Sending all outbound TCP traffic through Tor

Credit: these instructions are a slightly modified version of these.

I wanted to send all of my outbound TCP connections through Tor. Note that this is different from routing all connections through Tor: inbound connections are still accepted directly, not only via Tor.

The advantage of this approach is that we can still run a web server on the machine and SSH into it at regular speeds.

I run a Debian 10 (stable) box.

Start by installing Tor:

sudo apt install tor

Then add the following to /etc/tor/torrc:

# Tor transparent proxy setup

# Address range that hostnames resolved through DNSPort (e.g. .onion) are mapped into
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
# Port that the redirected TCP connections are delivered to
TransPort 9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort
# Port on which Tor answers DNS queries (UDP)
DNSPort 5353

Now run the following script as root to configure the machine to send all outbound TCP through Tor's transparent proxy. Note that the iptables rules it installs are not persistent across reboots.

#!/bin/bash
# Redirect all outbound TCP (and UDP DNS) through Tor's transparent proxy.
set -e
[ "$(id -u)" -eq 0 ] || { echo "this script must run as root" >&2; exit 1; }

TOR_UID="$(id -u debian-tor)"   # user the Tor daemon runs as on Debian
TRANS_PORT="9040"               # must match TransPort in torrc
DNS_PORT="5353"                 # must match DNSPort in torrc

# Start from empty filter and nat tables
iptables -F
iptables -t nat -F

# Tor's own connections must leave untouched, or they would loop back into Tor
iptables -t nat -A OUTPUT -m owner --uid-owner "$TOR_UID" -j RETURN
# Hand DNS lookups to Tor's DNSPort
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
# Do not redirect traffic to these loopback ranges
for NET in 127.0.0.0/9 127.128.0.0/10; do
  iptables -t nat -A OUTPUT -d "$NET" -j RETURN
done

# Every new outbound TCP connection goes to Tor's TransPort
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"

# Filter table: allow existing connections, loopback and Tor itself;
# reject everything else (non-DNS UDP, ICMP, ...) so nothing leaks around Tor
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner "$TOR_UID" -j ACCEPT
iptables -A OUTPUT -j REJECT
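The script does not verify its own result, and iptables rules do not survive a reboot unless they are saved separately, so a later flush can silently reopen a direct path. As an added check that is not part of the original post, the shell function below audits an `iptables-save` dump for the three rules that matter for leak prevention: the TCP redirect to TransPort with Tor's own uid exempted before it, the UDP/53 redirect to DNSPort, and a catch-all REJECT at the end of the filter OUTPUT chain. The two dumps embedded are constructed for the demo in the format `iptables-save` produces (it renders `--syn` as `--tcp-flags FIN,SYN,RST,ACK SYN` and prints the uid numerically; the uid 106 is made up); the port numbers are assumed to match the torrc above.

```bash
#!/bin/bash
# Added example, not part of the original post: audit an iptables-save dump for
# the rules the Tor transparent-proxy script installs.
# On the box:  iptables-save | check_tor_rules
# Port values are assumed to match the torrc (TransPort 9040, DNSPort 5353).
TRANS_PORT="9040"
DNS_PORT="5353"

# Print only the "-A" rules of one table (nat or filter) from a dump on stdin.
table_rules() {
    awk -v t="*$1" '$0 == t {in_t=1; next} /^COMMIT/ {in_t=0} in_t && /^-A /'
}

# Read an iptables-save dump on stdin, report each check, return the number of failures.
check_tor_rules() {
    dump=$(cat)
    nat=$(printf '%s\n' "$dump" | table_rules nat)
    filter=$(printf '%s\n' "$dump" | table_rules filter)
    fails=0

    # 1. New outbound TCP must be redirected to TransPort, and the rule exempting
    #    Tor's uid must come before it, otherwise Tor's own traffic is fed back to Tor.
    redir_ln=$(printf '%s\n' "$nat" | grep -nE "^-A OUTPUT -p tcp .*(--syn|--tcp-flags FIN,SYN,RST,ACK SYN) -j REDIRECT --to-ports $TRANS_PORT\$" | head -n 1 | cut -d: -f1)
    owner_ln=$(printf '%s\n' "$nat" | grep -nE '^-A OUTPUT -m owner --uid-owner [^ ]+ -j RETURN$' | head -n 1 | cut -d: -f1)
    if [ -z "$redir_ln" ]; then
        echo "FAIL nat: no TCP SYN redirect to TransPort $TRANS_PORT"; fails=$((fails + 1))
    elif [ -z "$owner_ln" ] || [ "$owner_ln" -ge "$redir_ln" ]; then
        echo "FAIL nat: Tor's uid is not exempted before the TCP redirect"; fails=$((fails + 1))
    else
        echo "ok   nat: TCP SYN -> TransPort $TRANS_PORT, Tor uid exempted first"
    fi

    # 2. UDP DNS must go to Tor's DNSPort; otherwise every lookup leaks the destination name.
    if printf '%s\n' "$nat" | grep -Eq "^-A OUTPUT -p udp( -m udp)? --dport 53 -j REDIRECT --to-ports $DNS_PORT\$"; then
        echo "ok   nat: UDP/53 -> DNSPort $DNS_PORT"
    else
        echo "FAIL nat: DNS is not redirected to DNSPort $DNS_PORT"; fails=$((fails + 1))
    fi

    # 3. The filter OUTPUT chain must end with a catch-all REJECT/DROP; without it,
    #    non-TCP traffic (ICMP, other UDP) leaves the machine in the clear.
    last=$(printf '%s\n' "$filter" | grep '^-A OUTPUT ' | tail -n 1)
    case "$last" in
        *" -j REJECT"*|*" -j DROP"*) echo "ok   filter: OUTPUT ends with a catch-all reject" ;;
        *) echo "FAIL filter: OUTPUT chain has no final REJECT/DROP"; fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Constructed dump: what iptables-save prints after the script ran correctly.
GOOD_DUMP=$(cat <<'EOF'
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner 106 -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -d 127.0.0.0/9 -j RETURN
-A OUTPUT -d 127.128.0.0/10 -j RETURN
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -m owner --uid-owner 106 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
)

# Constructed dump with two defects: the Tor uid exemption sits after the TCP
# redirect, and the filter OUTPUT chain has lost its final REJECT.
LEAKY_DUMP=$(cat <<'EOF'
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -m owner --uid-owner 106 -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
COMMIT
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -m owner --uid-owner 106 -j ACCEPT
COMMIT
EOF
)

# Demo on the constructed dumps (on a real box use: iptables-save | check_tor_rules)
echo "--- complete rule set"
printf '%s\n' "$GOOD_DUMP" | check_tor_rules
echo "--- misordered nat chain, no final REJECT"
printf '%s\n' "$LEAKY_DUMP" | check_tor_rules || echo "$? check(s) failed"
```

The function returns the number of failed checks, so it can be dropped into a cron job or a post-boot unit that alerts when the count is non-zero. The ordering check is the one people most often get wrong by hand: the `RETURN` for Tor's uid only protects Tor's own exit connections if it precedes the `REDIRECT`.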