
tor: update the module

master
parent
commit
0cabc3d87e
Signed by: govanify GPG Key ID: DE62E1E2A6145556
4 changed files with 27 additions and 19 deletions
  1. +1
    -1
      common/default.nix
  2. +19
    -18
      component/tor.nix
  3. +7
    -0
      machines/alastor/default.nix
  4. BIN
      secrets/deployment.nix

+ 1
- 1
common/default.nix View File

@ -19,7 +19,7 @@
# basic set of tools & ssh
environment.systemPackages = with pkgs; [
wget neovim fzf tmux gitAndTools.gitFull screen htop
wget neovim fzf tmux gitAndTools.gitFull git-crypt screen htop
rsync imagemagick mosh gnupg manpages ag bat any-nix-shell
];


+ 19
- 18
component/tor.nix View File

@ -3,8 +3,8 @@
with lib;
let
cfg = config.modules.tor.transparentProxy;
transPort = "9040";
dnsPort = "5353";
transPort = 9040;
dnsPort = 5353;
torUid = toString config.ids.uids.tor;
ianaReserved = "0.0.0.0/8 100.64.0.0/10 169.254.0.0/16 192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/3";
ianaReservedIPv6 = "::/0 ::/128 ::1/128 ::ffff:0:0/96 ::ffff:0:0:0/96 64:ff9b::/96 100::/64 2001::/32 2001:20::/28 2001:db8::/32 2002::/16 fc00::/7 fe80::/10 ff00::/8";
@ -52,16 +52,17 @@ in {
config = mkIf cfg.enable {
services.tor = {
# makes ourselves reachable through ssh, keys and hostname in /var/lib/tor
hiddenServices.ssh = { map = [{port = 22;}]; };
relay.onionServices.ssh = { map = [{port = 22;}]; };
enable = true;
# enabling the sandbox breaks stuff, should be checked!
extraConfig = ''
VirtualAddrNetworkIPv4 ${cfg.virtualNetwork}
VirtualAddrNetworkIPv6 ${cfg.virtualNetworkIPv6}
AutomapHostsOnResolve 1
TransPort ${transPort} IPv6Traffic PreferIPv6
DNSPort ${dnsPort}
'';
settings = {
VirtualAddrNetworkIPv4="${cfg.virtualNetwork}";
VirtualAddrNetworkIPv6="${cfg.virtualNetworkIPv6}";
AutomapHostsOnResolve=true;
#TransPort=[ transPort ["IPv6Traffic" "PreferIPv6"]];
TransPort=transPort;
DNSPort=dnsPort;
};
};
networking.nameservers = ["127.0.0.1"];
networking.firewall.enable = true;
@ -75,10 +76,10 @@ in {
### set iptables *nat
#nat .onion addresses
iptables -t nat -A OUTPUT -d ${cfg.virtualNetwork} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports ${transPort}
iptables -t nat -A OUTPUT -d ${cfg.virtualNetwork} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports ${toString transPort}
#nat dns requests to Tor
iptables -t nat -A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports ${dnsPort}
iptables -t nat -A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports ${toString dnsPort}
#don't nat the Tor process, the loopback, or the local network
iptables -t nat -A OUTPUT -m owner --uid-owner ${torUid} -j RETURN
@ -89,7 +90,7 @@ in {
done
#redirect whatever fell thru to Tor's TransPort
iptables -t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports ${transPort}
iptables -t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports ${toString transPort}
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
@ -120,7 +121,7 @@ in {
iptables -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
#tor transproxy magic
iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport ${transPort} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport ${toString transPort} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
#allow access to lan hosts in ${transExceptions}
for _except in ${transExceptions}; do
@ -149,10 +150,10 @@ in {
### set iptables *nat
#nat .onion addresses
ip6tables -t nat -A OUTPUT -d ${cfg.virtualNetworkIPv6} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports ${transPort}
ip6tables -t nat -A OUTPUT -d ${cfg.virtualNetworkIPv6} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports ${toString transPort}
#nat dns requests to Tor
ip6tables -t nat -A OUTPUT -d ::1/128 -p udp -m udp --dport 53 -j REDIRECT --to-ports ${dnsPort}
ip6tables -t nat -A OUTPUT -d ::1/128 -p udp -m udp --dport 53 -j REDIRECT --to-ports ${toString dnsPort}
#don't nat the Tor process, the loopback, or the local network
ip6tables -t nat -A OUTPUT -m owner --uid-owner ${torUid} -j RETURN
@ -163,7 +164,7 @@ in {
done
#redirect whatever fell thru to Tor's TransPort
ip6tables -t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports ${transPort}
ip6tables -t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports ${toString transPort}
ip6tables -A INPUT -m state --state ESTABLISHED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
@ -194,7 +195,7 @@ in {
ip6tables -A OUTPUT -d ::1/128 -o lo -j ACCEPT
#tor transproxy magic
ip6tables -A OUTPUT -d ::1/128 -p tcp -m tcp --dport ${transPort} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
ip6tables -A OUTPUT -d ::1/128 -p tcp -m tcp --dport ${toString transPort} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
#allow access to lan hosts in ${transExceptionsIPv6}
for _except in ${transExceptionsIPv6}; do
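Review bot: In the `@ -52,16 +52,17 @@` hunk the new `TransPort=transPort;` line drops the `IPv6Traffic PreferIPv6` flags that the removed `extraConfig` passed on its `TransPort` line, while the ip6tables rules in the later hunks still REDIRECT IPv6 TCP and DNS traffic to that same port; unless those flags are set somewhere outside this file, Tor will presumably refuse the IPv6 connections arriving on a port opened without `IPv6Traffic`, so the IPv6 half of the transparent proxy stops working (whether that fails open or closed depends on the firewall policy set elsewhere in the module). The flagged form survives only as the dead line `#TransPort=[ transPort ["IPv6Traffic" "PreferIPv6"]];`, which should either be made to evaluate or be deleted rather than kept commented out. If the module's port submodule accepts a flag list, something like `TransPort = [ { port = transPort; flags = [ "IPv6Traffic" "PreferIPv6" ]; } ];` would restore the previous behaviour — check the option type in the NixOS tor module before relying on it. The `config = mkIf cfg.enable { … }` set that this hunk opens continues past the end of the hunk.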


+ 7
- 0
machines/alastor/default.nix View File

@ -41,4 +41,11 @@
home.file."Pictures/wallpaper.png".source = ./wallpaper.png;
};
#modules.tor.transparentProxy = {
#enable = true;
#outputNic = "wlp3s0";
#inputNic = "wlp3s0";
#};
}
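Review bot: The `modules.tor.transparentProxy` block appended at the end of the file is entirely commented out, so the hunk changes nothing in the evaluated configuration and nothing records why it is disabled or what would make it safe to turn on. A short comment above it, e.g. `# transparent Tor proxy for this host; disabled because <reason>`, or an explicit `modules.tor.transparentProxy.enable = false;` would make the intent visible instead of leaving a template that may be uncommented without context. Only five of the seven added lines are visible on this page; the remaining two are presumably blank.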

BIN
secrets/deployment.nix View File

