Build an Onion (Tor) router with a highly restrictive firewall and Tor's DNS.

Deleted member 55181

Assumptions: an onion router for web browsing with Tor DNS, with ports 80 and 443 unlocked.

What we need: some time, and a PC, server or thin client; for me it is a Fujitsu Futro S450 with 2 GB of RAM and a USB LAN adapter (in the future it is possible to install a network card into its PCI-e or PCI bus).

1. Install FreeBSD; I think there is no need to explain this.

2. Check your LAN cards:
Code:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
        ether e4:11:5b:27:2b:fd
        hwaddr e4:11:5b:27:2b:fd
        inet 192.168.1.17 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
        groups: pflog
ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:e0:4c:53:44:58
        hwaddr 00:e0:4c:53:44:58
        inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
root@komputer:~ #
For me:
"em0" is WAN (internet)
"ue0" is LAN (USB network adapter)

3. Configure your /etc/rc.conf. I'm too bored to explain everything; just copy.

Code:
ifconfig_em0="DHCP"
ifconfig_ue0="inet 10.1.1.1 netmask 255.255.255.0"

dnsmasq_enable="YES"
gateway_enable="YES"

pf_enable="YES"
pf_rules="/etc/pf.conf"

firewall_enable="YES"
firewall_script="/etc/ipfw/ipfw.rules"
firewall_rules="/etc/ipfw/ipfw.rules"
firewall_logging="YES"

tor_enable="YES"
4. Install the needed tools (package versions as of Wed Jun 20 23:21:57 CEST 2018):

Code:
pkg install tor-0.3.2.10

pkg install dnsmasq-2.79,1
5. When everything has installed correctly, it is time to configure the tools.

5a. /usr/local/etc/dnsmasq.conf

Code:
domain-needed
server=8.8.8.8 #primary dns
server=8.8.4.4 #alternate
dhcp-range=set:ue0,10.1.1.2,10.1.1.200,255.255.255.0,24h
dhcp-option=ue0,option:router,10.1.1.1
#log-facility=/var/log/dnsmasq.log
#log-dhcp
#log-async
5c. /usr/local/etc/tor/torrc

Remove the original file:

rm -R /usr/local/etc/tor/torrc

Now

ee /usr/local/etc/tor/torrc

and paste:

Code:
SOCKSPort 127.0.0.1:10001
TransPort 9050
DNSPort 9053
ATTENTION: this Tor configuration requires pf to work, and the pf device file must have special permissions. So:

add:
Code:
own /dev/pf root:_tor
perm /dev/pf 0660
into /etc/devfs.conf using ee, vi or something.

5d. Set up the NAT using pf.

ee /etc/pf.conf

Code:
ext_if="em0" #WAN
int_if="ue0" #LAN

#set skip on lo #uncomment it when you want to use a normal internet connection
#nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if) #uncomment it too.

rdr pass on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 9050 #comment it out when you want to use the normal internet
rdr pass on $int_if proto tcp from any to any port 443 -> 127.0.0.1 port 9050 #comment it out too

rdr pass on $int_if proto tcp from any to any port 53 -> 127.0.0.1 port 9053 #and this one
rdr pass on $int_if proto udp from any to any port 53 -> 127.0.0.1 port 9053 #and this one too
5e. Now configure IPFW. :) This needs some explanation. This config is written so that there will be a problem with it working when the WAN connection is outside this address range:
192.168.0.0/16
and the LAN outside this one:
10.0.0.0/8

Code:
ipfw -q -f flush

#IPv6
ipfw -q add 100 deny ipv6 from any to any
ipfw -q add 101 deny all from any to any frag

#RFC 1918 172.16.0.0/12 (one pair of rules covers 172.16.0.0 - 172.31.255.255)
ipfw -q add 103 deny all from 172.16.0.0/12 to any
ipfw -q add 104 deny all from any to 172.16.0.0/12

#lo0
ipfw -q add 800 deny log all from any to any via lo0

#consult the dynamic (keep-state) table before the per-interface rules;
#without this, ipfw only checks it at the first keep-state rule, so replies
#to the connections allowed below would already be dropped by rule 900
ipfw -q add 850 check-state


#em0 WAN

ipfw -q add 900 deny all from any to any in via em0

ipfw -q add 1000 allow udp from any to any 68 out keep-state via em0
ipfw -q add 1100 allow udp from any to any 67 out keep-state via em0

ipfw -q add 1200 allow tcp from any to any 53 out setup keep-state via em0
ipfw -q add 1300 allow udp from any to any 53 out keep-state via em0

ipfw -q add 1400 allow tcp from any to any 80 out setup keep-state via em0
ipfw -q add 1500 allow tcp from any to any 443 out setup keep-state via em0

ipfw -q add 1600 deny all from any to any via em0

#ue0 LAN

ipfw -q add 1900 allow tcp from any 80 to any out via ue0
ipfw -q add 2000 allow tcp from any 443 to any out via ue0

ipfw -q add 2100 deny log all from any to any out via ue0

ipfw -q add 2200 allow udp from any to any 68 in keep-state via ue0
ipfw -q add 2300 allow udp from any to any 67 in keep-state via ue0

ipfw -q add 2400 allow tcp from any to any 53 in setup keep-state via ue0
ipfw -q add 2500 allow udp from any to any 53 in keep-state via ue0

ipfw -q add 2600 allow tcp from any to any 80 in setup keep-state via ue0
ipfw -q add 2700 allow tcp from any to any 443 in setup keep-state via ue0

ipfw -q add 3000 deny all from any to any via ue0

#BLOCKING
ipfw -q add 3010 deny all from 10.0.0.0/8 to any
ipfw -q add 3020 deny all from any to 10.0.0.0/8
ipfw -q add 3030 deny all from 192.168.0.0/16 to any
ipfw -q add 3040 deny all from any to 192.168.0.0/16

ipfw -q add 3111 deny all from any to any

6. From empirical experience I can say that Tor, for undetermined reasons, is a little slow when it is started at boot time... But I found the solution: restart Tor a few seconds (for example 15) after the machine starts. For this purpose I used /etc/crontab and a bash script.

So: # ee tor.sh

Code:
#!/bin/sh
# crontab runs this with /bin/sh, so keep it POSIX sh (bash is not in the FreeBSD base system)
sleep 15
service tor restart

Save the change.

Add the executable flag:
# chmod +x tor.sh

Add this entry at the end of your /etc/crontab:

Code:
@reboot root /bin/sh /root/tor.sh
7. If you want to have a new identity periodically, use crontab, for example:
Code:
@hourly root /bin/sh /root/tor.sh
8. Reboot the machine and keep your fingers crossed that I did not forget about something. :F Have a nice time studying more.
reboot

9. I spent one month of time on it. If something is unclear, consult uncle Google, read the manual and the handbook, or ask someone smarter... Bye.

PS. I wonder if a VPN works under Tor.
https://media.giphy.com/media/dsHwXhQlybPY4/giphy.gif
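The ipfw rules in the post rely on keep-state, and ipfw(8) only consults the dynamic state table at the first check-state or keep-state rule it reaches, so where a blanket inbound deny sits relative to those rules decides whether reply packets survive. The following is an added example, not code from the post: a small Python model of ipfw first-match evaluation (a teaching simplification that ignores addresses and understands only the keywords the post's rules use) that traces one Tor connection through a constructed ruleset modelled on the post's em0 rules, once without and once with an explicit check-state rule before rule 900. The packets and the relay address 203.0.113.5 are constructed.

```python
"""Added example (not from the post): first-match evaluator for the subset of
ipfw(8) syntax the post's rules use.  Model, not a reimplementation: addresses
are ignored (the rules modelled use 'any'); only allow/deny/check-state, the
proto keywords all/ip/tcp/udp/ipv6, 'from any [port] to any [port]', in/out,
via, setup, keep-state, log and frag are understood.  State lookup follows
ipfw(8): the dynamic table is consulted at the first check-state or keep-state
rule reached in the scan."""
import re

RULE_RE = re.compile(
    r"^(?:ipfw\s+(?:-q\s+)?)?add\s+(\d+)\s+(allow|deny|check-state)(?:\s+(.*))?$")

# Constructed ruleset modelled on the WAN (em0) part of the post's script,
# deliberately without a check-state line so both variants can be compared.
RULES_TEXT = """
ipfw -q -f flush
ipfw -q add 100 deny ipv6 from any to any
ipfw -q add 101 deny all from any to any frag
ipfw -q add 800 deny log all from any to any via lo0
ipfw -q add 900 deny all from any to any in via em0
ipfw -q add 1200 allow tcp from any to any 53 out setup keep-state via em0
ipfw -q add 1300 allow udp from any to any 53 out keep-state via em0
ipfw -q add 1400 allow tcp from any to any 80 out setup keep-state via em0
ipfw -q add 1500 allow tcp from any to any 443 out setup keep-state via em0
ipfw -q add 1600 deny all from any to any via em0
ipfw -q add 3111 deny all from any to any
"""


def parse_rule(line):
    """Parse one 'ipfw add ...' line into a dict; None for non-rule lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rule = {"num": int(m.group(1)), "action": m.group(2), "proto": "all",
            "sport": None, "dport": None, "dir": None, "via": None,
            "setup": False, "keep_state": False, "frag": False}
    if rule["action"] == "check-state":
        return rule
    toks = (m.group(3) or "").split()
    if toks and toks[0] == "log":      # 'log' is a modifier, not a protocol
        toks.pop(0)
    rule["proto"] = toks.pop(0)
    assert toks.pop(0) == "from"
    toks.pop(0)                        # source address: ignored in this model
    if toks and toks[0].isdigit():
        rule["sport"] = int(toks.pop(0))
    assert toks.pop(0) == "to"
    toks.pop(0)                        # destination address: ignored
    if toks and toks[0].isdigit():
        rule["dport"] = int(toks.pop(0))
    while toks:
        t = toks.pop(0)
        if t in ("in", "out"):
            rule["dir"] = t
        elif t == "via":
            rule["via"] = toks.pop(0)
        elif t in ("setup", "frag"):
            rule[t] = True
        elif t == "keep-state":
            rule["keep_state"] = True
    return rule


def matches(rule, pkt):
    """Static part of the match: does the packet fit the rule body?"""
    p = rule["proto"]
    if p in ("ipv6", "ip6"):
        if pkt["af"] != "inet6":
            return False
    elif p not in ("all", "ip") and p != pkt["proto"]:
        return False
    if rule["frag"] and not pkt.get("frag", False):
        return False
    if rule["sport"] is not None and pkt["sport"] != rule["sport"]:
        return False
    if rule["dport"] is not None and pkt["dport"] != rule["dport"]:
        return False
    if rule["dir"] and pkt["dir"] != rule["dir"]:
        return False
    if rule["via"] and pkt["iface"] != rule["via"]:
        return False
    if rule["setup"] and not (pkt["proto"] == "tcp" and pkt.get("syn")
                              and not pkt.get("ack")):
        return False
    return True


def flow_key(pkt, reverse=False):
    a = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + ((a[2], a[3], a[0], a[1]) if reverse else a)


def evaluate(rules, pkt, state):
    """Walk rules in number order; return (action, rule_number).
    'state' maps a flow key to the (action, num) of the rule that created it."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if r["action"] == "check-state" or r["keep_state"]:
            hit = state.get(flow_key(pkt)) or state.get(flow_key(pkt, True))
            if hit:
                return hit
        if r["action"] == "check-state":
            continue
        if matches(r, pkt):
            if r["keep_state"]:
                state[flow_key(pkt)] = (r["action"], r["num"])
            return (r["action"], r["num"])
    return ("deny", 65535)             # ipfw's implicit default rule


def trace_tor_connection(rules_text):
    """Send a Tor SYN out via em0, then its SYN-ACK back in; return both verdicts."""
    rules = [r for r in map(parse_rule, rules_text.splitlines()) if r]
    state = {}
    # Constructed packets: router 192.168.1.17 -> a Tor relay at 203.0.113.5:443
    syn = dict(af="inet", proto="tcp", src="192.168.1.17", sport=40000,
               dst="203.0.113.5", dport=443, dir="out", iface="em0",
               syn=True, ack=False)
    syn_ack = dict(af="inet", proto="tcp", src="203.0.113.5", sport=443,
                   dst="192.168.1.17", dport=40000, dir="in", iface="em0",
                   syn=True, ack=True)
    return evaluate(rules, syn, state), evaluate(rules, syn_ack, state)


if __name__ == "__main__":
    print("as posted:       ", trace_tor_connection(RULES_TEXT))
    print("with check-state:", trace_tor_connection(
        RULES_TEXT + "ipfw -q add 850 check-state\n"))
```

Running it shows the outbound SYN allowed by rule 1500 in both variants, while the returning SYN-ACK is dropped by rule 900 as long as no check-state precedes it and allowed (via the state rule 1500 created) once one does. The same ordering applies to the router's own DHCP and DNS replies on em0, which the post's keep-state rules are meant to let back in.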
 