Tor remote transparent proxy in the local network with pure iptables routing

by Martin Sand, Last Updated August 13, 2019 20:00 PM

Disclaimer: this is for self-study and to use a solution which I understand. I know there are available solutions.

I have a router that connects to the Internet. I have a Raspberry-tor that I want to use to anonymize Internet traffic. And I have a desktop client that is supposed to route its traffic through the Raspberry-tor. The routing on the desktop client and the Raspberry-tor should only be done through iptables. I am using the transparent proxy configuration on the Raspberry-tor.

Question: I assume this is due to the iptables setup on the Raspberry-tor. How do I get my traffic from the desktop client anonymized by the Raspberry gate?

Illustration of the local network: [image: local network setup]

Raspberry-tor /etc/tor/torrc (only relevant config)

User debian-tor                      # Tor drops privileges to this account
VirtualAddrNetwork 10.192.0.0/10     # range handed out for automapped (.onion) names
AutomapHostsOnResolve 1              # resolve .onion names to addresses in that range
TransPort 9040                       # transparent proxy on localhost
TransPort 192.168.1.130:9040         # transparent proxy reachable from the LAN
DNSPort 9053                         # DNS resolver over Tor on localhost
DNSPort 192.168.1.130:9053           # DNS resolver reachable from the LAN

Raspberry-tor: iptables changes

# flush the filter and nat tables
iptables -F
iptables -t nat -F
# filter: allow replies in, and allow locally originated TCP out
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# nat PREROUTING: every new TCP connection (SYN only) arriving from the LAN goes to TransPort 9040
iptables -t nat -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
# nat OUTPUT: local traffic from root and debian-tor on 80/443 is left alone (Tor's own connections),
# everything else on 80/443 is redirected to TransPort 9040
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner debian-tor -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9040
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner root -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner debian-tor -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 9040

Desktop client: iptables changes

# flush the nat table and let forwarding through
iptables -t nat -F
iptables -P FORWARD ACCEPT
# nat OUTPUT: rewrite the destination of local 80/443 connections to the Raspberry-tor
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.1.130:80
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination 192.168.1.130:443
# filter OUTPUT: allow replies and new connections on 80/443
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# nat POSTROUTING: masquerade everything leaving the desktop
iptables -t nat -I POSTROUTING -j MASQUERADE

Local curl on Raspberry-tor works:

curl https://check.torproject.org | grep -i "congratulations"
Congratulations. This browser is configured to use Tor.

Curl on desktop client does not work out of the box:

curl https://check.torproject.org/ | grep -i "congratulations"
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to check.torproject.org:443
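To see what the nat chains quoted above do to a single connection, here is an added toy evaluator (my code, not the poster's, and it models only the matches and targets the quoted rules use: --dport, --uid-owner, the SYN-only tcp-flags match, RETURN, DNAT and REDIRECT). It walks the desktop's nat OUTPUT chain, then the Raspberry-tor's nat PREROUTING chain, and reports the destination TransPort would read back with SO_ORIGINAL_DST, i.e. the pre-NAT tuple the gateway's own conntrack recorded. The rule texts are copied from the post; the desktop address 192.168.1.10 and the remote address 203.0.113.5 are constructed. For comparison it also runs a client with no nat rules at all, standing in for a client that reaches the gateway by routing rather than by rewriting the destination.

```python
# Added example: a toy evaluator for the iptables nat chains quoted in the post.
# It models only --dport, --uid-owner, "--tcp-flags ... SYN", RETURN, DNAT and
# REDIRECT. Hosts and the remote address are constructed; nothing here touches
# a real kernel.
import re
from dataclasses import dataclass, replace
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    uid: str = "user"        # socket owner, only meaningful for locally generated packets
    syn: bool = True         # True for the first packet of the TCP connection
    orig_dst: Optional[Tuple[str, int]] = None  # pre-NAT tuple this host's conntrack remembers

NAT_RULE = re.compile(r"^iptables -t nat -A (PREROUTING|OUTPUT) (.*)$")

def parse_nat(rules_text):
    """Return {chain: [rule, ...]} for the nat PREROUTING/OUTPUT rules in rules_text."""
    chains = {"PREROUTING": [], "OUTPUT": []}
    for line in rules_text.splitlines():
        m = NAT_RULE.match(line.strip())
        if not m:
            continue  # filter rules, flushes and POSTROUTING are outside this model
        chain, tokens = m.group(1), m.group(2).split()
        rule = {"dport": None, "uid": None, "syn_only": False, "target": None, "to": None}
        i = 0
        while i < len(tokens):
            t = tokens[i]
            if t == "--dport":
                rule["dport"] = int(tokens[i + 1]); i += 2
            elif t == "--uid-owner":
                rule["uid"] = tokens[i + 1]; i += 2
            elif t == "--tcp-flags":            # "--tcp-flags <mask> <set>"
                rule["syn_only"] = tokens[i + 2] == "SYN"; i += 3
            elif t == "-j":
                rule["target"] = tokens[i + 1]; i += 2
            elif t in ("--to-ports", "--to-destination"):
                rule["to"] = tokens[i + 1]; i += 2
            else:
                i += 1                          # -p tcp, -m tcp, -m owner: no state needed
        chains[chain].append(rule)
    return chains

def walk(rules, pkt, self_addr):
    """First matching rule wins; RETURN or no match means the chain policy (ACCEPT)."""
    for r in rules:
        if r["dport"] is not None and pkt.dport != r["dport"]:
            continue
        if r["uid"] is not None and pkt.uid != r["uid"]:
            continue
        if r["syn_only"] and not pkt.syn:
            continue
        remembered = pkt.orig_dst or (pkt.dst, pkt.dport)   # what conntrack keeps
        if r["target"] == "RETURN":
            return pkt
        if r["target"] == "DNAT":
            host, port = r["to"].rsplit(":", 1)
            return replace(pkt, dst=host, dport=int(port), orig_dst=remembered)
        if r["target"] == "REDIRECT":           # DNAT to this host's own address
            return replace(pkt, dst=self_addr, dport=int(r["to"]), orig_dst=remembered)
    return pkt

def tor_target(client_rules, gateway_rules, pkt, gateway_addr="192.168.1.130"):
    """Destination TransPort (9040, from the torrc) learns via SO_ORIGINAL_DST, or None."""
    # 1. locally generated on the desktop: nat OUTPUT runs before the packet leaves
    on_wire = walk(parse_nat(client_rules)["OUTPUT"], pkt, self_addr="127.0.0.1")
    # 2. the gateway is a separate conntrack domain: its "original" tuple is what arrived
    arrived = replace(on_wire, orig_dst=None)
    at_gw = walk(parse_nat(gateway_rules)["PREROUTING"], arrived, self_addr=gateway_addr)
    return at_gw.orig_dst if at_gw.dport == 9040 else None

# Rule texts copied from the post (constructed strings, nat rules only).
GATEWAY_RULES = """
iptables -t nat -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner debian-tor -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9040
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner root -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner debian-tor -j RETURN
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 9040
"""
CLIENT_DNAT_RULES = """
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.1.130:80
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination 192.168.1.130:443
"""
CLIENT_ROUTED_RULES = ""   # a client with no nat rules, reaching the gateway by routing

if __name__ == "__main__":
    https = Packet(src="192.168.1.10", dst="203.0.113.5", dport=443)   # constructed addresses
    print("DNAT client   ->", tor_target(CLIENT_DNAT_RULES, GATEWAY_RULES, https))
    print("routed client ->", tor_target(CLIENT_ROUTED_RULES, GATEWAY_RULES, https))
```

The two conntrack domains are separate: whatever the desktop rewrites before the packet leaves is what the Raspberry-tor records as the "original" destination, so the DNAT variant hands TransPort 192.168.1.130:443 while the routed variant hands it the real remote address. The SYN-only match on PREROUTING only ever sees the first packet of a flow in practice, because the nat table is consulted once per connection and conntrack applies the mapping to the rest; the model simply shows a SYN-less packet passing through untouched.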
