Curt, I will try and spur some discussion :)
I'm also not sure that forcing connections to the Tor port will work. Take for example an HTTP request... you are now forcing that to a Tor port, which wants to talk SOCKS, right? I would have thought you would need some sort of transparent HTTP proxy setup which was configured to use Tor for its external comms?

Al

----- Reply message -----
From: "Curt Shaffer" <[email protected]>
Date: Tue, Nov 16, 2010 18:19
Subject: IPTables transparent configuration
To: <[email protected]>

I have been searching the documentation and Internet for days on this setup. Let me give some background first.

In this network (172.16.10.0/24) I have a couple of clients. Their default gateway is 172.16.10.1. This system is a Linux server. The Linux server has a LAN IP of 172.16.10.1 and a "WAN" IP of 10.0.0.23. This server is also running TOR. The "WAN" IP address of this system is actually being NATed again by a firewall to an external IP address.

I want all traffic on the 172.16.10.0/24 network to use this Linux server as their default gateway. In that gateway, I want IPTables to send all of the traffic from that subnet through TOR.

If I use IPTables to NAT the addresses like this:

eth0=WAN
eth1=LAN

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

general network connectivity works.

If I introduce TOR with IPTables like this:

iptables -t nat -A OUTPUT -p tcp -m tcp -j REDIRECT --to-ports 9040
iptables -t filter -A OUTPUT -p tcp -m tcp --dport 9040 -j ACCEPT

TOR connectivity works from the Linux server, but all of the clients on the 172.16.10.0/24 network no longer work at all. No NAT to the general Internet, no TOR, no nothing.

I'm thinking this may be an IPTables problem, but I wanted to post this to this list just to see if anyone else has accomplished such a setup. If you have, please let me know what I may be doing wrong.
If you need more detailed information, please ask.

***********************************************************************
To unsubscribe, send an e-mail to [email protected] with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
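Added example, not code from either poster: a rule generator for the gateway topology described in the thread (LAN on eth1, 172.16.10.0/24, Tor TransPort on 9040). The point it makes is the chain choice: the nat OUTPUT chain only ever sees packets the gateway itself generates, so the OUTPUT REDIRECT in the original post cannot touch the clients' forwarded traffic at all; their packets enter through nat PREROUTING, and once redirected they are delivered to Tor locally (INPUT) rather than forwarded. It assumes a torrc with TransPort 9040 and DNSPort 5353 and a Tor system user named "debian-tor", none of which the original post states; the uid fallback of 0 is a placeholder. The script prints the rules rather than applying them, so it can be reviewed without root; run it with APPLY=1 as root on the gateway to load them.

```shell
#!/bin/sh
# Added example (not from the original thread): generate an iptables rule set for a
# transparent Tor gateway matching the poster's topology.
# Assumptions (not stated in the original post): torrc contains
#   TransPort 9040 and DNSPort 5353, and Tor runs as the unix user "debian-tor".
LAN_IF="eth1"            # interface facing 172.16.10.0/24
LAN_NET="172.16.10.0/24"
TRANS_PORT="9040"        # Tor TransPort (the port from the original post)
DNS_PORT="5353"          # Tor DNSPort (assumed)
# Tor's uid; 0 is only a placeholder used when the user does not exist on this host.
TOR_UID="$(id -u debian-tor 2>/dev/null || echo 0)"

# Print the rules instead of applying them, so the set can be reviewed (and
# tested) without root; pipe the output to sh on the gateway to apply it.
tor_gateway_rules() {
  cat <<EOF
# --- locally generated traffic: nat OUTPUT only ever sees the gateway's own packets ---
# Let Tor's own connections out untouched; otherwise its guard connections would be
# redirected back into its own TransPort.
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT

# --- traffic from the LAN clients: forwarded packets traverse nat PREROUTING, never OUTPUT ---
# Leave LAN-internal traffic (including traffic to the gateway itself) alone.
iptables -t nat -A PREROUTING -i $LAN_IF -d $LAN_NET -j RETURN
iptables -t nat -A PREROUTING -i $LAN_IF -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
# Redirected packets are now delivered to Tor on the gateway (INPUT chain) and never
# reach FORWARD, so the MASQUERADE/FORWARD rules are no longer on their path.
iptables -A INPUT -i $LAN_IF -p tcp --dport $TRANS_PORT -j ACCEPT
iptables -A INPUT -i $LAN_IF -p udp --dport $DNS_PORT -j ACCEPT
EOF
}

# Self-check on the generated text: LAN traffic is redirected in PREROUTING
# (a REDIRECT in OUTPUT would silently never match it) and Tor's own uid is exempt.
check_rules() {
  rules="$(tor_gateway_rules)"
  printf '%s\n' "$rules" | grep -q -- "-A PREROUTING -i $LAN_IF .*--to-ports $TRANS_PORT" || return 1
  printf '%s\n' "$rules" | grep -q -- "-A OUTPUT -m owner --uid-owner" || return 1
  return 0
}

if [ "${APPLY:-0}" = "1" ]; then
  tor_gateway_rules | sh     # run as root on the gateway to load the rules
else
  tor_gateway_rules
fi
```

A useful way to verify the chain argument on a live gateway is to watch the counters: after loading the rules, `iptables -t nat -L PREROUTING -v -n` should show the LAN rules' packet counts rising while a client browses, and `iptables -t nat -L OUTPUT -v -n` should only move when the gateway itself makes connections.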

