How to channel all traffic to tor on linux [closed]

I am new to Tor and Kali Linux. I have installed Kali Linux, installed Tor and downloaded the Tor bundle, but I realised that my traffic is only being channelled through Tor when I browse with the Tor bundle browser, excluding any other browser and application.

How can I channel all my network traffic on Linux to pass through the Tor network?


Answer

Add the following to torrc:

AutomapHostsOnResolve  1
DNSPort                53530
TransPort              9040

Create a file to contain your iptables rules. For IPv4: /etc/iptables.firewall.rules and for IPv6: /etc/ip6tables.firewall.rules.

Now edit the IPv4 file and add something like the following (make sure to grep for TODO items and follow the instructions):

# Use the nat table to redirect some traffic to Tor

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Don't allow Tor traffic to get stuck in a redirect loop...
# TODO: Is `tor' your actual Tor user? It might be `debian-tor' or `toranon' or something else.
-A OUTPUT -m owner --uid-owner tor -j RETURN

# Redirect DNS lookups to Tor.
# TODO: Set this to your Tor DNSPort if it's not 53530.
-A OUTPUT ! -o lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 53530

# Do not redirect private networks or loopback.
-A OUTPUT -d 10.0.0.0/8 -j RETURN
-A OUTPUT -d 172.16.0.0/12 -j RETURN
-A OUTPUT -d 192.168.0.0/16 -j RETURN

# Redirect HS connections to the TransPort.
-A OUTPUT -d 127.192.0.0/10 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040

# Redirect all TCP traffic to Tor's TransPort.
-A OUTPUT ! -o lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040

COMMIT

# Only accept anonymized network traffic in the filter table.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LAN - [0:0]

# Allow loopback
-A INPUT -i lo -j ACCEPT

# Allow connections that are already established.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Reject incoming connections.
-A INPUT -p udp -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable

# Accept network traffic for the Tor service itself.
# TODO: Tor user?
-A OUTPUT -m owner --uid-owner tor -j ACCEPT

# Accept DNS requests to the Tor DNSPort.
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53530 -j ACCEPT

# Accept outgoing traffic to the local Tor TransPort.
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9040 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT

# Accept outgoing traffic to the local Tor SOCKSPorts.
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9050 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9150 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT

# Accept connections on private networks.
-A OUTPUT -d 10.0.0.0/8 -j LAN
-A OUTPUT -d 172.16.0.0/12 -j LAN
-A OUTPUT -d 192.168.0.0/16 -j LAN
-A LAN -p tcp -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A LAN -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A LAN -j ACCEPT

# Reject all other outgoing traffic.
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable

COMMIT

For the IPv6 file, you can do something similar with ip6tables, or just drop all IPv6 traffic.

Now set these rules to be loaded on startup by creating the file /etc/network/if-pre-up.d/firewall with the following contents:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
/sbin/ip6tables-restore < /etc/ip6tables.firewall.rules

Restart Tor if needed, and load your new firewall rules manually by executing the previous commands.
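The two TODO items in the rules above (the Tor user name, and the DNSPort/TransPort numbers) are the usual reason a setup like this silently leaks: if the uid-owner user does not exist, or a port in the rules does not match the torrc, traffic is either looped or rejected rather than anonymised. The script below is an added example, not part of the original answer, that cross-checks a torrc against an iptables-restore rules file in the format shown above. It assumes the option names `DNSPort` and `TransPort` and the `--to-ports` / `--uid-owner` syntax used in the answer; the sample torrc and rules it writes to a temporary directory are constructed for the demonstration, and `root` stands in for the Tor user in the consistent sample so the existence check can run on any host.

```shell
#!/bin/sh
# Added example (not from the original answer): cross-check a torrc against an
# iptables-restore rules file so the TODO items in the rules are not missed.
# All sample torrc/rules content below is constructed, not taken from a live host.

# Print the value of a torrc option (first non-comment match wins).
torrc_option() {
    # $1 = torrc file, $2 = option name
    grep -E "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}'
}

# List every port the rules REDIRECT to, one per line, sorted and unique.
redirect_ports() {
    grep -oE -e '--to-ports[[:space:]]+[0-9]+' "$1" | awk '{print $2}' | sort -u
}

# List every user named in an owner-match rule, one per line.
uid_owners() {
    grep -oE -e '--uid-owner[[:space:]]+[A-Za-z0-9_-]+' "$1" | awk '{print $2}' | sort -u
}

# Return 0 if the torrc DNSPort and TransPort both appear as REDIRECT targets.
check_ports() {
    # $1 = torrc file, $2 = rules file
    status=0
    for opt in DNSPort TransPort; do
        port=$(torrc_option "$1" "$opt")
        if [ -z "$port" ]; then
            echo "torrc: $opt is not set" >&2; status=1; continue
        fi
        if ! redirect_ports "$2" | grep -qx "$port"; then
            echo "rules: no REDIRECT to $opt $port" >&2; status=1
        fi
    done
    return $status
}

# Return 0 if every --uid-owner user in the rules exists on this host.
check_users() {
    status=0
    for user in $(uid_owners "$1"); do
        if ! id -u "$user" >/dev/null 2>&1; then
            echo "rules: user '$user' does not exist (answer the TODO: Tor user?)" >&2
            status=1
        fi
    done
    return $status
}

# Write constructed sample files and print the directory holding them.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/torrc" <<'EOF'
AutomapHostsOnResolve  1
DNSPort                53530
TransPort              9040
EOF
    # Consistent with the torrc; 'root' stands in for the Tor user so the check runs anywhere.
    cat > "$dir/rules.ok" <<'EOF'
*nat
-A OUTPUT -m owner --uid-owner root -j RETURN
-A OUTPUT ! -o lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 53530
-A OUTPUT ! -o lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
EOF
    # Inconsistent: DNS is redirected to a port the torrc never opens, and the user is unknown.
    cat > "$dir/rules.bad" <<'EOF'
*nat
-A OUTPUT -m owner --uid-owner no-such-tor-user -j RETURN
-A OUTPUT ! -o lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT ! -o lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
EOF
    echo "$dir"
}

# Demonstration run on the constructed samples.
samples=$(make_samples)
if check_ports "$samples/torrc" "$samples/rules.ok" && check_users "$samples/rules.ok"; then
    echo "rules.ok: torrc ports and Tor user are consistent"
fi
check_ports "$samples/torrc" "$samples/rules.bad" || echo "rules.bad: port mismatch detected"
check_users "$samples/rules.bad" || echo "rules.bad: unknown uid-owner user detected"
```

To use it on a real host, call `check_ports /etc/tor/torrc /etc/iptables.firewall.rules` and `check_users /etc/iptables.firewall.rules` before running iptables-restore; a non-zero exit means at least one TODO is still unanswered.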

User contributions licensed under: CC BY-SA