Q: create Tor anonymising middlebox osx
Hello,
I would like to create a Tor anonymising middlebox (a Mac mini running Mavericks with Internet Sharing enabled). I don't know if this is the correct way to do it, so I hope you guys can give me some helpful advice here. The goal is to redirect all external traffic through Tor, including https, imap and other connection types, not just http requests on port 80. This should be done for every device on the network (even iOS devices), without configuring them separately. That's why I'm using the transparent proxy setup described later on.
Here is what I did:
I installed Tor with brew and configured it with the following options:
# transparent proxy port (TransPort is not available in this build, see below)
NATDPort 9040
NATDListenAddress 127.0.0.1
# DNS resolver port, answered through Tor
DNSPort 9053
DNSListenAddress 127.0.0.1
I'm using NATDPort because I could not get the TransPort option to work. Tor tells me that TransPort and TransListenAddress are not available in my build. I have no idea how to compile Tor on OS X so that these two options work. The Tor manual says that NATDPort is for systems that cannot use TransPort.
To redirect all external traffic through Tor I use the following pf anchor, which I found on the Tor wiki. It requires creating a second loopback device, which I could not do either, so I tried to use the bridge100 device created by the Internet Sharing option on Mavericks instead.
# destinations you don't want routed through Tor
non_tor = "{ 192.168.1.0/24 192.168.2.0/24 }"
# Tor's TransPort (here the NATDPort configured above)
trans_port = "9040"
# dns: hand client DNS queries to the local pdnsd cache on port 54
rdr pass on bridge100 inet proto udp to 192.168.2.1 port domain -> 127.0.0.1 port 54
# http: send plain web traffic to the transparent privoxy on port 3131 (HTTP is TCP, not UDP)
rdr pass on bridge100 inet proto tcp to 192.168.2.1 port http -> 127.0.0.1 port 3131
# everything else over TCP goes to Tor's transparent port
rdr pass on bridge100 inet proto tcp all -> 127.0.0.1 port $trans_port
#rdr pass on bridge100 inet proto udp to port domain -> 127.0.0.1 port domain
# default: nothing leaves the box unless a rule below allows it
block return out
pass out quick on lo0 route-to bridge100 inet proto tcp to 127.192.0.0/10 flags S/SA modulate state
pass quick on { lo0 bridge100 } keep state
# uncomment the following line if you need to be able to connect to this system
# from elsewhere on your $non_tor subnet
#pass in proto tcp from $non_tor to $non_tor port { 22, 25, 80, 110 } flags S/SA keep state
pass in proto tcp from $non_tor to $non_tor flags S/SA keep state
# connections opened by this user leave directly instead of being looped back into Tor
pass out quick inet proto tcp user rene flags S/SA modulate state
pass out quick route-to bridge100 inet proto udp to port domain keep state
pass out quick inet to $non_tor keep state
pass out route-to bridge100 inet proto tcp all flags S/SA modulate state
I'm using pdnsd to cache DNS queries, that's why I'm redirecting all port 53 requests to localhost on port 54. I also redirect port 80 requests to my transparent privoxy proxy on port 3131 of localhost. privoxy uses polipo to access Tor at 127.0.0.1 port 9050 again. This is against unwanted cookies and trackers.
I'm not familiar with pf. The rules get loaded properly, and I can see that there are requests sent to 127.0.0.1 port 9040. The DNS queries do work, I can resolve hostnames through Tor, but somehow I cannot establish any connection with that pf anchor in combination with the NATDPort setting of Tor. When I try to surf the web (just http, not even https) I get a white page with just a body tag and no content.
I know this can be done with Linux, but I don't want to change the OS just for that.
I hope that anyone is able to help me here; until then I have to use the only-redirect-port-80 option.
Happy Holidays and a Happy new Year!
Posted on Dec 31, 2013 7:46 AM
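A consistency check for a setup like the one in this question, added here as an example and not part of the original post: it parses the torrc options and the rdr lines of a pf anchor and reports mismatches that would leave traffic outside Tor or black-hole it (a service redirected with the wrong protocol, no catch-all tcp rdr, or a trans port that differs from Tor's NATDPort/TransPort). The torrc and anchor text below are constructed in the shape of the question's, with the http line deliberately using udp; the service table and the regexes are assumptions of this example.

```python
import re

# Constructed sample input, modelled on the question (not the poster's exact files).
TORRC = """NATDPort 9040
NATDListenAddress 127.0.0.1
DNSPort 9053
DNSListenAddress 127.0.0.1
"""
PF_ANCHOR = """# destinations you don't want routed through Tor
non_tor = "{ 192.168.1.0/24 192.168.2.0/24 }"
trans_port = "9040"
rdr pass on bridge100 inet proto udp to 192.168.2.1 port domain -> 127.0.0.1 port 54
rdr pass on bridge100 inet proto udp to 192.168.2.1 port http -> 127.0.0.1 port 3131
rdr pass on bridge100 inet proto tcp all -> 127.0.0.1 port $trans_port
"""
# Service names as pf resolves them from /etc/services (assumed standard values).
SERVICES = {"domain": (53, "udp"), "http": (80, "tcp"), "https": (443, "tcp")}
RDR_RE = re.compile(r"^rdr\s+.*?proto\s+(\w+)\s+(?:all|to\s+\S+\s+port\s+(\S+))"
                    r"\s*->\s*(\S+)\s+port\s+(\S+)")

def parse_torrc(text):
    """Return {option: value} for the non-comment lines of a torrc."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts[key] = value.strip()
    return opts

def parse_anchor(text):
    """Collect rdr rules from a pf anchor, expanding $macro targets."""
    macros, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r'^(\w+)\s*=\s*"?([^"]*)"?$', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        m = RDR_RE.match(line)
        if m:
            proto, dport, target, tport = m.groups()
            if tport.startswith("$"):
                tport = macros.get(tport[1:], tport)
            rules.append({"proto": proto, "dport": dport or "all", "target": target, "tport": tport})
    return rules

def check(torrc_text, anchor_text):
    """List findings that would leak traffic around Tor or send it to a closed port."""
    findings, tor, rules = [], parse_torrc(torrc_text), parse_anchor(anchor_text)
    trans = tor.get("TransPort") or tor.get("NATDPort")
    for r in rules:  # a service redirected with the wrong protocol never matches real traffic
        svc = SERVICES.get(r["dport"])
        if svc and svc[1] != r["proto"]:
            findings.append(f"port {r['dport']} redirected with proto {r['proto']}, expected {svc[1]}")
    catch_all = [r for r in rules if r["proto"] == "tcp" and r["dport"] == "all"]
    if not catch_all:
        findings.append("no catch-all tcp rdr: non-redirected tcp would leave outside Tor")
    elif trans and catch_all[0]["tport"] != trans:
        findings.append(f"tcp catch-all goes to port {catch_all[0]['tport']} but Tor listens on {trans}")
    return findings
```

Run `check(TORRC, PF_ANCHOR)` before loading an anchor with pfctl; a non-empty list means the rules and torrc disagree.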