network traffic is routed to VPS2.
I'm doing this because it is hard for the user to connect to VPS2 directly; a middle server is needed to work as a relay.
How can I configure iptables to make it work? Thanks.
Strange usage of PPTP. Your ISP must be Shanghai, China Telecom.
If you route all the network traffic in VPS1 to VPS2, you have to know the IP address of the user and set up an exception. Otherwise the user will never receive the reply packets.
Maybe you can use iptables to enable DNAT. Make VPS1 a router and VPS2 the internal PPTP server.
First of all, you should check whether the kernel modules ip_nat_pptp and ip_conntrack_pptp are loaded. PPTP uses TCP port 1723 to transmit control commands and uses GRE to transfer data. Because GRE has no ports, the server has to use the Call ID to track the endpoints and implement the NAT. This is called PPTP Passthrough.
# lsmod | grep pptp
If they are not loaded, load them:
# modprobe ip_nat_pptp
# modprobe ip_conntrack_pptp
Then you need to enable the IPv4 network forwarding:
# sysctl -w net.ipv4.ip_forward=1
Now you can create iptables rules to accept the incoming and forwarded requests:
# iptables -A INPUT -d $VPS1_IP_ADDR -p tcp --dport 1723 -j ACCEPT
# iptables -A INPUT -d $VPS1_IP_ADDR -p gre -j ACCEPT
# iptables -A FORWARD -d $VPS2_IP_ADDR -p tcp --dport 1723 -j ACCEPT
# iptables -A FORWARD -d $VPS2_IP_ADDR -p gre -j ACCEPT
Finally set up the DNAT rules (DNAT and MASQUERADE only exist in the nat table, so both need -t nat):
# iptables -t nat -A PREROUTING -d $VPS1_IP_ADDR -p tcp --dport 1723 -j DNAT --to-destination $VPS2_IP_ADDR
# iptables -t nat -A POSTROUTING -d $VPS2_IP_ADDR -p tcp --dport 1723 -j MASQUERADE
You can connect to VPS1 with the username/password of the pptpd on VPS2 now.
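The same relay setup as one script, added here as an example rather than the answer's own code, so the rules can be printed and reviewed before they are applied. It goes a little beyond the answer in two places: it tries the current module names (nf_conntrack_pptp / nf_nat_pptp) before the legacy ip_* names, and it assigns the pptp conntrack helper explicitly with a CT rule in the raw table, which kernels since 4.7 require because they no longer attach helpers automatically. The two addresses are constructed placeholders from the documentation ranges, DRY_RUN defaults to 1 (print only), and all function names are mine.

```shell
#!/bin/sh
# Added example (not the answer's own script): PPTP relay on VPS1 towards VPS2.
# VPS1_IP / VPS2_IP are constructed placeholders; DRY_RUN=1 (the default)
# prints every command instead of executing it, DRY_RUN=0 applies them.

VPS1_IP="${VPS1_IP:-203.0.113.10}"     # public address of the relay (placeholder)
VPS2_IP="${VPS2_IP:-198.51.100.20}"    # address of the real PPTP server (placeholder)
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: execute the command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# load_pptp_helpers: current module names first, legacy names as fallback
load_pptp_helpers() {
    run modprobe nf_conntrack_pptp || run modprobe ip_conntrack_pptp
    run modprobe nf_nat_pptp       || run modprobe ip_nat_pptp
}

# enable_forwarding: VPS1 has to route between the user and VPS2
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# pptp_relay_rules: accept control (TCP 1723) and data (GRE) on the relay,
# allow them to be forwarded to VPS2, and DNAT the control connection there.
# The pptp NAT helper rewrites the expected GRE flow alongside it.
pptp_relay_rules() {
    run iptables -A INPUT -d "$VPS1_IP" -p tcp --dport 1723 -j ACCEPT
    run iptables -A INPUT -d "$VPS1_IP" -p gre -j ACCEPT
    run iptables -A FORWARD -d "$VPS2_IP" -p tcp --dport 1723 -j ACCEPT
    run iptables -A FORWARD -d "$VPS2_IP" -p gre -j ACCEPT
    # kernels >= 4.7 do not attach conntrack helpers automatically;
    # assign the pptp helper so the GRE expectation gets created
    run iptables -t raw -A PREROUTING -p tcp --dport 1723 -j CT --helper pptp
    # DNAT/MASQUERADE live in the nat table
    run iptables -t nat -A PREROUTING -d "$VPS1_IP" -p tcp --dport 1723 -j DNAT --to-destination "$VPS2_IP"
    run iptables -t nat -A POSTROUTING -d "$VPS2_IP" -p tcp --dport 1723 -j MASQUERADE
}

# setup_relay: the whole procedure in order
setup_relay() {
    load_pptp_helpers
    enable_forwarding
    pptp_relay_rules
}

setup_relay
```

Run it once with the default DRY_RUN=1 to read the exact rule set it would install for your two addresses, then with `DRY_RUN=0 VPS1_IP=... VPS2_IP=... sh relay.sh` to apply it; the helper modules have to be loaded before the CT rule is added, which is why the functions are called in that order.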

Iptables forward over VPN

I'm connecting to a VPN in Windows to access a remote computer (Linux) with a static IP. From this remote computer I have access to different machines (database, svn, etc.).
I am trying to set up my remote computer so that I have access from my Windows machine to the database, the svn server, etc., because working over a remote connection is very slow.
So I tried the following lines in /etc/rc.local, but it doesn't work:
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d B1.B2.B3.B4 --dport 89 -j DNAT --to R1.R2.R3.R4:89
/sbin/iptables -A FORWARD -p tcp -d R1.R2.R3.R4 --dport 89 -j ACCEPT
Where B1.B2.B3.B4 is my remote database IP, 89 is the port we use to access the database, and R1.R2.R3.R4 is my remote machine IP.
What is wrong in this configuration?
Thanks.
Make sure ip_forward is enabled:
echo 1 > /proc/sys/net/ipv4/ip_forward
Also, you need to make sure the VPN pushes routes for B1.B2.B3.B4 to your Windows machine when connecting; if not, you'll have to add the routes yourself.
I think the MASQUERADE rule should be enough, but write it like this:
iptables -t nat -A POSTROUTING -s WINDOWS_BOX_VPN_IP -j MASQUERADE
But if you don't want to mess with iptables, you can use SSH to set up tunnels to your remote services, for example (you need some Windows SSH client that can create tunnels; I'm giving an example of how to run this from a Linux box):
ssh user@R1.R2.R3.R4 -L 8989:B1.B2.B3.B4:89
This will create a tunnel on localhost:8989 which will forward the connection to B1.B2.B3.B4:89 (look for "Local port forwarding", http://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/ )
At the end I found Rinetd that allows TCP redirections with an easy configuration.
According to my question, the configuration I had to add in /etc/rinetd.conf is:
R1.R2.R3.R4 89 B1.B2.B3.B4 89
Then I run Rinetd:
/usr/sbin/rinetd
And that's all.
If you want to run it automatically every time you restart your computer, you can add the command above to the file /etc/rc.local

Iptables or something to redirect IP in gateway (GNU/Linux)

I'm writing a bash script to account for traffic on my network server:
WAN:eth1 -> GNU/Linux Server:eth0 -> Users
The GNU/Linux server uses squid, bind, QoS, mysql, lighttpd.
After an IP exceeds the established quota, a new QoS rule is applied for that IP (user); there is also a "flag" to decide when the IP's counter is reset to zero.
Some IPs and subnets work without quotas, another group of IPs/subnets work with a new QoS after the quota is exceeded, and now I want to work with a third group with redirection after the quota is exceeded.
When an IP exceeds the established quota, all HTTP traffic must be redirected to the host (lighttpd running on the GNU/Linux server) and all other traffic generated by that IP must be DROPped. On the web server there is a web page with: "You exceeded your daily quota of traffic, please wait "x" hours or call your provider to purchase an extra navigation package" or something like that.
Is it possible using a chain, or how can I do that?
Most topics that I found on the Internet are related to blocking everything and creating a new chain to let traffic out to the Internet (does not work for me). Others redirect only IP by IP, but how can I create something like a "chain" and attach the IPs that must be redirected to it, so that I can restore those IPs easily afterwards?
Thanks for help and sorry for my poor English :S.
Are you looking for something like this?
iptables -t nat -A PREROUTING -s 192.168.100.66 -p tcp --dport 80 -j REDIRECT --to-ports 80
iptables -I INPUT 1 -i lo -s 192.168.100.66 -j ACCEPT
iptables -I INPUT 2 -i eth1 -d 192.168.100.66 -j DROP
This will redirect packets from 192.168.100.66 on port 80 to the local webserver on the loopback interface, allow that conversation, then reject all other packets being routed to 192.168.100.66 on the WAN interface.
To restore the connection back to normal you will want to delete those firewall entries:
iptables -t nat -D PREROUTING -s 192.168.100.66 -p tcp --dport 80 -j REDIRECT --to-ports 80
iptables -D INPUT -i lo -s 192.168.100.66 -j ACCEPT
iptables -D INPUT -i eth1 -d 192.168.100.66 -j DROP
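The question asks for something chain-shaped that addresses can be attached to and released from; the following is an added example of that layout, not the answer's own rules. It keeps the REDIRECT-to-local-web-server idea from the answer above but places it in two dedicated chains (one in nat/PREROUTING for the HTTP bounce, one in filter/FORWARD for dropping everything else), so putting a user under quota or restoring them is one function call each and the list of affected users can be read straight out of the chain. Interface and port names follow the question's layout (users on eth0, lighttpd on the gateway itself); the sample address is the one used in the answer; DRY_RUN defaults to 1 (print only); all function and chain names are mine.

```shell
#!/bin/sh
# Added example (not the answer's own rules): "quota exceeded" handling kept
# in dedicated chains. DRY_RUN=1 (the default) prints the iptables commands;
# DRY_RUN=0 applies them. Interface, port and address values are constructed.

LAN_IF="${LAN_IF:-eth0}"       # user-facing interface (eth0 in the question)
WEB_PORT="${WEB_PORT:-80}"     # lighttpd on the gateway serving the quota page
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: execute, or print when DRY_RUN=1
run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# quota_chains_init: create both chains once and hook them into the built-ins.
# QUOTA_NAT   (nat/PREROUTING): bounce HTTP from listed users to the local web server
# QUOTA_BLOCK (filter/FORWARD): drop everything else those users try to send out
quota_chains_init() {
    run iptables -t nat -N QUOTA_NAT
    run iptables -t nat -I PREROUTING -i "$LAN_IF" -j QUOTA_NAT
    run iptables -N QUOTA_BLOCK
    run iptables -I FORWARD -i "$LAN_IF" -j QUOTA_BLOCK
    # a REDIRECTed packet is delivered locally (INPUT, not FORWARD),
    # so INPUT has to let it reach lighttpd
    run iptables -I INPUT -i "$LAN_IF" -p tcp --dport "$WEB_PORT" -j ACCEPT
}

# quota_exceeded IP: put one user behind the "quota exceeded" page
quota_exceeded() {
    run iptables -t nat -A QUOTA_NAT -s "$1" -p tcp --dport 80 -j REDIRECT --to-ports "$WEB_PORT"
    run iptables -A QUOTA_BLOCK -s "$1" -j DROP
}

# quota_restore IP: release the user again (exact inverse of quota_exceeded)
quota_restore() {
    run iptables -t nat -D QUOTA_NAT -s "$1" -p tcp --dport 80 -j REDIRECT --to-ports "$WEB_PORT"
    run iptables -D QUOTA_BLOCK -s "$1" -j DROP
}

# quota_list: addresses currently under quota, read from the live chain
# (queries the kernel directly, so it only makes sense with real rules loaded)
quota_list() {
    iptables -S QUOTA_BLOCK | sed -n 's/^-A QUOTA_BLOCK -s \([0-9.]*\)\/32 -j DROP$/\1/p'
}

# demonstration with the address used in the answer (constructed sample)
quota_chains_init
quota_exceeded 192.168.100.66
quota_restore 192.168.100.66
```

Two things about the design follow from the question's own setup. DNS for the users is served by bind on the same gateway, so a blocked user's lookups arrive via INPUT and still succeed, which is what lets their browser reach the quota page at all; and because REDIRECT rewrites the destination to the address of the interface the packet arrived on, the DROP belongs in FORWARD rather than on the WAN interface, so nothing from that user leaves the gateway while the HTTP bounce keeps working.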
Note that iptables itself (well, the xtables-addons extension set providing quota2) can already do the quota matching magic and you can (re)set the values through procfs, combined with REDIRECT as #resmon6 says:
-t nat -s user1addr -m quota2 --name user1 ! --quota 0 -j REDIRECT...
-t nat -s user2addr -m quota2 --name user2 ! --quota 0 -j REDIRECT...
The syntax is arguably a little odd right now (0 is the initial value only and is independent of the runtime quota test involving the negation !. Noticing this just now, a patch may make it in to unroll this confusing syntax in the future).
