
experimental support for ipv6-through-tor. still untested because nixos is still compiling(tm)

rework-profiles
parent
commit
c491b81f19
Signed by: govanify GPG Key ID: DE62E1E2A6145556
2 changed files with 99 additions and 2 deletions
  1. +93
    -1
      common/tor.nix
  2. +6
    -1
      common/xdg.nix

+ 93
- 1
common/tor.nix View File

@ -7,6 +7,7 @@ let
dnsPort = "5353";
torUid = toString config.ids.uids.tor;
ianaReserved = "0.0.0.0/8 100.64.0.0/10 169.254.0.0/16 192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/3";
ianaReservedIPv6 = "::/0 ::/128 ::1/128 ::ffff:0:0/96 ::ffff:0:0:0/96 64:ff9b::/96 100::/64 2001::/32 2001:20::/28 2001:db8::/32 2002::/16 fc00::/7 fe80::/10 ff00::/8";
in {
options = {
modules.tor.transparentProxy = {
@ -26,11 +27,21 @@ in {
default = "10.192.0.0/10";
description = "Cidr that tor will use to map tor accessed hosts to.";
};
virtualNetworkIPv6 = mkOption {
type = types.str;
default = "[FC00::]/7";
description = "Cidr that tor will use to map tor accessed hosts to in IPv6.";
};
exceptionNetworks = mkOption {
type = types.listOf types.str;
default = [ "127.0.0.1/8" ];
description = "Cidr networks to access in the clear.";
};
exceptionNetworksIPv6 = mkOption {
type = types.listOf types.str;
default = [ "::1/128" ];
description = "Cidr networks to access in the clear in IPv6.";
};
honorFirewallPorts = mkOption {
type = types.bool;
default = true;
@ -45,8 +56,9 @@ in {
enable = true;
extraConfig = ''
VirtualAddrNetworkIPv4 ${cfg.virtualNetwork}
VirtualAddrNetworkIPv6 ${cfg.virtualNetworkIPv6}
AutomapHostsOnResolve 1
TransPort ${transPort}
TransPort ${transPort} IPv6Traffic PreferIPv6
DNSPort ${dnsPort}
'';
};
@ -54,6 +66,7 @@ in {
networking.firewall.enable = true;
networking.firewall.extraCommands = let
transExceptions = concatStringsSep " " cfg.exceptionNetworks;
transExceptionsIPv6 = concatStringsSep " " cfg.exceptionNetworksIPv6;
in ''
### flush iptables
iptables -F
@ -121,6 +134,85 @@ in {
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
### IPv6 ###
### flush iptables
ip6tables -F
ip6tables -t nat -F
### set iptables *nat
#nat .onion addresses
ip6tables -t nat -A OUTPUT -d ${cfg.virtualNetworkIPv6} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports ${transPort}
#nat dns requests to Tor
ip6tables -t nat -A OUTPUT -d ::1/128 -p udp -m udp --dport 53 -j REDIRECT --to-ports ${dnsPort}
#don't nat the Tor process, the loopback, or the local network
ip6tables -t nat -A OUTPUT -m owner --uid-owner ${torUid} -j RETURN
ip6tables -t nat -A OUTPUT -o lo -j RETURN
for _except in ${transExceptionsIPv6 + " " + ianaReservedIPv6}; do
ip6tables -t nat -A OUTPUT -d $_except -j RETURN
done
#redirect whatever fell thru to Tor's TransPort
ip6tables -t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports ${transPort}
ip6tables -A INPUT -m state --state ESTABLISHED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
${optionalString cfg.honorFirewallPorts ''
${concatMapStringsSep "\n" (port: ''ip6tables -A INPUT -i ${cfg.inputNic} -p tcp --dport ${toString port} -m state --state NEW -j ACCEPT'')
(unique (config.networking.firewall.allowedTCPPorts ++ config.services.openssh.ports))}
''}
ip6tables -A INPUT -j DROP
#*filter FORWARD
ip6tables -A FORWARD -j DROP
#*filter OUTPUT
#possible leak fix. See warning.
ip6tables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A OUTPUT -m state --state INVALID -j DROP
ip6tables -A OUTPUT ! -o lo ! -d ::1 ! -s ::1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
ip6tables -A OUTPUT ! -o lo ! -d ::1 ! -s ::1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
ip6tables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
#allow Tor process output
ip6tables -A OUTPUT -o ${cfg.outputNic} -m owner --uid-owner ${torUid} -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
#allow loopback output
ip6tables -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
#tor transproxy magic
ip6tables -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport ${transPort} --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
#allow access to lan hosts in ${transExceptionsIPv6}
for _except in ${transExceptionsIPv6}; do
ip6tables -A OUTPUT -d $_except -j ACCEPT
done
#Log & Drop everything else.
ip6tables -A OUTPUT -j LOG --log-prefix "Dropped OUTPUT packet: " --log-level 7 --log-uid
ip6tables -A OUTPUT -j DROP
#Set default policies to DROP
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
'';
};
}
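Review bot: The two loopback rules in the new ip6tables block (`-d 127.0.0.1/32` under `#allow loopback output` and `#tor transproxy magic`) carry an IPv4 address, which ip6tables does not accept, and since the OUTPUT policy ends as DROP the IPv6 flows redirected to the TransPort have no allow rule either way; both should read `-d ::1/128`. Two other values feed this block in a form it cannot use: the `virtualNetworkIPv6` default `[FC00::]/7` is Tor's bracketed syntax but is passed verbatim to `ip6tables -t nat ... -d`, which rejects brackets (e.g. `-d ${replaceStrings ["[" "]"] ["" ""] cfg.virtualNetworkIPv6}` would do), and `ianaReservedIPv6` begins with `::/0`, so the RETURN loop exempts every destination from the catch-all TransPort redirect — only the .onion and DNS rules placed before it still redirect, and ordinary IPv6 TCP falls through to the LOG/DROP rules instead of Tor, so `::/0` should be removed from that list (it is not in the IANA special-purpose registry). In the torrc hunk, the single `TransPort ${transPort} IPv6Traffic PreferIPv6` binds 127.0.0.1 as far as I can tell, while netfilter REDIRECT maps locally generated IPv6 packets to ::1, so I would keep the original IPv4 `TransPort ${transPort}` and add `TransPort [::1]:${transPort} IPv6Traffic PreferIPv6`, with a matching `DNSPort [::1]:${dnsPort}` for the ::1 udp/53 redirect.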

+ 6
- 1
common/xdg.nix View File

@ -59,7 +59,12 @@
# '';
#});
# todo: add w3m
# this works but this also breaks nixos build
w3m = super.w3m.overrideAttrs (oldAttrs: rec {
postPatch = ''
sed -i 's/"~\/\.w3m"/"~\/\.config\/w3m"/' $(grep -Rl '"~\/\.w3m"')
'';
});
};
};
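Review bot: The `rec` on the set passed to `overrideAttrs` is unused — nothing in it refers to a sibling attribute — so `(oldAttrs: { postPatch = ...; })` is enough, and the `oldAttrs` argument is likewise unused. Separately, `sed -i ... $(grep -Rl '"~\/\.w3m"')` invokes sed with no input files if the grep matches nothing in the unpacked source, which makes the build fail; that may be the breakage the `# this works but this also breaks nixos build` comment refers to, though I cannot confirm it from here. Piping through `xargs -r sed -i ...` would make a non-matching source a no-op rather than a failure, and the comment should then state what is actually known to break. The enclosing overlay attribute set starts before this hunk.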

